An administrative judge fined The University of Texas MD Anderson Cancer Center $4.3 million Monday. The fine is for violations of the Health Insurance Portability and Accountability Act.
Judge Steven Kessel with U.S. Health and Human Services fined the Houston cancer center for losing more than 33,000 patients’ health records in 2012 and 2013. At $4.3 million, it is the fourth-largest penalty obtained by the HHS Office for Civil Rights (OCR).
In 2012, a laptop with 30,000 records was stolen from an employee’s home. That same year, a researcher at MD Anderson lost a USB drive containing patient records while on a shuttle bus. A similar scene played out with another USB drive lost the following year.
Records included medical ailments and often Social Security numbers.
Kessel ruled that all of the devices should have been encrypted and none of them were.
“MD Anderson knew, since 2006, that it should be encrypting its devices. Their own people were saying ‘we should encrypt, we should encrypt,’” said Roger Severino, director of the OCR, which filed the complaint against MD Anderson.
While it was well known internally that the healthcare provider needed encryption, “we continue to see lack of encryption as a problem,” Severino said.
It’s unknown whether the data was used or viewed, but when unencrypted devices are lost, HHS policy is to treat the data as though it was. Conversely, Severino said, HHS would treat the lost data as though it had not been accessed if the devices had been encrypted.
The average settlement with OCR over cybersecurity breaches and lost electronic patient information has nearly quadrupled in the past decade, according to a 2018 report from Beazley, an insurance company for cyber breaches.
“Two reasons for the increase are that OCR has more resources at its disposal and far less patience for HIPAA non-compliance,” said the report.
In an email, an MD Anderson spokesperson said the healthcare provider is dedicated to patient privacy and will appeal the decision “because key exhibits and arguments were not considered.”
Cybersecurity is increasingly a problem for health institutions, which suffered more cyber extortion attacks and phishing attacks than any other industry, according to Beazley.
Despite increased fines and attacks, a 2018 report from the healthcare cybersecurity group Cynergistek found that only 45 percent of healthcare facilities are conforming to the Cybersecurity Framework provided by the National Institute of Standards and Technology.
“It’s not uncommon to hear healthcare security practitioners and professionals in other industries express concern of how far healthcare is behind in cybersecurity,” wrote David Finn, executive vice president of strategic innovation for Cynergistek, in the report.
Paul Flahive can be reached at paul@tpr.org or on Twitter @paulflahive.