Three Data Security Breaches and Everything was Fine(d)

Don Miller

Starting with the FTC vs. Wyndham case, bTrade’s MFT Nation blog has run a series of posts that we described as “case studies for what not-to-do” in the rapidly changing world of data security.  The latest in this series involves the University of Texas MD Anderson Cancer Center (“Anderson”).

The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”), investigated Anderson after learning of three separate data breaches involving the theft of unencrypted electronic protected health information (ePHI) of tens of thousands of individuals.  To Anderson’s credit, it had written encryption policies going as far back as 2006 and risk analysis performed by Anderson showed that the lack of device-level encryption posed a high risk to the security of ePHI.


The problem for Anderson, however, was its failure to implement the required encryption.  Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and it failed to encrypt its inventory of electronic devices containing ePHI until much later.

OCR imposed a $4.3 million penalty against Anderson for violating HIPAA’s Privacy and Security Rules.  The penalty was justified “given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that Anderson “not only recognized, but that it restated many times.”

Click here to read more on OCR’s website about the recent actions taken against Anderson.

If you want to speak with bTrade’s data security experts about implementing an enterprise-wide encryption solution to protect ePHI, or any other type of data, please contact us at