
What we can learn from MD Anderson's $4.3 million HIPAA penalty

In what was the fourth largest settlement amount for HIPAA violations, the University of Texas MD Anderson Cancer Center was assessed $4.3 million in penalties for violating HIPAA.[1]

Let’s go behind the headlines and take a closer look at the case.

The case
MD Anderson was investigated by the HHS Office for Civil Rights (OCR) after reporting three data breaches that occurred in 2012 and 2013. The breaches involved the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives that contained the electronic protected health information (ePHI) of more than 33,500 individuals.[1]

Though MD Anderson had had encryption policies in place since 2006, it did not adopt system-wide encryption until 2011. According to the OCR, MD Anderson also failed to encrypt its electronic devices from March 24, 2011 to January 25, 2013.[1]

MD Anderson argued that it was not obligated to encrypt its devices because the ePHI in question was for research and was not subject to HIPAA requirements. MD Anderson also argued that HIPAA’s penalties were unreasonable.[1]

“We are disappointed by the ALJ’s ruling and we are concerned that key exhibits and arguments were not considered,” MD Anderson officials said in a statement to the Houston Chronicle.[2]

“In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge, there is no evidence any patient information was viewed or any harm to patients was caused,” the statement continued.[2]

An administrative law judge agreed with the OCR’s findings and upheld the $4,348,000 in penalties, calculated for each day of MD Anderson’s noncompliance with HIPAA and for each individual whose record was breached.

The judge said MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI.”[1]

MD Anderson says it plans to appeal the ruling.[2]

Lessons learned

  1. Organizations should start with the basics: conduct a risk assessment (using an outside party if possible).
  2. Develop a risk management plan based on the findings of the risk assessment.
  3. All organizations must have written policies and procedures. If you purchase policy and procedure templates, make sure they reflect your actual processes and that you follow them.
  4. If you have a breach, you should expect an OCR investigation. Cooperate with any investigation and respond to the OCR in a timely and complete manner.
  5. Patients expect their data will be protected. A breach can have serious consequences for your organization, including the cost of the breach itself, defense costs, loss of income, and reputational harm. Be proactive and prepared, including having adequate cyber risk transfer or cyber insurance.[1]

Read more about the case here.


1. U.S. Department of Health and Human Services. Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations. June 18, 2018. Accessed June 27, 2018.

2. Deam J. MD Anderson to pay $4.3 million penalty for data breach. Houston Chronicle. June 20, 2018. Accessed June 27, 2018.


Questions about HIPAA and cyber risk management? Visit our website or contact our team of cyber experts at or 800-580-8658.

About the Author

Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Manager. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at