$4.3 Million HIPAA Penalty for 3 BreachesMD Anderson Cancer Center Cited for Unencrypted Devices
This story has been updated.
A lack of device encryption will cost a Texas-based cancer treatment center $4.3 million in civil monetary penalties from the Department of Health and Human Services.
In a statement Monday, the HHS Office for Civil Rights said it was granted a summary judgment by an HHS administrative law judge, who ruled that The University of Texas MD Anderson Cancer Center violated the HIPAA privacy and security rules. The judge approved OCR imposing $4.3 million in penalties in the aftermath of its investigations into three breaches involving unencrypted devices.
In a statement provided to Information Security Media Group, MD Anderson says it plans to appeal the judgement.
"We are disappointed by the ALJ's ruling, and we are concerned that key exhibits and arguments were not considered. MD Anderson plans to appeal the ruling, which will result in a full review of all of the arguments and evidence. Regardless of the ALJ's decision, we hope this process brings transparency, accountability and consistency to the OCR enforcement process."
The ruling is only second summary judgment in the agency's history of HIPAA enforcement. The financial penalty is the fourth largest amount ever awarded to OCR by an administrative law judge or secured in a settlement for HIPAA violations, OCR notes in the statement.
A letter that OCR sent to MD Anderson says that the penalty includes $1.3 million for violations related to its unencrypted access controls and $3 million for impermissible disclosures.
MD Anderson is an academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston.
OCR says it investigated MD Anderson following three separate data breach reports in 2012 and 2013. One involved the theft of an unencrypted laptop from the residence of an MD Anderson employee; the others involved the loss of unencrypted universal serial bus thumb drives containing the unencrypted electronic protected health information on a total of over 33,500 individuals (see: Cancer Center Reports 2nd Data Breach).
"OCR's investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson's own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI," OCR says in the statement.
"Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprisewide solution to implement encryption of ePHI until 2011, and even then, it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013," the statement adds.
The administrative law judge agreed with OCR's arguments and findings and upheld OCR's penalties for each day of MD Anderson's noncompliance with HIPAA and for each record of individuals breached, OCR notes.
"OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations," says OCR Director Roger Severino.
"We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information."
OCR alleges that MD Anderson claimed that it was not obligated to encrypt its devices and asserted that the ePHI at issue was for "research," and thus was not subject to HIPAA's nondisclosure requirements.
MD Anderson further argued that HIPAA's penalties were unreasonable, OCR says. "The ALJ rejected each of these arguments and stated that MD Anderson's 'dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,' a risk that MD Anderson 'not only recognized, but that it restated many times,'" OCR says in the statement.
In its statement to ISMG, the cancer center says: "Substantial measures are in place to ensure the protection of private patient information. In all three cases involving the loss or theft of devices reviewed by the administrative law judge, there is no evidence any patient information was viewed or any harm to patients was caused."
OCR generally imposes a civil monetary penalty only in those cases that involve a lack of cooperation with investigators or the failure to take recommended steps to correct security deficiencies. An administrative law judge must approve such penalties.
OCR has issued civil monetary penalties in just three previous cases. That includes an HHS administrative law judge in February 2017 issuing a $3.2 million penalty against Children's Medical Center of Dallas in another case involving unencrypted devices and other HIPAA violations, including failure to implement risk management plans.
Also, in February 2016, an HHS administrative law judge granted a summary judgment requiring Lincare Inc., a provider of respiratory care, medical equipment and other services to in-home patients, to pay a $240,000 civil monetary penalty (see OCR Slaps Home Health Provider with Penalty).
That case involved an investigation into Clearwater, Fla.-based Lincare after an individual complained in December 2008 that a Lincare employee left behind documents containing the PHI of 278 patients after moving to a new residence.
The HIPAA enforcer issued its first civil monetary penalty back in 2011 against Cignet Health for violations of the HIPAA Privacy Rule. Cignet, which operated four clinics in Maryland, was fined $4.3 million for the violations that involved failing to provide 41 patients with access to their medical records and then failing to cooperate with federal investigators. OCR officials say Cignet filed for bankruptcy and did not end up paying the penalty.
Lessons for Others
So, what should other covered entities and business associates learn from the MD Anderson case?
"This is another example of how taking an adversarial approach to an OCR compliance review is a losing proposition," says privacy attorney David Holtzman, vice president of security consultancy CynergisTek.
"In this case, MD Anderson had many opportunities to work with its regulator to take voluntary corrective action to resolve this matter informally. This approach would have resulted in much more efficient use of scarce resources that would have been available for investment in technologies that would have safeguarded its PHI. Instead, it chose to put its money toward paying attorneys' fees to fight what it should have seen as the inevitable conclusion that it had failed to follow its own policies and procedures to encrypt portable devices that handled PHI."
OCR's investigation found that because the organization performed a risk analysis over a number of years, it was not only aware of the need to encrypt devices to ensure that confidential data would not be improperly disclosed, but it established a policy requiring the encryption and protection of devices containing ePHI, Holtzman notes. "As the [ruling] points out, the evidence shows that MD Anderson made only half-hearted and incomplete efforts at encryption in the years following its risk assessments," he adds.
"The bottom line is that when an organization identifies through its risk assessment that a threat or vulnerability poses a significant risk to the confidentiality of PHI, it must take action to put processes or technology in place that will effectively protect that health information," Holtzman says.