A cancer center received an order to pay $4.3 million in a settlement for HIPAA violations that involved multiple data breaches.
On 18 June, the United States Department of Health and Human Services (HHS) announced in a press release that one of its Administrative Law Judges (ALJs) ruled in favor of its Office for Civil Rights (OCR) and against The University of Texas MD Anderson Cancer Center (MD Anderson).
The judge said in his decision that MD Anderson must therefore pay $4.3 million for its failure to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. That penalty will include $2,000 for each day it wasn’t compliant between 24 March 2011 and 25 January 2013 as well as a $1.5 million fine each year for its noncompliance in both 2012 and 2013.
In a Notice of Proposed Determination, HHS revealed that OCR sought to impose those fines as a result of three data breaches affecting MD Anderson. The first incident, which occurred in April 2012, involved the theft of an unencrypted laptop containing the electronic personal health information (ePHI) of nearly 30,000 individuals. The other incidents, which occurred later in 2012 and 2013, both involved the loss of USB devices storing the ePHI of a combined 6,000 persons.
At the time of those incidents, MD Anderson had written policies that included encryption requirements. Even so, it didn’t begin to implement its encryption program until August of 2011, explained HHS in its Notice, and had not achieved complete encryption of its information assets as of January 2013. By failing to manage its risk through encryption, MD Anderson violated one of the key information security elements required by HIPAA.
OCR Director Roger Severino said he supports the ALJ’s decision. As quoted in the HHS press release:
OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations. We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.
All organizations that handle ePHI need to make sure they achieve HIPAA compliance lest they incur penalties of their own. To help enterprises, Tripwire’s solutions use foundational controls and real-time monitoring that satisfy the HIPAA Security Rule (Part 164). Learn more here.