Awareness : Newsletter Articles

Tough on Encryption: University of Texas Cancer Center to Pay $4.35 Million in Penalties to the HHS

The U.S. Department of Health and Human Services’ Office of Civil Rights orders the University of Texas MD Anderson Cancer Center to pay $4,348,000 in civil penalties for HIPAA violations. This settlement, the fourth largest monetary settlement with the Office for Civil Rights (OCR), was affirmed this summer by an administrative law judge from the Department of Health and Human Services (HHS). What resulted in the organization receiving one of the toughest penalties for violation of the HIPAA privacy and security rules? Failure to properly encrypt devices containing patient health data.

Between 2012 and 2013, MD Anderson suffered three separate data breaches. The breaches involved the theft of an unencrypted laptop and the loss of two USB thumb drives, which together contained the unencrypted data of more than 33,500 patients. OCR investigations found that although the University cancer center begun adopting encryption policies for patient data in 2011, it failed to fully encrypt its inventory of devices containing patient data between 2011 and 2013.

Officials from MD Anderson argued that the data didn’t need to be encrypted as the patient data was for research purposes and not subject to HIPAA. Unfortunately for them, the HHS administrative law judge sided with OCR and found that the penalty was not only reasonable but also “minuscule when compared to the respondent’s size and the volume of business that it does.”

This crack-down on device encryption has become increasingly common just in this last year. Earlier this year, Fresenius Medical Care North America settled with OCR for $3.5 million for failing to encrypt devices containing patient health data.

HIPAA requires all devices containing patient health data to be secured. Here are essential tips for securing your devices:

  • Encrypt all devices including portable storage devices (USB, SD, microSD, etc.)
  • Require a PIN/password to restrict access and change it often
  • Set your device to always require a PIN or password after 3 minutes or less of inactivity
  • Enable “remote wipe” on mobile devices
  • Install and maintain antivirus software
  • Keep operating system and applications up to date
  • Avoid jailbroken devices
  • Never download applications from untrusted sources

It is important to remember that you are entrusted with maintaining the privacy of our patients, employees, students, donors and research participants.  For assistance with device encryption, contact the UMIT Help Desk at 305-243-5999 or