One stolen laptop and two errant thumb drives may end up costing MD Anderson Cancer Center $4.3 million unless the University of Texas wins an appeal it plans to mount. It already lost the first round before officials from the Office for Civil Rights (OCR) and the second with an administrative law judge (ALJ).

Earlier this summer, an HHS ALJ dismissed what he called “a blizzard of arguments and counter-arguments” from MD Anderson about why it should not pay the penalty OCR had deemed appropriate—the fourth largest in the agency’s history. Unlike most organizations faced with OCR enforcement action, MD Anderson chose neither to settle with OCR and likely engage in a corrective action plan, nor to accept a penalty—$4.358 million, to be exact.

Although OCR’s investigation was triggered by the loss of the three items from 2012-2013, it grew to encompass MD Anderson’s program to encrypt all of its devices, an effort OCR contended was slow and incomplete.

According to OCR, the first incident was the theft of a laptop that had information about nearly 30,000 individuals. Neither encrypted nor password-protected, the laptop was stolen in April 2012 from the home of MD Anderson’s then-director of research informatics at its Genitourinary Cancer Center. He had purchased the laptop with MD Anderson funds and was using it for telework.

In July of the same year, MD Anderson reported that a summer intern in the Stem Cell Transplantation and Cellular Therapy Department lost a USB thumb drive she owned that had information on 2,264 individuals that she downloaded from MD Anderson’s systems.” In December 2013, another such drive that was owned by a “visiting researcher from Brazil” was missing from a “tray in her desk.” It contained data for 3,598 people. Both drives were unencrypted.