On June 18, 2018, the Office for Civil Rights (OCR) posted a press release announcing its summary judgment victory against the University of Texas MD Anderson Cancer Center (MD Anderson) – a ruling that will require MD Anderson to pay $4,348,000 in civil money penalties to OCR. According to the press release, this is only the second HIPAA summary judgment victory in OCR’s history, and the $4.3 million is the fourth largest amount ever awarded to OCR for HIPAA violations.
The June 1, 2018 Administrative Law Judge’s decision ultimately hinged on a stolen unencrypted laptop and several lost unencrypted USB thumb drives containing “identifying information such as patient names, addresses, and Social Security numbers; and clinical information such as diagnoses, assessments, prognoses, and treatment regimes” of a total of 33,500 individuals. Decision at 2.
The hefty fine was based on the fact that MD Anderson had known since 2006 that encryption was an essential risk management tool, yet did not fully deploy encrypted devices until after the losses in question. According to the ALJ, before then MD Anderson made only “half-hearted and incomplete efforts at encryption”. Decision at 5.
According to the ALJ:
The question is whether Respondent took the necessary steps to address the risk that it had identified – the potential for data loss due to the storage of ePHI on unencrypted devices. As I have explained, the failure to address that risk is the sum and substance of Respondent’s noncompliance. Had it done so, then unauthorized acts by Respondent’s employees might be relevant to the issue of compliance. But, failure by Respondent to take the security measures that it had identified as necessary renders irrelevant the issue of whether employees were playing by the rules, because that failure created a risk whether or not Respondent’s employees did so.
Decision at 14 (emphasis in original).
This latest OCR action may very well be appealed, given the jurisdictional arguments made by MD Anderson. Whatever the final appellate result, however, the ruling should slam the lid on any covered entity ever again questioning whether encryption is worth the cost of deployment. Whether the trigger is a state enforcement action or an OCR settlement based on vendor negligence, a laptop stolen from a car, or a USB thumb drive improperly taken from an IT department, when it comes to encryption an ounce of prevention is definitely worth at least a pound of cure.