Cancer Care Group to Pay $750,000 HIPAA Non-Compliance Penalty

Sep 2, 2015

Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to pay $750,000 to the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle potential HIPAA violations relating to a 2012 data breach.

In August 2012, Cancer Care Group discovered that a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The data breach exposed the Protected Health Information (PHI) of 55,000 patients.

The stolen device stored highly sensitive data, which included the Social Security numbers of patients: exactly the data required by identity thieves to rack up tens of thousands of debts in the names of the breach victims. The data on the drives was not encrypted.

Under the HIPAA Security Rule, data encryption is only an addressable implementation specification. This means that a HIPAA-covered entity must consider the use of data encryption for all PHI stored, transmitted, or backed up. A HIPAA-covered entity can make an informed decision as to whether data encryption is a wise precaution, but that means first reviewing the level of risk of potential exposure of that data.

Provided the decision not to encrypt data has a sound basis given the level of risk of exposure, and the decision and the reasons for it have been documented, a HIPAA violation and accompanying fine could well be avoided, even after a data breach has occurred that encryption could potentially have prevented.

However, when a data breach happens (and over 500 individuals are affected), an OCR breach investigation is conducted. That investigation is focused on determining whether the breach could have been prevented, and whether it would have been reasonable, under the circumstances, for protections to have been implemented to prevent that breach from occurring. If data security measures were weaker than those deemed necessary under HIPAA standards, a fine may well be issued.

In the case of Cancer Care Group, “widespread non-compliance with the HIPAA Security Rule” was found. The OCR was therefore forced to take corrective measures.

A corrective action plan was issued, with a strict timeframe for meeting data security standards, and a financial penalty was found to be appropriate. The OCR discovered enterprise-wide HIPAA-compliance issues which had been allowed to continue, unaddressed, since 2005: the date the Security Rule took effect.

Cancer Care Group did not perform a fundamental security measure: a comprehensive risk assessment covering the loss or theft of laptops and similar devices. The OCR investigators also found that the healthcare provider did not have written policies in place “for addressing and controlling the removal of electronic devices” from the offices.

In a press release published by the OCR, Director Jocelyn Samuels stated, “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.”

She added, “proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Cancer Care Group has agreed to implement a corrective action plan that addresses Security Rule failings and settle for $750,000 without admission of liability. The full resolution agreement for Cancer Care Group can be viewed here.

The new OCR HIPAA penalty comes in the aftermath of the OCR announcing it had reached a settlement with Brighton, Mass.-based St. Elizabeth’s Medical Center for $218,400. That case involved HIPAA violations arising from the sharing of documents via an internet-based application. At face value the cases do not seem similar, but both data breaches were a consequence of the failure to perform a comprehensive risk assessment.

The latest OCR HIPAA settlements make a clear statement to all HIPAA-covered entities. A failure to carry out a comprehensive risk assessment is a decision that will prove costly. And with the OCR HIPAA compliance audits coming soon, HIPAA failures such as these are highly likely to be identified.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
