$4.3 Million Fine to HHS for Data Breaches

A data breach is a serious offense when it involves patient-related information. After all, patients' health information is sensitive and can do a lot of harm if it ends up in the wrong hands. For instance, pharma companies could use such insight to target customers with messaging known to be effective on them. It comes as no surprise that the recent data breach at the University of Texas MD Anderson Cancer Center was considered a major offense. The federal judge ruled in favor of HHS and ordered MD Anderson to pay a hefty fine of $4.3 million. This settlement is by far the largest in HIPAA cases that involved fine payments to OCR.

What’s the story?

A lot of people have been wondering whether the data breach was intentional or an accident. If reports are to be believed, the breach was accidental on the part of MD Anderson. Actually, negligence may be a better word for it. Back in 2012, a laptop belonging to an MD Anderson employee was stolen. This was followed by another instance of negligence in 2013, when a trainee at the institution lost a drive containing sensitive information. The same year, a visiting researcher at the institute lost yet another thumb drive. Combining the data present on the three devices, an estimated 33,800 patients' records were compromised because of the negligence and the subsequent breach.

Additionally, none of the lost data was encrypted. This means it was all largely unprotected and accessible to whoever had the devices, a direct violation of HIPAA's security and privacy rules.

According to a spokesperson for MD Anderson and an official statement released by the organization, MD Anderson may appeal the ruling. The OCR director, on the other hand, was content with the ruling, stating that it ensures entities like MD Anderson understand the repercussions of not implementing the required measures to protect patient data.

According to MD Anderson, it is not the case that the organization does not encrypt its data at all; encryption measures and policies had been in place since 2006. However, as per reports, the actual encryption of devices did not start until 2011. Protecting all data took two years, a period that overlapped with the time when the devices were stolen or misplaced.

Why is MD Anderson at fault?

While the organization has argued that it did have policies in place, the judge ruled against the hospital because it failed to address the risk of unprotected data. According to David Holtzman, a Vice President in the compliance department of an IT firm, when a company detects a vulnerability in any of its processes, it has to take immediate action. The need to do so is even greater when patient health information is concerned.

What was MD Anderson’s take on it?

In court, MD Anderson pointed out that there is no clause in the HIPAA requirements that applies to information used for research. By this logic, MD Anderson did not have to encrypt any of its devices or data in the first place. However, the judge did not agree with this stance, since MD Anderson's failure to secure data created a high risk of losing patients' confidential information. Since MD Anderson had been well aware of the threat for the past 5 years (the period when its data was unprotected), it was liable for the fine. MD Anderson still claims that there is no proof that any of the misplaced information has been used or viewed.