This breach breaks my heart. Today’s headlines read: MD Anderson Fined $4.3 million for HIPAA violations. Why does this break my heart? For two reasons. One, I would rather they use that money to help cancer patients, and two, MD Anderson does so many wonderful things that I hope this does not tarnish its reputation.

MD Anderson suffered three separate data breaches in 2012 and 2013 involving the theft of an unencrypted laptop and the loss of two USB thumb drives containing the unencrypted data of more than 33,500 patients. I have said it a thousand times: lost and stolen laptops are the number one cause of HIPAA breaches. Thumb drives were used a lot more often in 2012 and 2013 than they are now.

The OCR investigation that followed found the cancer center hadn’t updated its encryption policies since 2006. Further, a risk analysis by MD Anderson itself had found that the lack of encryption posed a high risk of loss of patient data.

Despite these observations, OCR officials said that MD Anderson failed to begin adopting encryption policies for patient data until 2011. Even then, it failed to encrypt its inventory of devices containing patient data between 2011 and 2013. This is a tough pill to swallow, because if you fast forward to 2018, where the understanding is much better, this would not have happened, especially at a medical center of this size. As a HIPAA consultant for our clients, I have watched the awareness grow, and HIPAA is taken much more seriously than it was in 2011.

MD Anderson officials argued that the data didn’t need to be encrypted because the patient data was for research purposes and not subject to HIPAA. Further, they said the OCR fine was “unreasonable.”

Earlier this year, Fresenius Medical Care North America settled with OCR for $3.5 million following an OCR investigation of a string of breaches in 2013. That health system had likewise failed to encrypt health data on its devices.


**Parts of this article were reprinted from
