Federal health officials have ordered the University of Texas MD Anderson Cancer Center to pay a $4.3 million fine for failing to secure health records stemming from data breaches.
The Houston Chronicle reports the U.S. Department of Health and Human Services announced Monday that MD Anderson's failure to encrypt health records violated the 1996 patient privacy law known as the Health Insurance Portability and Accountability Act.
The case involves three incidents in 2012 and 2013 when the center's devices were either stolen or lost, potentially compromising the health records of 35,000 people. The Office of Civil Rights' investigation into the data breaches found the center didn't fully encrypt all of its devices during that time.
MD Anderson had alleged the center wasn't subject to encryption requirements because the health information involved was being used for research.