Dive Brief:
- A federal judge upheld a $4.3 million fine against the University of Texas MD Anderson Cancer Center following an investigation into three data breaches — one stolen laptop and two lost flash drives, all unencrypted — that compromised the health information of more than 33,500 people. The HHS Office of Civil Rights found MD Anderson encryption policies for patient data hadn't been adopted until 2011.
- MD Anderson called the fine "unreasonable" and, in a statement to Healthcare Dive, asserted there is "no evidence any patient information was viewed or any harm to patients was caused." The academic system will appeal the ruling.
- In his decision, HHS administrative law judge Steven Kessel wrote that MD Anderson's conduct was "shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI" (electronic protected health information).
Dive Insight:
Over half of the security incidents that occur in healthcare are tied to employees, according to Verizon's latest Protected Health Information Data Breach Report. MD Anderson's security blunder sheds light on how easy it can be for employees to unintentionally violate HIPAA, and just how costly those mistakes can be.
The $4.3 million fine is the fourth largest monetary settlement with the Office of Civil Rights, calculated based on each day of the hospital's noncompliance and each individual record breached.
In addition to refuting the fine, MD Anderson claimed it was not obligated to encrypt its devices and that the electronic protected health information in question was for "research" and therefore not subject to HIPAA's nondisclosure requirements.
"We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered. MD Anderson plans to appeal the ruling, which will result in a full review of all of the arguments and evidence," MD Anderson said in a statement.
However, as court filings show, MD Anderson submitted Breach Notification Reports to the OCR in 2012 and 2013 in connection with the security incidents. OCR said it had attempted to reach an informal resolution between 2015 and 2016, but failed to do so.
Healthcare companies are already required by HIPAA to report data breaches to patients within 60 days of discovery. A bill introduced in the Senate late last year would require companies to notify consumers of a data breach within 30 days of discovery. Executives at those companies would be held criminally accountable if they fail to do so.
Since January 2018, 52 cases where breaches of unsecured protected health information have affected 500 people or more have been reported to OCR. Of those 52 cases, 23 were classified as unauthorized access/disclosure, 18 as a hacking/IT incident, six as theft, three as improper disposal and two as loss.
The fact that insiders pose the biggest security risk at hospitals and health organizations is compounded by many companies in the industry failing to make cybersecurity a high priority. A late 2017 Black Book Market Research survey found that about 80% of organizations lack an executive-level leader to manage cybersecurity enterprise-wide and just 11% plan to name one in 2018.