A data breach is a serious offense when it involves patient-related information. After all, patients' health information is sensitive and can do a great deal of harm if it ends up in the wrong hands. For instance, pharma companies could use such insight to pull the strings known to be most effective on customers. It therefore comes as no surprise that the recent data breach at MD Anderson Cancer Center at the University of Texas was treated as a major offense. The federal judge ruled in favor of HHS and ordered MD Anderson to pay a hefty fine of $4.3 million. This settlement is by far the largest in HIPAA cases that involved fine payments to OCR.
What’s the story?
Why is MD Anderson at fault?
While the organization argued that it did have policies in place, the judge ruled against the hospital because it failed to address the risk posed by unprotected data. According to David Holtzman, a vice president of compliance at an IT firm, when a company detects a vulnerability in any of its processes, it has to take immediate action. That need is even greater when patient health information is concerned.
What was MD Anderson’s take on it?
In court, MD Anderson pointed out that no clause in the HIPAA requirements applied to information that had research-based uses. By this logic, MD Anderson did not even have to encrypt any of its devices or data in the first place. However, the judge who made the ruling did not accept this stance, since MD Anderson's failure to secure its data created a high risk that patients' confidential information would be lost. Because MD Anderson had been well aware of the threat for the past 5 years, during which its data remained unprotected, it was liable for the fine. MD Anderson still maintains that there is no proof that any of the misplaced information was viewed or used.