For failing to protect user health data, MD Anderson Cancer Center in Houston, Texas, must pay a $4.3 million fine, a judge ruled in a decision made public this week.
In March 2017, the Department of Health and Human Services fined MD Anderson for violating HIPAA, the result of three data breaches that left the electronic protected health information (ePHI) of thousands of patients unprotected. The Texas institution contested the penalty, but administrative law judge Steven Kessel upheld the fine and affirmed the sum, which must be paid to the department’s Office for Civil Rights.
The breaches date back to 2012 and 2013, when an unencrypted laptop was stolen and two unencrypted thumb drives went missing from MD Anderson. The devices contained the protected health data of 34,800 patients.
Kessel agreed with the HHS argument that the lost and stolen devices constituted unlawful disclosure, and highlighted the cancer center’s failure to implement its own encryption policies, which had been on the books since 2008. “Despite this awareness and its own policies, [MD Anderson] made only half-hearted and incomplete efforts at encryption over the ensuing years,” Kessel wrote in the judgment. “The theft of the laptop illustrates why it was essential for Respondent to implement its encryption policy.”
MD Anderson argued the loss of the devices should not be considered unlawful disclosure without evidence that the information was accessed by unauthorized individuals. Kessel rejected the argument, pointing out that the question was whether the institution had failed to protect ePHI from disclosure, including via theft, and it was irrelevant whether the information was in fact accessed.
Kessel said that MD Anderson’s interpretation would render HIPAA unenforceable. “How could anyone know with any reasonable probability that—for example—the ePHI contained on the stolen laptop resulted in a given individual suffering from identity theft?”
The judge also rejected MD Anderson’s arguments that the fine was excessive. HHS had issued the maximum penalty available for what it called “willful neglect.”
“In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge (ALJ), there is no evidence any patient information was viewed or any harm to patients was caused,” MD Anderson wrote in a statement to Healthcare Analytics News™.
MD Anderson plans to appeal the ruling, according to its statement.
“MD Anderson remains committed to patient privacy, and we will continue our efforts to remain an industry leader in safely protecting patient information.”
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” OCR Director Roger Severino said in a statement. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
According to the statement, this is the agency’s fourth-largest fine and second summary judgment victory.