MD Anderson to pay $4.3 million settlement with OCR for HIPAA violations

The University of Texas MD Anderson Cancer Center has agreed to pay a $4.3m settlement for HIPAA violations, making it the fourth largest monetary settlement with the Office of Civil Rights. The breaches occurred in 2012 and 2013, and involved the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives containing patient data. MD Anderson argued that the data did not need to be encrypted as it was for research purposes, but the judge upheld the fine. Similar breaches have occurred in other medical institutions.