A Texas cancer treatment center has been fined $4.3 million in civil penalties for violating the privacy and security regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Houston-based University of Texas MD Anderson Cancer Center first came under the scrutiny of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) following three separate data breaches in 2012 and 2013. In those incidents, an unencrypted laptop was stolen from the home of an employee, and two unencrypted USB thumb drives containing the electronic protected health information (ePHI) of some 33,500 people were lost.

The OCR, which enforces HIPAA security and privacy requirements, found that MD Anderson had formal encryption policies dating to 2006, but that the center did not adopt an enterprise-wide solution for encrypting ePHI until 2011. Even by 2013, the OCR said, MD Anderson devices containing ePHI remained unencrypted, despite an earlier risk assessment that had found its data was vulnerable to a breach.

MD Anderson’s fine, imposed by an HHS administrative law judge, is the fourth-largest monetary penalty in OCR’s history of enforcing HIPAA violations and only its second summary judgment, officials said. “OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said Roger Severino, OCR’s director. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

In its defense, MD Anderson argued it was not obligated to encrypt the devices, claiming the patient data at risk was held for research purposes and therefore not subject to HIPAA’s non-disclosure requirements. The administrative law judge called MD Anderson’s conduct “shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI.”

MD Anderson told GovInfoSecurity it will appeal the judgment. “We are disappointed by the [administrative law judge’s] ruling, and we are concerned that key exhibits and arguments were not considered,” the healthcare organization said. “MD Anderson plans to appeal the ruling, which will result in a full review of all of the arguments and evidence. Regardless of the [administrative law judge’s] decision, we hope this process brings transparency, accountability and consistency to the OCR enforcement process.”

If your organization has concerns about its HIPAA IT compliance status, please contact us for a free onsite assessment.