An administrative law judge ruled the University of Texas MD Anderson Cancer Center must pay a $4.3 million penalty issued by the Department of Health and Human Services for HIPAA violations.

The three data breaches in question date back to 2012 and 2013, when an unencrypted laptop was stolen from an MD Anderson employee and two unencrypted USB thumb drives containing information of 33,500 patients were lost. An investigation by the HHS Office for Civil Rights found MD Anderson had written encryption policies dating back to 2006 and an internal risk analysis found a lack of encryption on hospital-owned devices posed a security risk.

Still, MD Anderson failed to encrypt its inventory of electronic devices, which prompted OCR to issue fines for each day of HIPAA noncompliance and for each record that was exposed. OCR issued the fine in March 2017, citing the provider’s “willful neglect” and enforcing the maximum available penalty.

RELATED: Data breaches are drawing more scrutiny from both federal and state regulators

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” OCR Director Roger Severino said in a statement. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

In his judgment, the administrative law judge said the fines were warranted because MD Anderson “failed to adopt an effective mechanism” to protect patient data. He also rebuffed an argument by the provider that stolen information is only disclosed when it is viewed by a third party.

“The plain language of the regulation doesn't suggest that,” Steven T. Kessel wrote in his decision (PDF). “Moreover, to interpret the regulation so narrowly as Respondent suggests would render its prohibitions against unauthorized disclosure to be meaningless. If Respondent had its way, it and other covered entities could literally cast ePHI to the winds and be immune from penalty so long as OCR fails to prove that someone else received and viewed that information.”

Monday’s decision marks the second summary judgment victory in OCR’s history of HIPAA enforcement. It is the fourth-largest fine in OCR’s history.

In a statement to FierceHealthcare, MD Anderson said it plans to appeal the ruling.

"Patient privacy is of extreme importance at The University of Texas MD Anderson Cancer Center, and substantial measures are in place to ensure the protection of private patient information," a spokesperson said in a statement. "In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge (ALJ), there is no evidence any patient information was viewed or any harm to patients was caused.
 
"We are disappointed by the ALJ’s ruling, and we are concerned that key exhibits and arguments were not considered. MD Anderson plans to appeal the ruling, which will result in a full review of all of the arguments and evidence. Regardless of the ALJ’s decision, we hope this process brings transparency, accountability and consistency to the Office for Civil Rights’ enforcement process.
 

"MD Anderson remains committed to patient privacy, and we will continue our efforts to remain an industry leader in safely protecting patient information."

Editor's Note: This story has been updated to include a statement from MD Anderson.