New OCR HIPAA Penalty: Cancer Care Group to Pay $750,000

A new OCR HIPAA penalty has been issued for a breach of HIPAA regulations. Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000, for potential HIPAA violations relating to a 2012 data breach.

Back in August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The data breach exposed the Protected Health Information of 55,000 patients.

The stolen device contained highly sensitive data, which included the Social Security numbers of patients: exactly the data needed by identity thieves to rack up tens of thousands of debts in the names of the breach victims. The data on the drives was not encrypted.

HIPAA Does Not Demand Data Encryption


Under the HIPAA Security Rule, data encryption is only an addressable issue. This means that a HIPAA-covered entity must consider data encryption for all PHI stored, transmitted, or backed up. A HIPAA-covered entity can make an informed decision as to whether data encryption is a wise precaution, but that means first assessing the level of risk of potential exposure of that data.

Provided the decision not to encrypt data is reasonable, given the level of risk of exposure, a HIPAA violation and accompanying fine could well be avoided, even after a data breach has occurred that encryption could potentially have prevented. (That is, if the decision and the reasons for not encrypting are reasonable, and the process has been documented.)

The Decision Not to Encrypt Was Not the HIPAA Violation

However, when a data breach occurs (and over 500 individuals are affected), an OCR breach investigation is conducted. That investigation is concerned with determining whether the breach could have been prevented, and if it would have been reasonable, under the circumstances, for protections to have been put in place to prevent that breach from occurring. If data security measures were inferior to those deemed necessary under HIPAA standards, a financial penalty may well be issued.

In the case of Cancer Care Group, “widespread non-compliance with the HIPAA Security Rule” was discovered. The OCR was therefore forced to take corrective action.

An action plan was issued – with a tough timeframe for meeting data security standards – and a financial penalty was deemed to be appropriate. The OCR discovered enterprise-wide HIPAA-compliance issues which had been allowed to persist, unaddressed, since 2005, the date the Security Rule took effect.


Cancer Care Group neglected to perform a fundamental security measure: a comprehensive risk assessment for when laptops and other portable devices are lost or stolen. The OCR investigators also discovered that the healthcare provider did not have written policies in place “for addressing and controlling the removal of electronic devices” from the premises.

In a press release issued by the OCR, Director Jocelyn Samuels said, “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.”

She went on to say, “proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Cancer Care Group has agreed to implement an action plan that addresses Security Rule failings and settle for $750,000 without admission of liability. The full resolution agreement for Cancer Care Group can be read here.

Comply or Receive an OCR HIPAA Penalty


The new OCR HIPAA penalty comes soon after the OCR announced it had reached a settlement with Brighton, Mass-based St. Elizabeth’s Medical Center for $218,400. That case involved HIPAA violations stemming from the sharing of documents via an internet-based application. At face value the cases do not appear that similar, but both data breaches resulted from the failure to perform a comprehensive risk assessment.

The latest OCR HIPAA settlements send a clear message to all HIPAA-covered entities. A failure to perform a comprehensive risk assessment is a decision that will prove costly. And with the OCR HIPAA compliance audits looming ever closer, HIPAA failures such as these are highly likely to be uncovered.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.