Tandem Cyber Solutions


Texas MD Anderson Cancer Center HIPAA Breach

7/15/2018

The University of Texas MD Anderson Cancer Center recently found itself in the news as the latest organization in trouble over HIPAA violations. The U.S. Health and Human Services (HHS) takes patient privacy very seriously, and that has caused serious problems for the medical center. Read on to learn what HIPAA is, what you need to know about this breach, and what we can take away from the story.

WHAT IS HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) was passed by Congress in 1996 to address the following key areas:
  • Allows for the transferability and continuity of health insurance coverage for Americans;
  • Allows for health insurance to be protected in the event of people changing or losing their jobs;
  • Protects confidential health information;
  • Reduces fraud and abuse in the health care system.
HIPAA plays a significant role in all businesses that handle health information. It is essential that HIPAA regulations are maintained and adhered to, so that patients and customers are protected across the medical industry.

THE BREACH

There are some important things to know about the Texas MD Anderson Cancer Center HIPAA breach. Between 2012 and 2013, an unencrypted laptop was stolen and two unencrypted thumb drives were lost. As a result of its negligence in the matter, the Cancer Center was fined over $4 million. HHS determined that it had failed to implement preventive measures, and the loss affected 33,000 patients.

Because the missing devices were unencrypted, HHS assumed that the PHI (Patient Health Information) on them was compromised, since MD Anderson was unable to prove otherwise. Unlike in criminal proceedings, there is no presumption of innocence until proven guilty; here, the lack of evidence is all HHS needs.

LESSON 1

Medical centers need to encrypt data so that lost, stolen, or decommissioned devices do not put patient information at risk. This is especially important under Bring Your Own Device (BYOD) policies and wherever USB devices such as thumb drives are used. Encryption is a word most people don't understand and therefore ignore, but it simply means locking the data away so that only those holding the key can access it. Standards like AES offer fast, affordable encryption that is practically impossible to break without the key.

LESSON 2

It is crucial to block all unauthorized USB devices, both to prevent the loss of sensitive data and to protect against malware and malicious users who want to steal that information. USB devices are particularly hazardous because they make it easy for insiders to walk out with data, as happened at the Center for Health Care Services in 2017. Infected USB devices can also spread malware quickly through a medical center, as happened at two power generation facilities. If a malware infection does occur at a medical center, patient data is assumed compromised unless the organization can prove that the malware never touched the PHI.
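As an added example that is not part of the original post, the following PowerShell audit script checks a Windows endpoint for the two controls behind Lessons 1 and 2: BitLocker encryption on every volume, and removable storage blocked by policy. It assumes an elevated session on a Windows machine with the BitLocker module available; the registry paths are the ones written by the corresponding Windows Group Policy settings.

```powershell
# Added audit script (not from the original post): reports whether the controls from
# Lesson 1 (encrypt every volume) and Lesson 2 (block removable storage) are in place.
# Assumes Windows 10/11 or Server with the BitLocker module and an elevated session.
#Requires -RunAsAdministrator

function Get-DiskEncryptionStatus {
    # Lesson 1: each volume should be fully encrypted with protection turned on.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume           = $_.MountPoint
            VolumeType       = $_.VolumeType
            Encrypted        = ($_.VolumeStatus -eq 'FullyEncrypted')
            ProtectionOn     = ($_.ProtectionStatus -eq 'On')
            EncryptionMethod = $_.EncryptionMethod
        }
    }
}

function Get-RemovableStoragePolicy {
    # Lesson 2: the policy "All Removable Storage classes: Deny all access" writes Deny_All=1;
    # setting the USBSTOR service Start value to 4 disables the USB mass-storage driver outright.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $denyAll = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start   = (Get-ItemProperty -Path $usbstorKey -Name 'Start' -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyAllRemovableStorage = ($denyAll -eq 1)
        UsbMassStorageDisabled  = ($start -eq 4)
    }
}

$encryption = Get-DiskEncryptionStatus
$usbPolicy  = Get-RemovableStoragePolicy
$encryption | Format-Table -AutoSize
$usbPolicy  | Format-List

# One pass/fail line per lesson, so the report can be dropped into a compliance file.
$unprotected = $encryption | Where-Object { -not ($_.Encrypted -and $_.ProtectionOn) }
if ($unprotected) {
    Write-Warning "Lesson 1 FAIL: unencrypted or unprotected volumes: $($unprotected.Volume -join ', ')"
} else {
    Write-Output 'Lesson 1 PASS: all volumes are fully encrypted with protection on.'
}
if ($usbPolicy.DenyAllRemovableStorage -or $usbPolicy.UsbMassStorageDisabled) {
    Write-Output 'Lesson 2 PASS: removable storage is blocked.'
} else {
    Write-Warning 'Lesson 2 FAIL: removable storage is not blocked by policy.'
}
```

A volume that shows as encrypted but with protection off (for example, a suspended BitLocker volume) is reported as a failure, since the key is exposed in that state.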

Sources

https://www.hipaajournal.com/ocr-4-3-million-cmp-university-texas-md-anderson-cancer-center/
http://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00WhatisHIPAA.aspx
https://www.eetimes.com/document.asp?doc_id=1279619
https://www.hipaajournal.com/phi-28000-mental-health-patients-stolen-by-healthcare-employee/
https://arstechnica.com/information-technology/2013/01/two-us-power-plants-infected-with-malware-spread-via-usb-drive
Tandem Cyber Solutions LLC 6650 Rivers Ave Ste 105 #74137 North Charleston, SC 29406 (843) 309-3058​