MD Anderson Fined $4.3 Million for Data Breach

The Office for Civil Rights (OCR) charged MD Anderson with violating HIPAA by failing to encrypt devices that held electronic protected health information (ePHI). The failure exposed the ePHI of over 33,500 people when an unencrypted laptop and two unencrypted thumb drives were lost in 2012 and 2013.

MD Anderson’s legal team raised several arguments, all of which the judge rejected; the last was that the fine was unreasonably high compared with the penalties for previous breaches. While the fine was noticeably higher than those levied for earlier HIPAA violations, it is well within the amounts the law authorizes and in keeping with the OCR’s current trend.

Figure: the average cost of legal penalties for cybersecurity breaches has increased dramatically.
According to the 2018 Beazley Breach Briefing, the average settlement with the OCR has quadrupled over the last several years, coinciding with an increase in both cybersecurity resources and public and institutional understanding of the risks of poor cybersecurity practices.

The OCR investigation showed that MD Anderson had completed cybersecurity risk assessments as early as 2006 that listed the lack of mobile-device encryption as a high risk, yet the devices lost in 2012 and 2013 were still unencrypted. Mobile-device encryption can be expensive in both licensing costs and implementation time, and organizations with limited resources must weigh return on investment for every resource-intensive decision. Looking at the poor state of cybersecurity across the healthcare industry as a whole, however, other explanations arise.
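The breach above came down to an assessment finding (unencrypted mobile devices) that was never verified as closed. The following is an added example, not code from the article or its author, of the kind of check that turns that finding into something a fleet can be audited against on Linux endpoints: it parses the output of `lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT` and reports every mounted filesystem that is not backed by a dm-crypt (LUKS) mapping, including a USB thumb drive mounted straight from its partition. The column set, device names and the sample dump are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article: audit whether every mounted
# filesystem on a Linux host sits on a dm-crypt (LUKS) mapping.
# Parses the format of `lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT`; the column
# set and the device names in the sample below are assumptions.

# Read lsblk raw output on stdin and print "NAME MOUNTPOINT FSTYPE" for each
# mounted filesystem whose backing device is not a dm-crypt mapping.
# /boot and /boot/efi are skipped: the bootloader must read them in the
# clear and they hold no user data. Anything else, including removable
# media mounted under /media or /run/media, is reported.
unencrypted_mounts() {
    awk '
        # In raw mode empty columns collapse, so a line that carries a
        # MOUNTPOINT always has four fields: NAME TYPE FSTYPE MOUNTPOINT.
        NF >= 4 {
            if ($4 == "/boot" || $4 == "/boot/efi") next
            if ($2 != "crypt") print $1, $4, $3
        }
    '
}

# Audit either a supplied lsblk dump (first argument) or the live host.
# Returns 1 when any unencrypted mount is found so the check can gate an
# endpoint-compliance job instead of producing a report nobody acts on.
check_encryption() {
    if [ $# -gt 0 ]; then
        findings=$(printf '%s\n' "$1" | unencrypted_mounts)
    else
        findings=$(lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT | unencrypted_mounts)
    fi
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sed 's/^/UNENCRYPTED: /'
        return 1
    fi
    echo "OK: every mounted filesystem is backed by a dm-crypt device"
}

# Constructed sample (not real output): LUKS-encrypted root, plaintext EFI
# partition, and a thumb drive mounted directly from its partition.
SAMPLE_LSBLK='sda disk
sda1 part vfat /boot/efi
sda2 part crypto_LUKS
cryptroot crypt ext4 /
sdb disk
sdb1 part vfat /media/usb0'

check_encryption "$SAMPLE_LSBLK" || echo "audit exit status: $?"
```

Run without an argument on a live host to audit it; the sample dump reports only `sdb1 /media/usb0 vfat`, because the root filesystem sits on the `cryptroot` mapping and the EFI partition is expected to be plaintext. Unencrypted swap partitions are reported too, since swap can carry memory contents to disk.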

According to the 2018 HIMSS Cybersecurity Survey, 9% of healthcare organizations report performing a cybersecurity risk assessment monthly and 9.6% report performing one daily. This is unlikely; if true, it indicates a large waste of resources. Cybersecurity risk assessments are vital to both security and regulatory compliance, giving a holistic view of your risk posture. But the process takes time, and traditional assessments of this type require highly skilled people. They are only useful if the time between them is used to resolve the issues identified.

Running a traditional, on-site risk assessment can be very expensive. First, hire outside auditors who, after about $40,000 and 72 hours, will produce a long, dense technical report. The next challenge is communicating that data to upper management and securing approval for a plan to address the issues revealed. has developed a better process: a SaaS platform that automates the cybersecurity risk assessment and quickly gives an organization of any size a robust view of its current cyber risks. The automatically generated Roadmap Report uses a score-card style view that summarizes your Top Missing Controls, your In-Progress Controls and your Successfully Implemented Controls, so upper management can understand and remediate security failures in a user-friendly and cost-effective way. If you’re wondering how your organization can get started, contact us for more information.


Brent Gage

After beginning his career as a roustabout on an offshore drilling rig, Brent is now the Manager of Cybersecurity at who performs client consultation and assessments while maintaining and monitoring the platform’s hosting infrastructure.
