Texas cancer center to pay $4.3 million in penalties for HIPAA violations after half-hearted and incomplete efforts at encryption
The University of Texas MD Anderson Cancer Center (MD Anderson) did not follow its own encryption policies or the HIPAA Rules, and has been ordered to pay $4,348,000 in civil money penalties to the Office of Civil Rights (OCR) for HIPAA violations.
During 2012 and 2013, an unencrypted laptop was stolen and two flash drives were lost. The devices contained the electronic personal health information of over 33,500 individuals.
OCR Serious About PHI
Despite creating policies for encryption, the center failed to follow them or to quickly implement encryption after the 2012 and 2013 breaches. “OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. The $4.3 million is the fourth-largest amount ever awarded to the OCR.