The boom of information technology in healthcare has brought a host of benefits to patients, physicians and organizations. The expansion of technology has been especially evident as organizations have struggled through the COVID-19 pandemic have tried to remain accessible to patients. Embracing technology also comes with potential risks related to data security.

The U.S. Court of Appeals for the Fifth Circuit has vacated the $4.3 million civil monetary penalty against the University of Texas MD Anderson Cancer Center after two years and several lost appeals, according to Health IT Security. The penalty stemmed from two instances of lost, unencrypted USB drives containing patient data.

The judge ruled the decision by the U.S. Department of Health and Human Services to levy the massive fine against MD Anderson was “arbitrary, capricious, and contrary to law.” The highly publicized Office for Civil Rights settlement stemmed from two data breaches in 2012 and 2013. 

In the first instance, a criminal stole an unencrypted laptop that contained protected health information and research data in April 2012. The device contained the names, medical records numbers, treatments, research information, and some Social Security numbers, of about 29,201 patients.

Several months later, MD Anderson reported another data loss incident, where a trainee lost an unencrypted portable hard drive on a campus shuttle bus. Another unencrypted USB drive was lost in 2013, which also contained ePHI.

An OCR investigation found MD Anderson’s own risk analysis determined that its lack of device-level encryption posed a high risk to the privacy and security of the ePHI in its possession. Despite the risks, OCR alleged MD Anderson did not begin an enterprise-wide adoption of ePHI encryption until 2011.

Click here to read the article.