A judge ruled in favor of the Office for Civil Rights (OCR) and upheld a fine of $4,348,000 against MD Anderson, a cancer treatment and research center in Texas.  This was the 4th largest fine in history for HIPAA violations.

What led to this judgement, and what can we learn from it?

Lesson #1 – Repeat breaches exposing patient data will put you on OCR’s radar.  OCR had previously investigated this facility for the theft of a laptop and the loss of USB drives, all of which contained unencrypted patient data.

Lesson #2 – Encrypt sensitive data!  See Lesson #1.  What makes this worse for MD Anderson is that they were not following their own written encryption policy, which dated back to 2006, and that their internal risk analysis had already identified the lack of device encryption as “high risk”.

Lesson #3 – Take action.  It’s not enough to have policies and procedures; you need to verify that they are being followed.  Performing a risk analysis doesn’t protect your organization if you don’t heed the findings and remediate the high-level risks.

Lesson #4 – Compliance requirements to protect data are not optional.  OCR and other entities that enforce cyber compliance are going after organizations of all sizes that do not take the compliance requirements and their duty to protect data seriously.  We have worked with clients who have come to us after fines ranging from $10,000/month to over $2.2 million.  Save yourself money and reputational damage by proactively confirming your compliance.