A judge affirmed a fine HHS issued last year over the Texas cancer center's use of unencrypted devices.
The University of Texas MD Anderson Cancer Center must pay more than $4.3 million in fines for its failure to guard the protected health information of tens of thousands of patients.
The institution had argued unsuccessfully that the fine was excessive, but a Health and Human Services administrative law judge (ALJ) affirmed the sum, which must be paid to the HHS Office for Civil Rights (OCR).
"We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information," OCR Director Roger Severino said in a statement Monday.
This marks the fourth-largest amount awarded to the office by an HHS ALJ and only the second time the office has won summary judgment in a HIPAA proceeding, according to the HHS statement.
MD Anderson, which is based in Houston, was notified in March last year of the proposed fine, which stemmed from three breaches the institution reported to OCR in 2012 and 2013:
- Unencrypted laptop stolen: Dr. Randall Millikan, a clinician and faculty member for MD Anderson, reported on May 1, 2012, that an unencrypted laptop he used to work from home had been stolen. The device contained the electronic protected health information of more than 29,000 people. The judge described Millikan as director of research informatics at MD Anderson's genitourinary center.
- Unencrypted thumb drive lost: An unnamed summer intern in the Department of Stem Cell Transplantation and Cellular Therapy reportedly misplaced an unencrypted USB thumb drive on July 13, 2012. The device contained Microsoft Excel files with protected health information of more than 2,200 people.
- Another unencrypted thumb drive lost: Dr. Marisa Gomes, a visiting researcher from Brazil working in MD Anderson's infectious disease department, notified her department on December 2, 2013, that she had lost track of an unencrypted USB thumb drive over Thanksgiving break. The device, which contained information on nearly 3,600 people, was reportedly last seen in her desk at work.
In a statement released Monday afternoon to HealthLeaders, MD Anderson said there is no evidence that any patient information was viewed by an unauthorized party in any of the three cases reviewed.
"We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered. MD Anderson plans to appeal the ruling, which will result in a full review of all of the arguments and evidence," the institution said.
"Regardless of the ALJ’s decision, we hope this process brings transparency, accountability and consistency to the Office for Civil Rights' enforcement process," the MD Anderson statement added, reiterating the cancer center's commitment to patient privacy.
The regulations governing electronic protected health information do not specifically require encryption, but they do require that systems containing such information be inaccessible to those who are not authorized to access the information, according to Judge Steven T. Kessel's decision affirming the fine.
"Nothing in those regulations directs the use of specific devices or specific mechanisms by a covered entity. However, the bottom line is that whatever mechanisms an entity adopts must be effective," Kessel wrote.
What got MD Anderson in such deep trouble was its failure to implement the mechanism it had adopted. The cancer center decided in 2008 to encrypt its devices, including laptops and USB drives. But even in 2013, the institution had still not completed the project, Kessel wrote.
Kessel described the fine as "quite modest given the gravity of [MD Anderson]'s noncompliance."
Steven Porter is editor at HealthLeaders.