An administrative judge within the U.S. Department of Health and Human Services (HHS) has ruled that the University of Texas MD Anderson Cancer Center inadequately protected patient health records, violating the Health Insurance Portability and Accountability Act (HIPAA). A penalty of $4.3 million will be assessed for the breach of 33,500 patient records.
The judgement concerns two incidents at MD Anderson dating back to 2012 and 2013, in which a laptop was stolen and two USB drives were lost. While MD Anderson had adopted policies to minimize the security risk presented by unencrypted data prior to the incidents, it only began implementing these policies in 2011. The laptop and both USB drives contained unencrypted patient data at the time they were lost.
MD Anderson released a statement expressing disappointment with the ruling, noting that "in all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge, there is no evidence any patient information was viewed or any harm to patients was caused.”
In a similar enforcement action in early 2018, HHS reached a settlement with another health-care provider over five alleged HIPAA violations. The agreement with Fresenius Medical Care North America stated that the company failed to "conduct thorough and accurate risk analyses of potential vulnerabilities,” resulting in a $3.5 million penalty.
Sources: Medscape, July 10, 2018; HHS press release, June 18, 2018.