Marianne Kolbasuk McGee reports:
The University of Texas MD Anderson Cancer Center has filed a lawsuit arguing that a $4.3 million HIPAA penalty levied against it last year by the Department of Health and Human Services following three data breaches involving unencrypted devices was unlawful.
In the complaint filed Tuesday in a Texas federal court, MD Anderson argues that HHS, as a federal agency, does not have the authority to impose the civil monetary penalty against the cancer center because MD Anderson, which is part of the University of Texas, is a “state agency.”
MD Anderson also argues that HHS exceeded its authority by imposing a civil monetary penalty “beyond the statutory caps” under HIPAA, and also exceeded its authority by imposing an “excessive” penalty in violation of the eighth amendment to the Constitution.
Read more on GovInfoSecurity.