The University of Texas MD Anderson Cancer Center has been ordered to pay $4,348,000 in civil penalties in a HIPAA enforcement action by the HHS Office for Civil Rights (OCR). OCR investigated MD Anderson after it filed three breach reports in 2012 and 2013: the theft of an unencrypted laptop from the residence of an MD Anderson employee, and the loss of two unencrypted USB drives, which together held the protected health information of more than 33,500 patients.
The OCR investigation found that MD Anderson's own HIPAA risk analyses had already identified the lack of device-level encryption as a risk, and that the organization had written encryption policies in place, yet it did not begin to roll out encryption until 2011 and did not finish encrypting its devices until 2013. Had the laptop and USB drives been encrypted, their loss would not have exposed readable patient data.
MD Anderson argued that the unencrypted information was used for research and therefore was not subject to HIPAA's nondisclosure requirements. OCR rejected that argument, and also rejected MD Anderson's claim that the penalties were unreasonable.