MD Anderson Cancer Center to Pay $4.3 Million for 3 Data Breaches

The breaches occurred when an employee’s laptop was stolen from a residence and two unencrypted thumb drives went missing.

It is the fourth largest penalty ever awarded to the OCR for a HIPAA violation.

A federal judge imposed a $4.3 million fine on a Texas-based cancer treatment center following an investigation into three breaches linked to unencrypted devices.

In a statement Monday, the HHS Office for Civil Rights said an administrative law judge ruled that the University of Texas MD Anderson Cancer Center violated the HIPAA privacy and security rules, reports Gov Info Security. It is the fourth largest amount ever paid for a HIPAA violation.

The case stems from three incidents in 2012 and 2013 when an employee’s laptop was stolen at a residence and two unencrypted thumb drives went missing, leading to the possible compromise of 35,000 health records.

The OCR launched an investigation following the three breaches and found that MD Anderson had written encryption policies dating as far back as 2006, and that the cancer center's own risk analyses had identified the lack of device encryption as a high risk to patient privacy, according to The Houston Chronicle.

MD Anderson did not begin to adopt full-scale processes to implement encryption of patient health records until 2011, the government said. Even then, the center did not fully encrypt all of its devices between March 2011 and January 2013, which is when the breaches occurred.

The judge found MD Anderson’s slow implementation of security measures to be “shocking given the high risk to its patients.”

MD Anderson officials have argued that the center was not subject to encryption requirements because the electronic patient health information involved was being used for research.

A statement from MD Anderson says it plans to appeal the judgment.

“We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered,” said the statement. “In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge, there is no evidence any patient information was viewed or any harm to patients was caused.”

About the Author


Amy is Campus Safety’s Executive Editor. Prior to joining the editorial team in 2017, she worked in both events and digital marketing.

Amy has many close relatives and friends who are teachers, motivating her to learn and share as much as she can about campus security. She has a minor in education and has worked with children in several capacities, further deepening her passion for keeping students safe.
