The University of Texas MD Anderson Cancer Center was fined $4.3 million by the Department of Health and Human Services Office for Civil Rights (OCR) for a series of breaches that resulted in the loss of 33,000 patient health records in 2012 and 2013.
In 2012 a laptop containing 30,000 records was stolen from an employee's home, and later that same year a researcher at the center lost a USB drive containing patient records while on a shuttle bus. Another USB device containing patient data was lost the following year. In all three cases the devices were unencrypted, despite the HIPAA privacy rule mandating encryption.
The fine is for violations of the Health Insurance Portability and Accountability Act and is noticeably higher than those for previous breaches, signalling that officials are starting to take failures to secure patient data more seriously.
A 2018 Beazley report found the average settlement with the OCR has quadrupled as more cybersecurity resources become available and HIPAA guidelines are taken more seriously.