In an appeal that marks the first time the Department of Health and Human Services (HHS) has considered the amount of the penalty in addition to the merits of the ruling, HHS has affirmed an OCR order imposing a $4.3 million penalty on the University of Texas MD Anderson Cancer Center (MD Anderson) for HIPAA violations. MD Anderson told the Cybersecurity Law Report that it plans to appeal the ruling. We analyze the case, the penalty (which one expert called “exceptional”) and what companies can learn from it. See also “Lessons From the Continued Uptick in HIPAA Enforcements” (Feb. 8, 2017).