Texas-based cancer hospital agrees to $4.3 million HIPAA settlement

June 20, 2018

On June 18, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with The University of Texas MD Anderson Cancer Center (MD Anderson) for data breaches that potentially disclosed the health records of nearly 35,000 patients. The settlement is the fourth-largest ever paid to OCR. MD Anderson submitted three breach reports in 2012 and 2013, leading to an OCR investigation. The breaches involved the theft of an unencrypted laptop from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives containing the electronic protected health information (ePHI) of MD Anderson patients.

OCR found that MD Anderson had written encryption policies in place as far back as 2006, and that its own internal risk analyses had already identified the lack of device-level encryption as a high risk to the security of ePHI. Despite this, OCR found that MD Anderson did not begin adopting an enterprise-wide solution for encrypting ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013, the period during which the breaches occurred.

OCR sought, and received, the maximum financial penalty against MD Anderson for a “Tier 2” HIPAA violation: at least $1,000 per violation, capped at $1.5 million per calendar year. Tier 2 covers an “act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”

Lexology has the full article
