MD Anderson Cancer Center to Pay $4.3 Million for 3 Data Breaches

The breaches occurred when an employee’s laptop was stolen from a residence and two unencrypted thumb drives went missing.

MD Anderson Cancer Center to Pay $4.3 Million for 3 Data Breaches

It is the fourth largest amount ever awarded to the OCR for a HIPAA violation.

A federal judge imposed a $4.3 million fine on a Texas-based cancer treatment center following an investigation into three breaches linked to unencrypted devices.

In a statement Monday, the HHS Office for Civil Rights said an administrative law judge ruled that the University of Texas MD Anderson Cancer Center violated the HIPAA privacy and security rules, reports Gov Info Security. It is the fourth largest amount ever paid for a HIPAA violation.

The case stems from three incidents in 2012 and 2013 when an employee’s laptop was stolen at a residence and two unencrypted thumb drives went missing, leading to the possible compromise of 35,000 health records.

The OCR launched an investigation following the three breaches and found that MD Anderson had written encryption policies dating as far back as 2006, but the cancer center’s own risk analyses found that a lack of protection could pose a high risk to patient privacy, according to The Houston Chronicle.

MD Anderson did not begin to adopt full-scale processes to implement encryption of patient health records until 2011, the government said. Even then, the center did not fully encrypt all of its devices between March 2011 and January 2013, which is when the breaches occurred.

The judge found MD Anderson’s slow implementation of security measures to be “shocking given the high risk to its patients.”

MD Anderson officials have argued that the center was not subject to encryption requirements because the electronic patient health information involved was being used for research.

A statement from MC Anderson says it plans to appeal the judgment.

“We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered,” said the statement. “In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge, there is no evidence any patient information was viewed or any harm to patients was caused.”

About the Author


Amy is Campus Safety’s Senior Editor. Prior to joining the editorial team in 2017, she worked in both events and digital marketing.

Amy’s mother, brother, sister-in-law and a handful of cousins are teachers, motivating her to learn and share as much as she can about campus security. She has a minor in education and has worked with children in several capacities, further deepening her passion for keeping students safe.

In her free time, Amy enjoys exploring the outdoors with her husband, her son and her dog.

Read More Articles Like This… With A FREE Subscription

Campus Safety magazine is another great resource for public safety, security and emergency management professionals. It covers all aspects of campus safety, including access control, video surveillance, mass notification and security staff practices. Whether you work in K-12, higher ed, a hospital or corporation, Campus Safety magazine is here to help you do your job better!

Get your free subscription today!

Subscribe Today!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety Conference Ed Spaces Registration Open Promo Campus Safety HQ