In June 2018, the University of Texas MD Anderson Cancer Center was ordered to pay a $4.3 million fine to the HHS Office for Civil Rights (OCR) for data breaches. It was the fourth-largest HIPAA-related amount to be paid to OCR.
The original case arose out of incidents in 2012 and 2013 in which an MD Anderson employee’s laptop was stolen, a company trainee lost a thumb drive, and a visiting researcher lost a thumb drive. These devices contained data for more than 33,000 patients. The health records were not encrypted, so OCR decided that MD Anderson had violated HIPAA regulations.