The University of Texas M.D. Anderson Cancer Center was having a hard time protecting patient electronic health information. In 2012, an employee’s laptop, containing ePHI for about 30,000 patients was stolen. The same year, a trainee lost an unencrypted thumb drive with ePHI for about 2,000 people during her evening commute and in 2013, a visiting researcher misplaced another unencrypted thumb drive which contained ePHI for about 3,600 people. There was no evidence that any of the lost devices were used, or that the ePHI was accessed by anyone, but the state-run cancer center clearly failed to protect the data, and had failed to encrypt these records.