University of Texas MD Anderson Cancer Center fined $4.3 million

The University of Texas MD Anderson Cancer Center has been fined $4.3 million for multiple breaches of the HIPAA (Health Insurance Portability and Accountability Act).

The fine relates to three incidents that occurred between 2012 and 2013. The first violation involved the theft of an employee laptop containing 30,000 patients’ health records. The device was stolen from a physician’s home on April 30, 2012, but it took MD Anderson six weeks to notify affected patients and authorities.

Three months later, a researcher at MD Anderson lost a USB drive containing patient records while on a shuttle bus. Another USB device containing patient data was lost the following year.

Unencrypted devices

In all three incidents, the breached information was unencrypted, meaning anyone who accessed the devices could view patients’ names, addresses, medical histories, and – in some cases – Social Security numbers.

Roger Severino, director of the Office of Civil Rights, commented: “MD Anderson knew, since 2006, that it should be encrypting its devices. Their own people were saying ‘we should encrypt, we should encrypt.’”

Severino added that a lack of encryption is a problem across the healthcare sector.


The dangers of data breaches have been a hot topic recently, with the GDPR (EU General Data Protection Regulation) having taken effect on May 25, 2018. The Regulation introduced strict rules regarding the way EU residents’ personal data is handled and strengthens data subjects’ rights related to their personal data.

Organizations in the US have been slow to react to the GDPR, with many assuming it doesn’t apply to them. However, the Regulation affects any organization that handles EU residents’ personal data, no matter where they are based. If you haven’t done so already, it’s essential that you understand whether the GDPR applies to you, as violations could lead to severe disciplinary action, with the most egregious cases attracting fines of up to €20 million (about $23 million) or 4% of annual global turnover, whichever is greater.

Achieve GDPR compliance

Those who do need to comply with the GDPR should consider enrolling on our Certified EU GDPR Foundation and Practitioner Combination Online Course.

This course takes you from a GDPR beginner to an expert in five days. You’ll be guided through the Regulation by an experienced data protection practitioner, who’ll explain:

  • The background to the Regulation and its terminology
  • The six data protection principles
  • Data subjects’ rights
  • How to secure personal data
  • How to report data breaches
  • The data protection officer role
  • How to conduct data protection impact assessments
  • How to transfer personal data outside the EU
  • The responsibilities of supervisory authorities

GDPR Training