Indiana oncology center Cancer Care Group, PC (CCG) has agreed to pay $750,000 to the Department of Health and Human Services and adopt corrective measures to settle HHS’s claims that the company violated HIPAA by failing to adequately protect electronic personal health information (ePHI). One of the main allegations was that CCG failed to secure unencrypted ePHI stored on computer back-up tapes, which were stolen from an employee’s car. CCG reported the incident to HHS, and there was no indication that the ePHI had been accessed, let alone misused. And, of course, HIPAA does not specifically require encryption. Once again, none of this mattered to the federal government’s number two enforcer of data security rules.