On June 18, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that an HHS Administrative Law Judge had ruled in OCR's favor against The University of Texas MD Anderson Cancer Center (MD Anderson), requiring it to pay $4.3 million in civil money penalties for data breaches that potentially disclosed the health records of nearly 35,000 patients. The amount is the fourth-largest ever obtained by OCR in a HIPAA enforcement action. MD Anderson submitted three breach reports in 2012 and 2013, which led to an OCR investigation. The breaches involved the theft of an unencrypted laptop from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives containing the electronic protected health information (ePHI) of MD Anderson patients.
OCR found that MD Anderson had written encryption policies in place going as far back as 2006, and that its own internal risk analyses had already determined that the lack of device-level encryption posed a high risk to the security of ePHI. Despite these findings, OCR determined that MD Anderson did not begin to adopt an enterprise-wide solution for encrypting ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013, the period during which the breaches occurred. The lesson for security programs is that a documented policy and a risk analysis that identifies a gap are not mitigations in themselves; if anything, they establish that the organization knew about the exposure, which is exactly what moved this case into the higher penalty tier described below.
OCR proposed, and the judge upheld, the maximum financial penalty against MD Anderson for a "Tier 2" HIPAA violation: a minimum of $1,000 for each violation, capped at $1.5 million per calendar year for violations of an identical provision. Tier 2 covers situations in which an "act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect."