HIPAA Breach News

City of Long Beach Notifies Individuals Affected by November 2023 Cyberattack

It has taken more than a year for current and former residents of the City of Long Beach in California to learn that some of their personally identifiable and protected health information was compromised in a cyberattack. Notifications have been sent to multiple U.S. states confirming that the information of 470,060 individuals was exposed and potentially stolen in the attack. That figure includes 258,191 individuals whose protected health information was compromised. No ransomware group is known to have claimed responsibility for the attack.

The cyberattack was detected on or around November 14, 2023, and the forensic investigation confirmed on March 18, 2024, that sensitive data had been accessed or acquired by the threat actor. It then took a further 13 months before notification letters were mailed to the affected individuals. City officials confirmed that notification letters started to be mailed on April 14, 2025.

City officials explained that most of the affected systems were restored and brought back online within a matter of weeks after the attack was detected. Although unauthorized access to data was confirmed in March 2024, in an October 7, 2024, update the city explained that third-party cybersecurity professionals were still trying to determine the nature and scope of the data stolen in the attack. The city explained in the notice that complimentary credit monitoring and identity theft protection services would be offered to individuals whose Social Security numbers were involved. “This process of identifying specific individuals’ sensitive information is incredibly detailed, time-intensive, can be lengthy, and has been ongoing to date,” explained city officials in the October 2024 notice. “Progress is being made, and the process may be close to completion in the upcoming months.”

In the latest notification, city officials explained that between the attack and April 14, 2025, there have been no indications that any of the impacted information has been misused for the purpose of committing identity theft or fraud, and said the notification letters were being issued as required by law and out of an abundance of caution. Long Beach Mayor Rex Richardson said, “This has proven to be an unprecedented event for our organization, and we continue to take this investigation and its findings seriously.” The individual notifications confirm that credit monitoring and identity theft protection services are being provided for 12 months to individuals whose Social Security numbers were compromised.

The post City of Long Beach Notifies Individuals Affected by November 2023 Cyberattack appeared first on The HIPAA Journal.

Ascension Notifying Patients About Data Breach at Former Business Partner

Ascension in St. Louis, Missouri, has started notifying certain patients about a security incident at one of its former business partners. Ascension learned on December 5, 2024, that the business partner had experienced a hacking incident. An investigation was launched, and it was determined on January 21, 2025, that Ascension had inadvertently disclosed patient data to the former business partner, and that data had likely been stolen in the hacking incident. Ascension confirmed that its own systems were unaffected.

A hacker was able to exploit a vulnerability in third-party software to gain access to data held by the former business partner. The data review confirmed that the information likely stolen in the incident included names, addresses, phone numbers, dates of birth, email addresses, race/gender, Social Security numbers, medical record numbers, insurance company names, and clinical information related to inpatient visits, which may have included service locations, physicians’ names, discharge dates, and diagnosis and billing codes.

Ascension said it has reviewed its policies, procedures, and processes and will implement enhanced safeguards to prevent similar incidents in the future. The affected individuals had previously received services at Ascension facilities in Alabama, Michigan, Indiana, Tennessee, and Texas. Individual notifications are being mailed, and the affected individuals have been offered two years of complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Carolina Anesthesiology Database Containing 21,344 Records Exposed Online

A database containing the personally identifiable and protected health information of 21,344 patients has been exposed online. The database was found by security researcher Jeremiah Fowler, who analyzed a sample of the data and confirmed it contained information such as names, addresses, phone numbers, health insurance information, emergency contact information, diagnoses, case summaries, medications, vital statistics, family and patient medical histories, anesthesiology summaries, and physicians’ notes. The database also contained software billing and compliance reports belonging to a medical software company.

Fowler notified the medical software company about the exposed database; the company identified the database owner and passed on the notification. The database was secured the same day. It is unclear for how long the database was exposed and whether it was accessed by any other individuals. Fowler also identified files related to Atrium Health and contacted them about the data breach. Atrium Health confirmed that an investigation had been initiated and, via databreaches.net, that the database belonged to Carolina Anesthesiology. Atrium Health said it immediately shut down its data feeds to Carolina Anesthesiology while the database was secured and the incident was investigated. Carolina Anesthesiology is located in High Point, North Carolina, and provides anesthesiology services to High Point Regional Health System and Atrium Health.


Verisource Services Increases Data Breach Victim Count to 4 Million

Verisource Services, an employee benefits administration service provider, has determined that a previously announced data breach was far worse than initially thought and has affected up to 4 million individuals. The Houston, Texas-based company detected a hacking incident on February 28, 2024, that disrupted access to some of its systems. Third-party cybersecurity and incident response experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity.

The forensic investigation confirmed hackers had access to its network and exfiltrated files on February 27, 2024. At the time of the initial announcement, Verisource Services said names, dates of birth, genders, and Social Security numbers had been stolen. The affected individuals included employees and dependents of clients who used its services, which include HR outsourcing, benefits enrollment, billing, and administrative services.

The data breach was initially reported as affecting 1,382 individuals, but as the investigation progressed, it became clear that the breach was worse than initially thought. In August 2024, the data breach was reported to the HHS’ Office for Civil Rights (OCR) as involving the protected health information of 112,726 individuals. The most recent notification to the Maine Attorney General indicates up to 4 million individuals have been affected, a sizeable increase from previous estimates. The OCR breach portal still lists the incident as affecting 112,726 patients and plan members of its HIPAA-regulated entity clients, although that total may well be updated in the coming days.

Verisource Services explained in the breach notice that the data review was not completed until April 17, 2025, almost 14 months after the security incident was detected. Verisource Services reported the security incident to the Federal Bureau of Investigation, and several additional security measures have been implemented to improve its security posture. Notification letters had previously been sent to some affected individuals; however, the bulk of the notification letters have only recently been mailed. Verisource Services said complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, who will also be protected with a $1,000,000 identity theft insurance policy.

Since sensitive data was stolen many months ago, data may already have been misused. In addition to signing up for the credit monitoring and identity theft protection services, affected individuals should also check their account statements for signs of data misuse going back to February 2024. Verisource Services was already facing several class action lawsuits over the data breach. Now that the breach total has been substantially increased, further lawsuits are expected to be filed. The lawsuits already filed alleged that Verisource Services was negligent due to the failure to implement reasonable and appropriate cybersecurity measures and follow industry-standard cybersecurity best practices. The lawsuits seek a jury trial, attorneys’ fees, and compensatory and punitive damages.


Endue Software Confirms Data Breach Affecting Multiple Providers

Cybersecurity incidents have been announced by Endue Software, Whitman County Public Hospital District No. 3, Palo Verde Hospital, and Northern California Children’s Therapy Center.

Endue Software

Endue Software, an infusion management platform provider, has recently confirmed it has been affected by a cyberattack that involved unauthorized access to patient data. In its April 11, 2025, substitute breach notice, Endue Software explained that unauthorized access to some of its systems was identified on February 17, 2025. The forensic investigation confirmed that an unauthorized actor gained access to some of its systems for a brief period on February 16, 2025. While the window of opportunity was short, files were copied from its systems during that time. Since February, Endue Software has been reviewing the compromised data to determine which clients and patients have been affected. It has now been confirmed that the compromised data included patients’ full names, addresses, dates of birth, Social Security numbers, and medical record numbers.

It is unclear how many of Endue Software’s clients have been affected in total. Endue Software has reported the breach to the HHS’ Office for Civil Rights as a data breach affecting 118,028 individuals; however, some of its customers may be reporting the data breach separately, as was the case with Rheumatology Associates of Baltimore (RAB), which recently reported the breach to OCR as affecting 28,968 of its patients.

Whitman County Public Hospital District No. 3

Whitman County Public Hospital District No. 3 in Washington State has recently announced a data breach that has affected 63,453 individuals, including patients and members of its Group Health Plan. Suspicious activity was identified within its IT network on February 28, 2025. Its IT environment was immediately secured, law enforcement was notified, and an investigation was launched to determine the cause of the activity.

The investigation confirmed that an unauthorized third party had access to its IT environment between December 26, 2024, and February 28, 2025, during which time files containing patient and health plan member data may have been viewed or acquired. The file review confirmed that the exposed data included names plus some or all of the following: date of birth, address, Social Security number, financial account information, diagnosis, lab results, medications, other treatment information, health insurance information, provider names, and/or dates of treatment.

Notification letters started to be sent to the affected individuals on April 11, 2025. Complimentary credit monitoring and identity theft protection services have been offered to eligible individuals. Whitman County Public Hospital District No. 3 said additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.

Palo Verde Hospital

Palo Verde Hospital, a 51-bed hospital in Blythe, California, has recently notified the California Attorney General about a security incident “that disrupted the operations of some of its IT systems,” which suggests it was the victim of a ransomware attack. The incident was detected on March 6, 2025, and action was immediately taken to contain the threat. Assisted by third-party cybersecurity experts, the hospital determined there had been unauthorized access to its network between March 3, 2025, and March 6, 2025. During that time, files containing patient data were accessed and acquired by the threat actor.

The file review confirmed that patient data was involved such as names, contact information, demographic information, Social Security numbers, dates of birth, medical record numbers, patient account numbers, diagnosis/treatment information, prescription information, provider name(s), date(s) of service, and health insurance information. A subset of individuals also had financial account information and routing numbers exposed.

Steps have been taken to improve security to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Northern California Children’s Therapy Center

Northern California Children’s Therapy Center in Woodland, California, has confirmed that patient data has been compromised in a recent security incident. On March 16, 2025, an unauthorized individual exploited a vulnerability in a cloud-based system used to collect and manage information to facilitate developmental screenings and connect families with appropriate resources.

The screenings were provided through the Help Me Grow Yolo County Program, through which community programs such as early childhood services are provided. When the breach was detected, action was immediately taken to secure the system, and the incident was fully resolved by March 19, 2025. An internal review has been completed, and the compromised data has been confirmed as:

  • Referring provider information: agency name, address, phone number; provider name and email address
  • Child’s information: name, gender, date of birth, language(s), and developmental skills
  • Parent/caregiver information: name, relationship to the child, preferred method of contact, phone number, email address, and broad health-related issues
  • Other information: Broad questions or concerns of the family or provider

It was not possible to determine whether any specific child’s data was accessed or acquired. As a precaution, all individuals who had screenings have been notified. Northern California Children’s Therapy Center is working with cybersecurity experts to ensure the ongoing security of systems and records, has reconfigured the impacted storage system, and is looking to implement additional measures to strengthen security.

The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


Alternate Solutions Health Network Notifies Patients About May 2024 Email Breach

Email accounts have been compromised at four HIPAA-regulated organizations: Alternate Solutions Health Network in Ohio; Park Royal Hospital in Florida; 90 Degree Benefits in Minnesota; and the Charleston Fire Department in West Virginia. Almost 107,000 individuals have been affected.

Alternate Solutions Health Network, Ohio

Alternate Solutions Health Network, LLC, a Kettering, Ohio-based provider of home healthcare services, has identified unauthorized access to an employee’s email account that contained patient data. It is unclear for how long the threat actor had access to the account or when the breach was detected; however, it has taken almost a year for the affected individuals to be notified.

Alternate Solutions Health Network explained in its substitute breach notice that the forensic investigation confirmed that the account was breached on or around May 30, 2024. When the breach was detected, the account was secured, and third-party cybersecurity professionals were engaged to investigate the incident. “After an extensive investigation and manual document review, we discovered on February 14, 2025, that some personal and/or protected health information of individuals was contained in the compromised email account that was subject to unauthorized access and acquisition,” explained Alternate Solutions Health Network in the notification letters.

The types of information involved vary from individual to individual and may include first and last names, dates of birth, addresses, driver’s license numbers, physician/clinician names, clinical information, diagnostic information, and treatment information. A subset of the affected individuals also had their Social Security numbers stolen. Alternate Solutions Health Network said it will implement additional cybersecurity safeguards, enhance its employee cybersecurity training, and improve its cybersecurity policies, procedures, and protocols. The data breach was reported to the HHS’ Office for Civil Rights on April 14, 2025, as a breach affecting 93,589 individuals. Individual notification letters also started to be mailed on April 14, 2025.

Park Royal Hospital, Florida

The Pavilion at HealthPark, LLC, has announced a data breach affecting patients of Park Royal Hospital in Fort Myers, Florida. The private psychiatric hospital provides inpatient and outpatient behavioral health services, including treatment for mental health and substance use disorders. On January 14, 2025, an employee responded to a phishing email and disclosed their credentials, allowing a threat actor to access the employee’s email account and associated SharePoint account between January 14 and January 15, 2025. The breach was detected on January 17, 2025, and the email account was immediately secured.

The forensic investigation confirmed that the breach was limited to a single email account and the associated SharePoint account. No other systems or accounts were affected. The account review confirmed that the sensitive data of 9,349 patients was present in the account, including personally identifiable and protected health information such as names, admission dates, provider information, and patient status information. Individual notification letters started to be mailed to the affected individuals on March 18, 2025. Since Social Security numbers and financial information were not compromised, credit monitoring services are not being offered. Patients have been advised to monitor the statements they receive from their providers and health plans and should report any services listed that have not been received.

90 Degree Benefits, Inc., Minnesota

90 Degree Benefits, St. Paul, a third-party administrator that processes claims for companies that operate self-funded health plans, has identified an email account breach. Suspicious activity was identified in an employee’s email account in October 2024. The forensic investigation confirmed that a threat actor gained access to the account on October 18, 2024, and on or around December 17, 2024, it was confirmed that the threat actor had accessed emails and attachments in the account that contained sensitive data.

The emails and attachments were reviewed and found to contain information such as names, Social Security numbers, and/or member identification numbers. The breach was reported to the HHS’ Office for Civil Rights on April 18, 2025, as a data breach affecting 1,268 individuals. Individual notification letters were mailed to the affected individuals on April 18, 2025, and complimentary credit monitoring services have been made available. 90 Degree Benefits, St. Paul said several steps have already been taken to improve the security of its IT environment, including a review of security policies and processes and the provision of additional training to employees.

Charleston Fire Department, West Virginia

The Charleston Fire Department in West Virginia has identified unauthorized access to an employee’s email account. An account breach was suspected when the email account was used to send spam emails. The account was immediately secured, and third-party cybersecurity experts were engaged to conduct a forensic investigation. They confirmed that the breach was limited to a single email account, which was accessible between February 18, 2025, and February 21, 2025. The review of emails and attachments revealed the protected health information of 2,583 individuals had been exposed.

The exposed information was related to ambulance trips and EMS billing and included names, addresses, dates of birth, Social Security numbers, other demographic identifiers, clinical information (diagnoses/conditions, medications, dates of services), and/or insurance information. The majority of affected individuals only had their names, date of services, insurance carriers, and billing amounts exposed. Steps are being taken to strengthen email security, and complimentary credit monitoring services have been offered to the affected individuals. Individual notification letters were mailed to the affected individuals on April 22, 2025.


HIPAA Violation Cases

HIPAA violation cases are compliance investigations that result from a data breach being notified to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) or a privacy complaint being submitted to OCR via the complaints portal. When OCR identifies a violation of HIPAA, violation cases can be resolved in multiple ways.

OCR may choose to take no action if the HIPAA-regulated entity has identified and voluntarily corrected the HIPAA violation. If the HIPAA violation is not severe, OCR often chooses to provide technical assistance to help the regulated entity correct the violation. When there has been a serious violation of the HIPAA Rules, or evidence is found suggesting widespread noncompliance, OCR may initiate a more extensive review. Serious violations are sometimes resolved with a financial penalty.

OCR will notify the regulated entity about the findings of the investigation and typically gives the regulated entity an opportunity to settle the alleged violations informally. These settlements involve a reduced financial penalty and generally include a corrective action plan (CAP) with specific measures the regulated entity must implement to ensure compliance with the HIPAA Rules. The regulated entity will then be monitored for compliance with the HIPAA Rules by OCR for a set period, typically 1-3 years.

If a regulated entity contests the findings and maintains there was no wrongdoing, it has the opportunity to submit evidence to support a waiver of the proposed penalty. Should OCR determine that the evidence does not support a waiver, a civil monetary penalty will be imposed, but no CAP. The regulated entity can request a hearing of its HIPAA violation case before an Administrative Law Judge. If the appeal is not successful, a civil monetary penalty will be imposed.

There are many different types of HIPAA violation cases. For example:

  • Failure to conduct a risk analysis
  • Failure to create and monitor logs of activity in information systems containing ePHI
  • Impermissible uses and disclosures of PHI
  • Failure to comply with individuals’ rights under HIPAA
  • Lack of Notice of Privacy Practices
  • Failure to provide HIPAA training to the workforce; training and sanctions failures
  • Failure to provide security awareness training to the workforce
  • Non-compliance with audit control standards
  • Failure to develop a contingency plan
  • Lack of physical or technical safeguards
  • Business Associate Agreement failures
  • Failure to comply with the General Provisions for Transactions

Detailed below is a summary of all HIPAA violation cases that have resulted in civil monetary penalties or settlements with OCR, including cases that have been pursued by OCR after potential HIPAA violations were discovered during data breach investigations and investigations of complaints.


OCR has increased its enforcement activities in recent years. OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties imposed. In 2016, 12 entities agreed to settle their compliance investigations and pay a financial penalty, with one case seeing a civil monetary penalty imposed. The following three years saw similar numbers of financial penalties; however, there was another major increase in HIPAA fines in 2020 when 19 HIPAA violation cases were settled with OCR. In 2022 and 2024, OCR resolved 22 HIPAA violation cases with financial penalties.

The 2020 increase is largely due to OCR’s HIPAA Right of Access enforcement initiative, which was launched in late 2019. Since then, OCR has been cracking down on entities that have failed to provide individuals with timely access to their medical records. As of December 2024, OCR has settled or imposed civil monetary penalties in 51 HIPAA violation cases under this compliance initiative.

In 2024, OCR announced a new enforcement initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule. Risk analysis failures are among the most commonly identified HIPAA violations. In OCR’s last round of HIPAA audits in 2016 and 2017, most audited entities were not fully compliant with this important Security Rule provision, as they had either failed to conduct a HIPAA-compliant risk analysis, had not conducted one frequently enough, or their risk analyses were not comprehensive and/or accurate.

By increasing its enforcement activity, OCR is sending a message to all covered entities, large and small, that violations of HIPAA Rules will not be tolerated. OCR also announced in 2024 that the HIPAA compliance audit program will be recommencing imminently.

What are the Consequences of Violating HIPAA?

The consequences of violating HIPAA can be significant, and it is important to note that fines for a HIPAA violation can be applied by the HHS’ Office for Civil Rights (OCR) even if no breach of PHI has occurred. The financial consequences of violating HIPAA depend on the level of negligence, the severity of the violation, the number of individuals affected and the risk posed by the violation, the length of time that the violation has persisted, the financial position of the regulated entity, and, in the case of a security breach, whether the entity has implemented recommended security practices continuously for the 12 months prior to the security incident.

  • A violation of HIPAA attributable to ignorance of the HIPAA Rules can attract a fine of $141 – $35,581.
  • A violation that occurred despite reasonable vigilance can attract a fine of $1,424 – $71,162.
  • A violation due to willful neglect which is corrected within thirty days will attract a fine of between $14,232 and $71,162.
  • A violation due to willful neglect which is not corrected within thirty days will attract a fine of between $71,162 and $2,134,831.

The maximum financial penalty, for willful neglect of the HIPAA Rules, is $2,134,831 per violation category, per year. The above penalties were implemented as demanded by the HITECH Act of 2009 and are increased annually in line with inflation.

The last update to the HIPAA violation penalty amounts applies to cases assessed on or after August 8, 2024, as detailed in the table below:

| Penalty Tier | Level of Culpability                  | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|--------------|--------------------------------------|-------------------------------|-------------------------------|----------------------|
| Tier 1       | Reasonable Efforts                   | $141                          | $71,162                       | $2,134,831           |
| Tier 2       | Lack of Oversight                    | $1,424                        | $71,162                       | $2,134,831           |
| Tier 3       | Neglect – Rectified within 30 days   | $14,232                       | $71,162                       | $2,134,831           |
| Tier 4       | Neglect – Not Rectified within 30 days | $71,162                     | $2,134,831                    | $2,134,831           |

In April 2019, OCR reexamined the language of the HITECH Act, determined that it had been misinterpreted, and issued a Notice of Enforcement Discretion stating that the maximum annual penalties in three of the four penalty tiers would be changed. Under the Notice of Enforcement Discretion, the maximum annual penalty for a violation is capped at $25,000 for Tier 1, $100,000 for Tier 2, and $250,000 for Tier 3, plus annual inflation increases. Taking this into account, the figures OCR is working with are detailed in the table below and will apply indefinitely, until the next inflation increase.

The Notice of Enforcement Discretion only applied a new annual penalty cap in three of the four penalty tiers. It did not change the maximum penalty for a violation. In Tier 1, the statutory maximum penalty per violation is therefore higher than the annual penalty cap, so OCR must use the annual cap as the effective maximum penalty in that tier.

| Penalty Tier | Level of Culpability                          | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Cap |
|--------------|-----------------------------------------------|-------------------------------|-------------------------------|--------------------|
| Tier 1       | Lack of Knowledge                             | $141                          | $35,581                       | $35,581            |
| Tier 2       | Reasonable Cause                              | $1,424                        | $71,162                       | $142,355           |
| Tier 3       | Willful Neglect                               | $14,232                       | $71,162                       | $355,808           |
| Tier 4       | Willful Neglect (not corrected within 30 days) | $71,162                      | $2,134,831                    | $2,134,831         |

*Table last updated on August 10, 2024.

The inflation multiplier for 2025 was set by the Office of Management and Budget (OMB) as 1.02598. OMB requires all federal agencies to adjust their CMPs by January 15, 2025; however, before the new penalty amounts are applied, each federal agency is required to publish a final rule in the Federal Register applying the multiplier to existing penalties. OCR has been slow to apply the updates in recent years and did not apply the 2024 update until August 8, 2024. Another increase is due to be applied on January 15, 2025, but will likely be applied much later.

State Attorneys General can also impose financial penalties on HIPAA-covered entities and business associates for violations of the HIPAA Rules. Alternatively, financial penalties can be imposed if a breach of ePHI violates state laws. Some states are active enforcers of HIPAA compliance, including California, Connecticut, Indiana, Massachusetts, New Jersey, and New York.

When state laws are violated, the individuals whose ePHI has been compromised may be able to take legal action against the breached entity if it can be proven that they have suffered harm due to the negligence of a covered entity or business associate; however, there is no private cause of action in HIPAA, so it is not possible to sue a HIPAA-regulated entity for a HIPAA violation.

Financial Penalties Imposed on Covered Entities and Business Associates by the HHS’ Office for Civil Rights

[Figure: Penalties for HIPAA Violations 2008-2025]

[Figure: Funds raised by OCR enforcement actions (2008-2025)]

Listed below are all the OCR HIPAA violation cases that have resulted in a financial penalty. These cases include civil monetary penalties, where it has been established that HIPAA Rules have been violated, and settlements, where HIPAA violations have been alleged to have occurred but the covered entity or business associate has decided not to contest the case and has instead chosen to pay a financial penalty to resolve the potential HIPAA violations with no admission of liability.

HIPAA Violation Cases 2025

Comprehensive Neurology

Comprehensive Neurology is a small New York neurology practice. In December 2020, the practice fell victim to a ransomware attack that saw hackers encrypt medical records and gain access to the electronic protected health information of 6,800 individuals. OCR investigated and determined that the practice had not conducted a comprehensive risk analysis to identify risks and vulnerabilities to ePHI. A settlement was reached, and Comprehensive Neurology agreed to pay a $25,000 financial penalty to resolve the alleged HIPAA Security Rule violation. Read more…

PIH Health

The California healthcare network PIH Health was investigated over a phishing attack between June 11 and June 21, 2019, that saw a hacker gain access to 145 employee email accounts that contained the electronic protected health information of 189,763 individuals. The exposed ePHI included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information. OCR determined there had been an impermissible disclosure of the ePHI of 189,763 individuals, a failure to conduct a HIPAA-compliant risk analysis, and three HIPAA Breach Notification Rule failures: no timely breach notice to OCR, no timely notice to the affected individuals, and no media notice about the data breach. The alleged violations were settled, and PIH Health paid a $600,000 financial penalty. Read more…

Guam Memorial Hospital Authority

Guam Memorial Hospital Authority, the operator of a public hospital in the U.S. territory of Guam, was investigated after a complaint was received about a December 2018 ransomware attack. While the first complaint was being investigated, another complaint was received about unauthorized access to ePHI by employees after their employment had ended. The ransomware attack involved unauthorized access to the ePHI of up to 5,000 individuals, and OCR confirmed the second breach by former employees. OCR determined that a HIPAA-compliant risk analysis had not been conducted to identify risks and vulnerabilities to ePHI. OCR agreed to settle the alleged HIPAA violation, and Guam Memorial Hospital Authority agreed to pay a $25,000 financial penalty. Read more…

Northeast Radiology

Northeast Radiology, the operator of several medical imaging centers in New York and Connecticut, submitted a breach report to OCR in March 2020 involving unauthorized access to the protected health information of up to 298,532 individuals. Hackers had exploited a vulnerability in the Picture Archiving and Communication Systems (PACS) via its vendor Alliance HealthCare. Hackers had access to the system between April 2019 and January 2020. OCR investigated and determined that there had been a failure to conduct a comprehensive and accurate risk analysis. The alleged violation was settled, and Northeast Radiology agreed to pay a $350,000 financial penalty. This was the 6th financial penalty to be imposed under OCR’s risk analysis enforcement initiative. Read more…

Health Fitness Corporation

Health Fitness Corporation, an Illinois business associate that provides wellness plans to clients, submitted multiple breach reports to OCR between October 15, 2018, and January 25, 2019, on behalf of clients affected by a data breach. A misconfigured server had exposed protected health information on the Internet and files had been indexed by search engines. The data was exposed online between August 2015 and July 2018. According to Health Fitness, fewer than 4,304 individuals were affected. OCR investigated and determined that a HIPAA-compliant risk analysis was not completed until January 19, 2024. A settlement was agreed upon that included a $227,816 financial penalty. Read More…

Oregon Health & Science University

Oregon Health & Science University was found to have failed to provide a personal representative with timely access to a patient’s full medical records. While some of the requested records were provided within a few days of the request being received, it took multiple requests, two interventions from OCR, and 16 months from the initial request for all of the requested records to be provided. OCR gave the university the opportunity to settle the case informally, but when a settlement could not be agreed, OCR proceeded to impose a civil monetary penalty of $200,000. Read More…

Warby Parker, Inc.

Warby Parker, Inc., a manufacturer and online retailer of prescription and non-prescription eyewear, was ordered to pay a civil monetary penalty of $1,500,000 to resolve alleged violations of the HIPAA Security Rule that were identified by OCR following an investigation of multiple data breaches. The first breach involved unauthorized access to the ePHI of 197,986 individuals between September 25, 2018, and November 30, 2018. Hackers compromised accounts in a credential stuffing attack on its website. Further data breach reports were filed with OCR in September 2019, January 2020, April 2020, and June 2022 that were also due to credential stuffing attacks, although the subsequent attacks only affected 484 individuals. OCR determined that Warby Parker had failed to conduct a HIPAA-compliant risk analysis, had not sufficiently reduced risks and vulnerabilities to ePHI, and was not conducting regular reviews of logs of activity in information systems containing ePHI. Read More…

HIPAA Violation Cases 2024

OCR has confirmed that 22 HIPAA violation cases in 2024 were resolved with civil monetary penalties or settlements.

Northeast Surgical Group

Northeast Surgical Group, a Michigan-based provider of surgical services, experienced a ransomware attack in 2023 that resulted in unauthorized access to ePHI and the encryption of the ePHI of all 15,298 of its patients. OCR investigated and determined that Northeast Surgical Group had not conducted a comprehensive and accurate risk analysis to identify risks and vulnerabilities to all ePHI. This was OCR’s 4th enforcement action under its new risk analysis enforcement initiative. The HIPAA violation case was settled with a $10,000 penalty. Read More…

South Broward Hospital District (Memorial Health System)

South Broward Hospital District, dba Memorial Health System in Florida, was investigated over a complaint from a patient who had not been provided with a copy of an EEG tracing, despite making one mailed request and three requests via the patient portal. The first request was made on December 30, 2020; however, the EEG tracing was not provided until September 29, 2021, 9 months after the first request was made. OCR determined that this was a violation of the HIPAA Right of Access. Memorial Health System disagreed with the determination, as a copy of the EEG tracing had been provided to the patient on a previous occasion, but the case was settled to avoid the time and cost of litigation, and Memorial Health System paid a $60,000 penalty. Read More…

Solara Medical Supplies

Solara Medical Supplies, a supplier of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes, fell victim to a phishing attack that saw a threat actor gain access to the email accounts of 8 employees between April 2019 and June 2019. The email accounts contained the ePHI of 114,007 individuals. When issuing notification letters, 1,531 letters were sent to incorrect addresses, resulting in an impermissible disclosure of patients’ demographic information. OCR identified multiple violations of the HIPAA Security Rule and Breach Notification Rule: the failure to conduct a HIPAA-compliant risk analysis, the failure to manage risks and reduce them to an acceptable level, the impermissible disclosure of the ePHI of 114,007 patients in the first breach and 1,531 in the second breach, and the failure to issue timely notifications to OCR, the media, and the affected individuals. Solara settled the alleged violations and paid a $3,000,000 financial penalty. Read More…

USR Holdings

USR Holdings, a holding company that owns and manages primary mental health and substance abuse treatment facilities in Florida, Maryland, and Kentucky, discovered between December 8, 2018, and January 9, 2019, that there had been unauthorized access to a database containing ePHI from August 23, 2018, to December 8, 2018. Unauthorized individuals were able to access the ePHI of 2,903 individuals and delete data.

OCR investigated and determined that USR Holdings had failed to conduct a HIPAA-compliant risk analysis, had not implemented procedures for reviewing records of information system activity, had not established and implemented procedures for creating and maintaining retrievable exact copies of ePHI, and that there had been impermissible access to ePHI and the deletion of ePHI. USR Holdings settled the alleged violations and paid a $337,750 penalty. Read More…

Virtual Private Network Solutions

Virtual Private Network Solutions, a Virginia-based provider of data hosting and cloud services, experienced a ransomware attack on October 31, 2021, that resulted in unauthorized access to the ePHI of at least 23,868 individuals. OCR investigated and determined that Virtual Private Network Solutions had failed to conduct a comprehensive and accurate risk analysis to identify all risks and vulnerabilities to ePHI. This was the third financial penalty to be imposed under OCR’s risk analysis enforcement initiative. The HIPAA violation case was settled for $90,000. Read More…

Elgon Information Systems

Elgon Information Systems, a Massachusetts-based provider of electronic medical records and billing support services, experienced a ransomware attack on March 31, 2023. The investigation revealed the ransomware group first accessed its systems on March 25, 2023, via open ports on its firewall. The ransomware group was able to access the ePHI of 31,248 individuals. OCR investigated and determined Elgon Information Systems had failed to conduct a comprehensive and accurate risk analysis to identify all risks and vulnerabilities to ePHI. The HIPAA violation case was settled, and Elgon Information Systems paid an $80,000 penalty. This was the second HIPAA violation case to result in a financial penalty under OCR’s risk analysis enforcement initiative. Read More…

Inmediata Health Group

In 2018, OCR learned that ePHI provided to Inmediata, a healthcare clearinghouse, could be accessed by anyone via the Internet without authentication. Inmediata’s investigation confirmed that the ePHI of 1,565,338 individuals had been exposed online from May 2016 to January 2019, including names, birth dates, Social Security numbers, health information, and claims information. OCR determined that Inmediata had not conducted an accurate and thorough risk analysis, was not monitoring activity in information systems containing ePHI, and there had been an impermissible disclosure of ePHI. The case was settled for $250,000. There was no corrective action plan as Inmediata had already implemented measures per a 2023 multi-state settlement with 32 states and Puerto Rico. The multi-state action included a $1.4 million penalty. Read More…

Children’s Hospital Colorado Health System

On July 11, 2017, and between April 6, 2020, and April 13, 2020, Children’s Hospital Colorado Health System, a not-for-profit provider of healthcare services for children and young individuals, fell victim to phishing attacks that involved unauthorized access to ePHI. OCR investigated and determined there had been an impermissible disclosure of the ePHI of 10,840 patients. The investigation also revealed Children’s Hospital Colorado failed to provide HIPAA Privacy Rule training to 6,666 members of the workforce, including 3,495 nursing students, and a HIPAA-compliant risk analysis had not been conducted until February 5, 2021. OCR imposed a civil monetary penalty of $548,265 to resolve the alleged HIPAA Privacy and Security Rule violations. Read More…

Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute

On February 19, 2019, the Florida-based pain management practice Gulf Coast Pain Consultants discovered that a former contractor had accessed the medical records of patients without authorization on three occasions after he had stopped providing services. The electronic protected health information of 34,310 patients was accessed by the contractor without authorization. OCR investigated and identified a failure to comply with four provisions of the HIPAA Security Rule: a risk analysis had not been conducted, logs of activity in information systems were not being checked, access rights of workforce members were not promptly terminated, and there were no policies and procedures for modifying workforce members’ access rights. OCR imposed a civil monetary penalty of $1,190,000 to resolve the alleged violations. Read More…

Holy Redeemer Family Medicine

OCR received a complaint from a patient of Holy Redeemer Family Medicine, a Pennsylvania healthcare provider, about an impermissible disclosure of her medical records, including her reproductive healthcare records, to a prospective employer. The patient had given authorization to disclose a single test result unrelated to her reproductive health; however, Holy Redeemer sent the prospective employer the patient’s full records, which included her surgical history, obstetric history, gynecological history, and other sensitive reproductive health information. OCR determined the disclosure violated the HIPAA Privacy Rule. The case was settled for $35,581. Read More…

Rio Hondo Community Mental Health Center

OCR received a complaint from a patient of Rio Hondo Community Mental Health Center, a directly operated Outpatient Program of the County of Los Angeles Department of Mental Health, that she had not been provided with a copy of her medical records, 5 months after making a request and after several phone calls and a visit to the center. OCR investigated and the records were provided to the patient, 7 months after the initial request was made, which included two months under the state governor’s COVID-19 stay-at-home order when the clinic was unstaffed. The clinic failed to respond to an offer to informally settle the alleged HIPAA Right of Access violation, resulting in OCR imposing a $100,000 civil monetary penalty. Read More…

Bryan County Ambulance Authority

Bryan County Ambulance Authority, an Oklahoma emergency medical service provider, suffered a ransomware attack on November 24, 2021, that resulted in the encryption of files on its network. The encrypted files contained the ePHI of 14,273 patients. OCR investigated and determined that Bryan County Ambulance Authority had never conducted a risk analysis to identify potential risks and vulnerabilities to ePHI. This was the first enforcement action under OCR’s risk analysis enforcement initiative. The alleged violation was settled for $90,000. Read More…

Gums Dental Care

Gums Dental Care, a Maryland dental practice, was investigated by OCR after a complaint was received from a patient who was not provided with a copy of her or her children’s medical records. The practice claimed the complainant would not pay a $25 administrative fee for mailing the records (certified mail) and that the request was denied because the practice believed she would use the information to commit insurance fraud. OCR stated that the fee was not appropriate since the patient requested the records be sent via email, and the belief that the information would be used for fraud was not a valid reason for a denial of the Right of Access request under the HIPAA Privacy Rule. A civil monetary penalty of $70,000 was imposed for failing to provide timely access to medical records, in violation of the HIPAA Right of Access. Read More…

Providence Medical Institute

Providence Medical Institute, a Californian healthcare provider, was investigated by OCR after reporting a data breach that occurred between February and March 2018 as a result of a ransomware attack. The protected health information of 85,000 individuals was involved. OCR determined that servers containing ePHI were encrypted 3 times, and there was a potential violation of two HIPAA Security Rule provisions: the failure to restrict access to ePHI to only authorized individuals/software, and a lack of a business associate agreement. OCR imposed a civil monetary penalty of $240,000 to resolve the alleged violations. Read More…

Cascade Eye and Skin Centers

Cascade Eye and Skin Centers, a healthcare provider in Washington state, was investigated by OCR over a ransomware attack in 2017. The hackers gained access to 291,000 files containing patient data. The OCR investigation determined there was a failure to conduct a comprehensive and accurate risk analysis, and there were insufficient reviews of activity in information systems that contained ePHI. The investigation was settled and a penalty of $250,000 was paid to resolve the alleged HIPAA violations. Read More…

American Medical Response

American Medical Response is a Greenwood Village, CO-based private ambulance company. On October 31, 2018, a patient requested a copy of her medical records, which should have been provided by November 30, 2018. Despite sending multiple requests for those records, they were not provided. A complaint was filed with OCR, and the records were finally provided on November 5, 2019, 370 days after the initial request was submitted. OCR determined that there had been a violation of the HIPAA Right of Access and provided American Medical Response with the opportunity to settle; however, American Medical Response chose not to, resulting in a civil monetary penalty of $115,200 being imposed to resolve the HIPAA violation. Read More…

Heritage Valley Health System

Heritage Valley Health System is a 3-hospital health system with more than 50 physician offices and many community satellite facilities in Pennsylvania, eastern Ohio, and West Virginia. In 2017, Heritage Valley fell victim to a NotPetya ransomware attack that prevented access to its Windows devices. OCR investigated to establish whether Heritage Valley was compliant with the HIPAA Security Rule and found three areas of non-compliance: Heritage Valley had not conducted a comprehensive risk analysis to identify risks and vulnerabilities to electronic protected health information, there was a lack of a contingency plan for responding to an emergency, and there was a lack of technical policies and procedures for restricting access to systems containing ePHI. OCR agreed to settle the alleged violations for $950,000. Read More…

Essex Residential Care (Hackensack Meridian Health, West Caldwell Care Center)

Essex Residential Care, LLC, which does business as Hackensack Meridian Health and operates the skilled nursing facility West Caldwell Care Center in New Jersey, was found to have failed to provide a son with timely access to the medical records of his mother when the son was the personal representative of his mother. It took 161 days from the initial request for the records to be provided. OCR investigated and notified West Caldwell Care Center of its intention to impose a financial penalty but West Caldwell Care Center disagreed with OCR’s determination. West Caldwell Care Center accepted the records were not provided in 30 days, but submitted evidence of mitigating factors; however, they were rejected by OCR, which imposed a civil monetary penalty of $100,000. Read More…

Phoenix Healthcare

Phoenix Healthcare, an Oklahoma multi-facility organization that provides nursing care, was found to have failed to provide a daughter with timely access to her mother’s medical records when the daughter was the personal representative of her mother. The requested records were provided 323 days after the initial request was made. OCR proposed a $250,000 financial penalty; however, the proposed fine was contested and a hearing was requested with an Administrative Law Judge (ALJ). The ALJ upheld OCR’s determination but reduced the financial penalty to $70,000. The fine was appealed but the Departmental Appeals Board did not reduce the fine. OCR then proposed a $35,000 settlement, on the basis that the penalty was not further contested. Read More…

Green Ridge Behavioral Health

Green Ridge Behavioral Health is a Gaithersburg, MD-based provider of psychiatric evaluations, medication management, and psychotherapy that experienced a ransomware attack in which the protected health information of 14,000 individuals was exposed. OCR investigated and identified multiple potential violations of the HIPAA Privacy and Security Rules. Green Ridge Behavioral Health was determined to have failed to conduct an accurate risk analysis, failed to reduce risks to ePHI, did not have policies and procedures for reviewing records of information system activity, and there was an impermissible disclosure of the PHI of more than 14,000 patients. Green Ridge Behavioral Health settled the alleged violations with no admission of wrongdoing and paid a $40,000 penalty. Read More…

Montefiore Medical Center

Montefiore Medical Center is a non-profit hospital system based in New York City. In May 2015, the New York Police Department notified the medical center about the theft of patient data. The medical center’s investigation confirmed that an employee had accessed and stolen the data of 12,517 patients. The employee sold the data to an identity theft ring. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; failed to implement procedures to review records of activity in information systems, and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems. Montefiore Medical Center settled the investigation and paid a $4,750,000 penalty. Read More…

HIPAA Violation Cases 2023

Optum Medical Care of New Jersey

Optum Medical Care of New Jersey is a private multi-specialty physician group with approximately 150 locations in New Jersey and Southern Connecticut. In the Fall of 2021, OCR received complaints from 6 individuals who claimed not to have been provided with a copy of their requested records in a timely manner. OCR investigated and discovered the patients had not been provided with their records within the time frame permitted by the HIPAA Privacy Rule. The patients had to wait between 84 days and 231 days to receive their requested records. OCR determined this was a violation of the HIPAA Right of Access. The case was settled for $160,000. Read More…

Lafourche Medical Group

Lafourche Medical Group, a Louisiana-based medical group specializing in emergency medicine, occupational medicine, and laboratory testing, experienced a phishing attack that exposed the PHI of 34,862 individuals. OCR investigated and found that a security risk analysis had not been conducted prior to the phishing attack in 2021, and there were no procedures to regularly review logs of system activity prior to the attack. OCR settled the alleged HIPAA violations for $480,000. Read More…

St. Joseph’s Medical Center

St. Joseph’s Medical Center is a non-profit academic medical center in New York. OCR launched an investigation after seeing a media article about the medical center’s response to the COVID-19 public health emergency. The article included images and information about three of the medical center’s patients. The medical center had allowed an Associated Press reporter to have access to the patients and their clinical information without first obtaining authorizations from the patients. The disclosures were a violation of the HIPAA Privacy Rule. The case was settled for $80,000. Read More…

Doctors’ Management Services

Doctors’ Management Services (DMS) is a Massachusetts-based medical management company whose services include medical billing and payor credentialing. DMS suffered a GandCrab ransomware attack in December 2018. The forensic investigation confirmed the attackers first gained access to its network on April 1, 2017. OCR investigated and identified multiple violations of the HIPAA Rules including a failure to conduct an accurate risk analysis, a failure to review records of system activity, a failure to implement reasonable and appropriate policies/procedures to comply with the HIPAA Security Rule, and an impermissible disclosure of the PHI of 206,695 individuals. The case was settled for $100,000. Read more…

L.A. Care Health Plan

Local Initiative Health Authority for Los Angeles County, operating and doing business as L.A. Care Health Plan, is an independent local public agency that provides health coverage to low-income Los Angeles County residents. OCR conducted two investigations, one of a large breach and another of a separate data breach reported by the media, and found multiple violations of the HIPAA Security Rule: the lack of a comprehensive risk analysis, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, and an impermissible disclosure of the ePHI of 1,498 individuals. The case was settled for $1,300,000. Read More…

UnitedHealthcare

UnitedHealthcare is a health insurer that is part of Minnetonka, MN-based UnitedHealthcare Group. OCR received a complaint on March 25, 2021, from a patient who claimed not to have been provided with their requested medical records. OCR notified UnitedHealthcare about the complaint, and the failure to provide the records was attributed to an employee error. OCR determined there had been a HIPAA Right of Access failure and UnitedHealthcare was fined $80,000. Read More…

iHealth Solutions, dba Advantum Health

iHealth Solutions is a Louisville, Kentucky-based HIPAA business associate that provides management services to healthcare practices. In 2017, a server was left unsecured, allowing an unauthorized individual to steal files that contained the ePHI of 267 individuals. OCR determined there had been a failure to conduct an accurate and thorough risk analysis and an impermissible disclosure of ePHI. The case was settled for $75,000. Read More…

Yakima Valley Memorial Hospital

Yakima Valley Memorial Hospital is a 222-bed non-profit community hospital in Washington State. OCR investigated a report of snooping on 419 medical records by 23 security guards in the emergency department. OCR determined the hospital had failed to implement appropriate policies and procedures to ensure compliance with the HIPAA Rules. The case was settled with OCR for $240,000. Read More…

Manasa Health Center, LLC

Manasa Health Center, LLC, is a New Jersey-based provider of psychiatric services for adults and children. OCR received a complaint in April 2020 about impermissible disclosures of PHI in response to negative Google Reviews. OCR investigated and found there had been impermissible disclosures of the PHI of four patients in response to negative reviews, a lack of policies and procedures related to online disclosures, and a failure to issue breach notification letters to those individuals. The case was settled for $30,000.

MedEvolve Inc.

The Luxottica Group PIVA-owned vision insurance company, EyeMed Vision Care, experienced a data breach in June 2020 involving the protected health information (PHI) of 230,572 individuals. An FTP server had been left exposed over the Internet. OCR’s investigators identified a risk analysis failure, a lack of a business associate agreement with a subcontractor, and an impermissible disclosure of the PHI of 230,572 individuals. The case was settled for $350,000. Read More…

David Mente, MA, LPC

The Pittsburgh, PA-based counselor and therapist, David Mente, was found not to have provided a father with a copy of his minor children’s health records. OCR provided technical assistance, but the records were still not provided as requested. OCR determined the delay in providing the records constituted a violation of the HIPAA Right of Access. The case was settled for $15,000. Read More…

Banner Health

The Phoenix, Arizona-based non-profit health system, Banner Health, experienced a hacking incident that resulted in the impermissible disclosure of the PHI of 2.81 million individuals in 2016. OCR’s investigators identified a risk analysis failure, a lack of reviews of system activity, a failure to verify identity for access to PHI, and insufficient technical safeguards. The case was settled for $1,250,000. Read More…

Life Hope Labs, LLC

Life Hope Labs, LLC, in Sandy Springs, Georgia, failed to provide an individual with the medical records of her deceased father in a timely manner. It took 225 days from the initial request for the records to be provided. The diagnostic laboratory settled the case with OCR and paid a $16,500 financial penalty. Read More…

HIPAA Violation Cases 2022

Health Specialists of Central Florida Inc.

Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc., was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased father’s medical records. It took multiple requests and almost 5 months for all of the requested medical records to be provided. Health Specialists of Central Florida Inc. settled the case with OCR and paid a $20,000 penalty. Read More…

New Vision Dental

The Californian general dental practice, New Vision Dental, was investigated by OCR following reports about impermissible disclosures of patients’ protected health information on the review platform Yelp. OCR found that the owner of the practice had responded to several reviews and disclosed ePHI, even disclosing the names of patients in the responses who had chosen to post reviews anonymously. The disclosed information included details of patients’ visits, treatment, and insurance. OCR also found the Notice of Privacy Practices to be inadequate. The case was settled with OCR and a $23,000 financial penalty was imposed. Read More…

Great Expressions Dental Center of Georgia, P.C.

Great Expressions Dental Center of Georgia, P.C. was investigated by OCR in response to a complaint from a patient that she would be charged a fee of $170 for her medical records. OCR determined this fee to be unreasonable and that there had been a 15-month delay in providing the patient with the requested records. The practice settled the case with OCR for $80,000. Read More…

Family Dental Care, P.C.

Family Dental Care, P.C. in Chicago, Illinois, was investigated in response to a complaint from a patient who had only been provided with a partial copy of her requested medical records. It took 5 months from the initial request for the complete set of medical records to be provided. The case was settled with OCR for $30,000. Read More…

B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental

Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor child’s medical records, despite submitting multiple requests to the practice. It took 8 months from the date of the first request for the records to be provided. A settlement was agreed upon with OCR that included a $25,000 penalty. Read More…

New England Dermatology and Laser Center

New England Dermatology and Laser Center in Massachusetts disposed of empty specimen containers in regular dumpsters between February 4, 2011, and March 31, 2021. The containers had labels that included the PHI of patients. The PHI of 58,106 patients was improperly disposed of during that timeframe. The case was settled with OCR for $300,640. Read More…

ACPM Podiatry

ACPM Podiatry in Illinois did not provide a former patient with his requested records, and despite the intervention of OCR, the patient was still not provided with the requested records due to the non-payment of a bill by the insurance company. OCR imposed a civil monetary penalty of $100,000. Read More…

Memorial Hermann Health System

Memorial Hermann Health System in Texas received five requests from a patient for complete records to be provided between June 2019 and January 2020. It took 564 days from the initial request for all of the records to be provided to the patient. OCR settled the case for $240,000. Read More…

Southwest Surgical Associates

Southwest Surgical Associates in Texas took 13 months to provide a patient with all of the requested records between February 11, 2020, and March 5, 2021. OCR settled the case for $65,000. Read More…

Hillcrest Nursing and Rehabilitation

Hillcrest Nursing and Rehabilitation in Massachusetts received a request from a parent for her son’s medical records on March 22, 2020, but the records were not provided until October 10, 2020. OCR settled the case for $55,000. Read More…

MelroseWakefield Healthcare

MelroseWakefield Healthcare in Massachusetts received a valid request from a personal representative of a patient on June 12, 2020, but it took until October 20, 2020, for the requested records to be provided due to an error regarding the legality of the durable power of attorney. OCR settled the case for $55,000. Read More…

Erie County Medical Center Corporation

Erie County Medical Center Corporation in Buffalo, NY, failed to provide a patient with timely access to his medical records. OCR settled the case for $50,000. Read More…

Fallbrook Family Health Center

Fallbrook Family Health Center in Nebraska failed to provide a patient with timely access to the requested medical records. OCR settled the case for $30,000. Read More…

Associated Retina Specialists

Associated Retina Specialists in New York took 5 months to provide a patient with the requested medical records. The records were provided within days of OCR intervening. OCR settled the case for $22,500. Read More…

Coastal Ear, Nose, and Throat

Coastal Ear, Nose, and Throat in Florida received a request from a patient for a copy of medical records on December 15, 2020, and again on January 8, 2021, but the records were not provided until May 20, 2021. OCR settled the case for $20,000. Read More…

Lawrence Bell, Jr. D.D.S

Lawrence Bell, Jr. D.D.S in Maryland failed to provide a patient with timely access to the requested medical records. OCR settled the case for $5,000. Read More…

Danbury Psychiatric Consultants

Danbury Psychiatric Consultants in Massachusetts received a request for medical records on March 24, 2020, but access to the records was refused due to an outstanding bill. The records were provided on September 14, 2020. OCR settled the case for $3,500. Read More…

Oklahoma State University – Center for Health Sciences

Oklahoma State University – Center for Health Sciences experienced a hacking incident that was reported to OCR in January 2018. The investigation revealed a failure to conduct an accurate risk analysis, noncompliance with the security incident response and reporting requirements of the HIPAA Security Rule, the failure to conduct an evaluation following changes that affected the security of ePHI, a lack of audit controls, breach notification delays, and the impermissible disclosure of the PHI of 279,865 individuals. The case was settled for $850,000. Read More…

Dr. Brockley

The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. After being notified by OCR about a proposed fine of $105,000, Dr. Brockley requested a hearing with an Administrative Law Judge, but settled out of court and agreed to a fine of $30,000. Read more…

Jacob & Associates

The California-based psychiatric medical services provider failed to provide a patient with timely access to the requested medical records and charged an unreasonable fee when the records were eventually provided. OCR also identified issues with the notice of privacy practices and a HIPAA privacy officer had not been appointed. The case was settled and a financial penalty of $28,000 was paid. Read more…

Northcutt Dental-Fairhope

The owner of the Fairhope, AL, dental practice impermissibly disclosed patients’ PHI to a campaign manager and a third-party marketing company in relation to a state senate election campaign. OCR also identified issues with the notice of privacy practices and there was no HIPAA privacy officer. The case was settled for $62,500. Read more…

Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A.

The dental practice with offices in Charlotte and Monroe, NC, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review. The failure to cooperate with the investigation and respond to an administrative subpoena resulted in a civil monetary penalty of $50,000. Read more…

HIPAA Violation Cases 2021

Advanced Spine & Pain Management

Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $32,150. Read more…

Denver Retina Center

Denver Retina Center, a Denver, CO-based provider of ophthalmological services, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $30,000. Read more…

Dr. Robert Glaser

Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, failed to provide a patient with timely access to the requested medical records after repeated requests. Dr. Glaser did not cooperate with OCR during the investigation, resulting in OCR imposing a civil monetary penalty of $100,000 for the HIPAA Right of Access violation. Read more…

Rainrock Treatment Center LLC (dba Monte Nido Rainrock)

Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a Eugene, OR-based provider of residential eating disorder treatment services, failed to provide a patient with timely access to the requested medical records after repeated requests. The HIPAA Right of Access violation was settled with OCR for $160,000. Read more…

Wake Health Medical Group

Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $10,000. Read more…

Children’s Hospital & Medical Center

Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, received a request from a parent for access to her daughter’s medical records but only provided part of the requested information, despite repeated requests. CHMC settled the HIPAA Right of Access case with OCR and paid an $80,000 penalty. Read more…

The Diabetes, Endocrinology & Lipidology Center, Inc.

The Diabetes, Endocrinology & Lipidology Center, Inc., a West Virginia-based healthcare provider specializing in treating endocrine disorders, failed to provide a parent with a copy of her minor child’s protected health information within 30 days. The HIPAA Right of Access violation was settled with OCR for $5,000. Read more…

AEON Clinical Laboratories (Peachstate)

OCR investigated a breach reported by the Department of Veteran Affairs involving a business associate, Authentidate Holding Corporation. During the investigation, OCR discovered the business associate had acquired Peachstate, a CLIA-certified laboratory that provides clinical and genetic testing services. OCR investigated Peachstate and uncovered multiple potential violations of the HIPAA Security Rule. The case was settled with OCR for $25,000. Read more…

Village Plastic Surgery

Ridgewood, NJ-based Village Plastic Surgery failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $30,000. Read more…

Arbour Hospital

Arbour Hospital, a mental health clinic in Boston, MA, failed to provide a patient with the requested medical records within 30 days. OCR provided technical assistance but received another complaint from the same patient that the records had still not been provided. The HIPAA Right of Access violation was settled with OCR for $65,000. Read more…

Sharp Healthcare

San Diego-based Sharp Healthcare, dba Sharp Rees-Stealy Medical Centers, failed to provide a patient’s medical records to a patient-specified third party for more than 2 months. OCR provided technical assistance and closed the case, but the records were still not provided. The HIPAA Right of Access violation was settled with OCR for $70,000. Read more…

Renown Health

Renown Health, a not-for-profit healthcare network in Northern Nevada, failed to provide a patient’s attorney with a copy of her medical and billing records within 30 days. The patient filed a complaint with OCR and the records were eventually provided more than 10 months later. The HIPAA Right of Access violation was settled with OCR for $75,000. Read more…

Excellus Health Plan

In 2015, Excellus Health Plan reported a breach of the ePHI of 9,358,891 individuals. OCR investigated and uncovered multiple potential violations of the HIPAA Rules: a risk analysis failure, a risk management failure, a lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. The case was settled for $5,100,000. Read More…

Banner Health

Phoenix, AZ-based Banner Health is one of the largest healthcare systems in the United States. OCR received two complaints from patients in 2019 alleging they had to wait several months to receive a copy of their medical records. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $200,000. Read More…

HIPAA Violation Cases 2020

Premera Blue Cross

Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest. In 2015, Premera discovered there had been a breach of the ePHI of 10,466,692 individuals. OCR investigated and found multiple potential HIPAA violations such as the failure to conduct a thorough risk analysis, risk management failures, and insufficient mechanisms to identify suspicious network activity. The case was settled for $6,850,000. Read More…

CHSPSC LLC

CHSPSC LLC is a Tennessee-based management company that provides services to affiliates of Community Health Systems. In 2014, hackers accessed its systems and stole the ePHI of 6,121,158 individuals. OCR investigated and found multiple violations of the HIPAA Rules including a delayed response to a known security breach, risk analysis and risk management failures, and a lack of procedures to monitor information system activity logs. The case was settled for $2,300,000. Read More…

Athens Orthopedic Clinic PA

Athens Orthopedic Clinic PA in Georgia had its systems hacked in 2016. The hacker stole data, attempted to extort money, and leaked the ePHI of 208,557 patients online when payment was not received. OCR investigated the incident and discovered risk analysis and risk management failures, insufficient information system activity logging and monitoring, missing business associate agreements, and employees had not been provided with HIPAA Privacy Rule training. The case was settled for $1,500,000. Read More…

Peter Wrobel, M.D., P.C., dba Elite Primary Care

Elite Primary Care is a provider of primary health services in Georgia. OCR received a complaint from a patient who alleged he had been denied access to his medical records. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the practice continued to deny him access. The case was settled for $36,000. Read More…

University of Cincinnati Medical Center

A patient of University of Cincinnati Medical Center filed a complaint with OCR after not being provided with her requested records more than 13 weeks after submitting a request. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the records had still not been provided. The case was settled for $65,000. Read More…

Dr. Rajendra Bhayani

OCR received a complaint from a patient of Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology, alleging he had not provided a patient with a copy of her medical records. OCR intervened and closed the case but received a second complaint a year later alleging the records had still not been provided. The case was settled for $15,000. Read More…

Riverside Psychiatric Medical Group

OCR received a complaint from a patient of California-based Riverside Psychiatric Medical Group in March 2019 alleging he had not been provided with a copy of his medical records. OCR intervened but received a second complaint a month later when the records had still not been provided. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $25,000. Read More…

City of New Haven, CT

The city of New Haven in Connecticut was investigated over an incident in which a former employee accessed its systems after termination and copied a file containing the ePHI of 498 individuals. OCR determined that the failure to terminate access rights when employment had ended was a violation of the HIPAA Security Rule. OCR also determined there had been a risk analysis failure, a failure to implement Privacy Rule policies, and a failure to provide all employees with unique IDs to track information system activity. The case was settled for $202,400. Read More…

Aetna

Aetna Life Insurance Company and the affiliated covered entity (Aetna) were investigated over three data breaches that exposed the ePHI of 18,489 individuals. OCR’s investigation revealed periodic technical and non-technical evaluations of operational changes affecting the security of their electronic PHI had not been performed, procedures had not been implemented to verify the identity of individuals accessing their ePHI, there was a lack of ePHI safeguards, and Aetna had violated the minimum necessary standard. The case was settled for $1,000,000. Read More…

NY Spine

OCR received a complaint from a patient of NY Spine, a private New York medical practice, who alleged she had not been provided with a copy of the diagnostic films she requested. OCR intervened and provided technical assistance, but it took 16 months for the records to be provided. The case was settled for $100,000. Read More…

Dignity Health, dba St. Joseph’s Hospital and Medical Center

OCR investigated a complaint from a mother who requested a copy of her son’s medical records from St. Joseph’s Hospital and Medical Center but had not been provided with a complete set of the records. After OCR intervened, the records were provided, but it took 22 months from the initial date of the request. The case was settled for $160,000. Read More…

Housing Works, Inc.

Housing Works, Inc. is a New York City-based non-profit healthcare organization that provides healthcare, homeless services, and legal aid support for people affected by HIV/AIDS. OCR received a complaint from a patient who had not been provided with a copy of his medical records. OCR intervened and closed the case but received a second complaint a month later when the records had still not been provided. The case was settled for $38,000. Read More…

All Inclusive Medical Services, Inc.

All Inclusive Medical Services, Inc. (AIMS) is a Carmichael, CA-based multi-specialty family medicine clinic. OCR received a complaint from a patient who alleged AIMS refused to give her a copy of her medical records. OCR determined this violated the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $15,000. Read More…

Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. OCR received a complaint from a patient alleging BILHBS had not provided a copy of her father’s medical records. OCR intervened and the records were provided 8 months after the initial request. The case was settled for $70,000. Read More…

King MD

King MD is a small provider of psychiatric services in Virginia. OCR received a complaint from a patient who had not been provided with her medical records after a 2-month wait. OCR intervened and closed the case but received a second complaint two months later when the records had still not been provided. The case was settled for $3,500. Read More…

Wise Psychiatry, PC

Wise Psychiatry is a small provider of psychiatric services in Colorado. A mother requested a copy of her son’s medical records, but the records had not been provided three months after submitting the request. OCR intervened and closed the case but received a second complaint 6 months after the first stating the records had still not been provided. The case was settled for $10,000. Read More…

Lifespan Health System Affiliated Covered Entity

Lifespan Health System Affiliated Covered Entity is a Rhode Island healthcare provider. OCR conducted an investigation into an incident involving a stolen laptop that contained the ePHI of 20,431 patients. OCR determined the lack of encryption was in violation of the HIPAA Security Rule, there were insufficient device and media controls, and a business associate agreement had not been entered into with its parent company. The case was settled for $1,040,000. Read More…

Metropolitan Community Health Services dba Agape Health Services

Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center. Operating as Agape Health Services, the company experienced a breach of the ePHI of 1,263 patients. OCR investigated and identified longstanding, systemic noncompliance with the HIPAA Security Rule, including risk analysis and risk management failures, and the failure to provide security awareness training to employees. The case was settled for $25,000. Read More…

Steven A. Porter, M.D.

Steven A. Porter, M.D.’s gastroenterological practice in Ogden, UT, reported a breach to OCR involving a medical record company that was blocking access to patients’ ePHI until a bill was paid. OCR investigated and found that the EHR company had been allowed access to ePHI without a signed business associate agreement, and also identified risk analysis and risk management failures. The case was settled for $100,000. Read More…

HIPAA Violation Cases 2019

West Georgia Ambulance

OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR discovered a risk analysis failure, the lack of a security awareness training program, and a failure to implement HIPAA Security Rule policies and procedures. The case was settled for $65,000. Read More…

Bayfront Health St. Petersburg

Bayfront Health St. Petersburg was investigated following the receipt of a complaint from a patient on August 14, 2018. The patient had requested a copy of her child’s fetal heart monitor records, but 9 months after the request had been submitted the records still had not been provided. A settlement of $85,000 was agreed upon with OCR to resolve the HIPAA violation. This was OCR’s first settlement under the 2019 HIPAA Right of Access enforcement initiative. Read More…

Korunda Medical, LLC

In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The investigation confirmed there had been a HIPAA Right of Access failure. A settlement of $85,000 was agreed upon to resolve the violation. Read More…

University of Rochester Medical Center

OCR launched an investigation of University of Rochester Medical Center following receipt of two breach reports concerning lost/stolen portable devices containing ePHI – a flash drive and a laptop computer. Technical assistance had previously been provided by OCR, but devices had still not been encrypted. In addition, OCR determined there had been risk analysis failures, a risk management failure, and a lack of device and media controls. The case was settled for $3 million. Read More…

Sentara Hospitals

A patient submitted a complaint to OCR about an impermissible disclosure of PHI in a mailing. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. The OCR investigation determined that 577 patients had been affected, but Sentara Hospitals refused to update its breach notice to reflect the correct number of patients affected. OCR also discovered a business associate failure. The case was settled for $2.175 million. Read More…

Elite Dental Associates

A patient of Elite Dental Associates submitted a complaint to OCR stating her PHI had been disclosed by Elite Dental Associates in response to a review on Yelp. OCR investigated and discovered similar privacy violations had occurred when responding to patient reviews. The impermissible disclosures of PHI resulted in a $10,000 settlement. Read More…

Medical Informatics Engineering

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general and paid a penalty of $900,000. Read More…

Touchstone Medical Imaging

On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals. The OCR investigation revealed a lack of business associate agreements, insufficient access rights, a risk analysis failure, a failure to respond to a security incident, a breach notification failure, and a media notification failure. The case was settled for $3 million. Read More…

Texas Department of Aging and Disability Services

The Department of Health and Human Services’ Office for Civil Rights (OCR) imposed a $1.6 million civil monetary penalty (CMP) on the Texas Health and Human Services Commission (TX HHSC) for multiple violations of HIPAA Rules discovered during the investigation of an exposed internal application containing ePHI. OCR determined there had been a risk analysis failure, access control failure, information system activity monitoring failure, and an impermissible disclosure of 6,617 patients’ ePHI. Read More…

Jackson Health System

OCR imposed a $2.154 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS), for a slew of violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. OCR determined its compliance program had been in disarray for several years. Read More…

HIPAA Violation Cases 2018

Cottage Health – Exposure of ePHI Over the Internet

OCR agreed to settle multiple alleged HIPAA violations with Cottage Health for $3,000,000. In 2013 and 2015, protections on servers were accidentally removed and files containing ePHI could be accessed over the internet without the need for a username or password. The ePHI of 62,500 patients was exposed. OCR discovered risk analysis failures, risk management failures, a failure to conduct technical and non-technical evaluations following environmental or operational changes, and the disclosure of ePHI to a contractor without first entering into a business associate agreement. Read More…

Pagosa Springs Medical Center – Failure to Terminate Employee Access

OCR fined Pagosa Springs Medical Center $111,400 for the failure to terminate a former employee’s access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients’ ePHI. The medical center had also failed to enter into a BAA with a business associate. Read More…

Advanced Care Hospitalists – Multiple Compliance Failures Resulting in Impermissible PHI Disclosure

An OCR investigation into an impermissible disclosure of 9,255 individuals’ PHI by Advanced Care Hospitalists, a business associate of a HIPAA-covered entity, revealed serious HIPAA compliance failures including a lack of a BAA, insufficient security measures to protect ePHI, and no documentation showing there had been any HIPAA compliance efforts prior to April 1, 2014. A settlement of $500,000 was agreed upon to resolve the alleged HIPAA violations. Read More…

Allergy Associates of Hartford – PHI Disclosure to Reporter

OCR investigated a complaint about an impermissible disclosure of a patient’s PHI to a reporter. OCR confirmed that PHI had been disclosed without an authorization from the patient and that there had been no sanctions against the physician responsible, despite being warned in advance not to disclose any PHI. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations. Read More…

Anthem Inc – Multiple Compliance Failures Contributing to 78.8 Million Record Breach

An investigation into Anthem Inc.’s massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations. OCR determined there had been risk analysis failures, insufficient reviews of system activity, a failure to respond adequately to a detected breach, and insufficient technical controls to prevent unauthorized ePHI access. Anthem agreed to a record-breaking settlement of $16,000,000 to resolve the case. Read More…

Boston Medical Center – Filming Patients Without Consent

Boston Medical Center was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Boston Medical Center agreed to settle the alleged HIPAA violations with OCR for $100,000. Read More…

Brigham and Women’s Hospital – Filming Patients Without Consent

Brigham and Women’s Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Brigham and Women’s Hospital agreed to settle the alleged HIPAA violations with OCR for $384,000. Read More…

Massachusetts General Hospital – Filming Patients Without Consent

Massachusetts General Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Massachusetts General Hospital agreed to settle the alleged HIPAA violations with OCR for $515,000. Read More…

Filefax, Inc. – Failure to Protect Physical PHI

After the permanent closure of the company, paperwork containing former patients’ PHI was discarded by FileFax. The paperwork was taken by a member of the public who sold the material to a recycling facility. OCR determined there had been a failure to protect patient information which resulted in an impermissible disclosure of 2,150 patient records. FileFax agreed to settle the alleged HIPAA violations for $100,000. Read More…

Fresenius Medical Care North America – Multiple Compliance Failures Contributing to 5 PHI Breaches

An investigation of five separate breaches at HIPAA-covered entities owned by Fresenius Medical Care North America revealed multiple HIPAA violations had contributed to the breaches. OCR discovered risk analysis failures, a lack of policies covering electronic devices, a lack of encryption or alternative safeguards, insufficient security policies, and insufficient physical safeguards, resulting in an impermissible disclosure of 521 individuals’ PHI. Fresenius Medical Care North America settled the case for $3,500,000. Read More…

University of Texas MD Anderson Cancer Center – Impermissible Disclosures of PHI

OCR investigated three breaches involving the loss of a laptop computer and two unencrypted thumb drives containing patients’ PHI. OCR determined that there had been an impermissible disclosure of 34,883 patients’ ePHI due to a lack of encryption. The case was contested, but an administrative law judge ruled in favor of OCR. University of Texas MD Anderson Cancer Center was ordered to pay a civil monetary penalty of $4,348,000. Read More…

HIPAA Violation Cases 2017

Memorial Hermann Health System – Careless Handling of PHI

Memorial Hermann Health System (MHHS) agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights for $2,400,000. The settlement stems from an impermissible disclosure of PHI in a press release issued by MHHS in September 2015. Read More…

St. Luke’s-Roosevelt Hospital Center Inc. – Unauthorized Disclosure of PHI

The Department of Health and Human Services’ Office for Civil Rights announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. Read More…

The Center for Children’s Digestive Health – Lack of a Business Associate Agreement

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. The Center for Children’s Digestive Health (CCDH), a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois, has agreed to pay OCR $31,000 to resolve potential HIPAA violations. Read More…

CardioNet – Impermissible Disclosure of PHI

A $2.5 million settlement has been agreed upon with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Settlements have previously been agreed upon with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. Read More…

Metro Community Provider Network – Lack of Security Management Process

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. Read More…

Memorial Healthcare System – Insufficient ePHI Access Controls

OCR has announced that a $5.5 million settlement has been reached with Florida-based Memorial Healthcare System to resolve potential Privacy Rule and Security Rule violations. Memorial Healthcare System has paid the penalty for non-compliance with the HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance. Read More…

Children’s Medical Center of Dallas – Impermissible Disclosure of ePHI

The Department of Health and Human Services’ Office for Civil Rights has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. OCR attempted to resolve the matter via informal means between November 6, 2015, and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. Read More…

MAPFRE Life Insurance Company of Puerto Rico – Impermissible Disclosure of ePHI

The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers, and dates of birth. The device was not protected by a password and data on the device was not encrypted. MAPFRE has agreed to a $2,200,000 settlement with OCR. Read More…

Presence Health – Delayed Breach Notifications

Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. Presence Health took three months to issue breach notifications when the Breach Notification Rule requires notifications to be sent within 60 days of the discovery of a breach. Read More…

HIPAA Violation Cases 2016

University of Massachusetts Amherst – Failure to Manage Security Risks

The Department of Health and Human Services’ Office for Civil Rights has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. Read More…

St. Joseph Health – Failure to Conduct Risk Analysis

The settlement relates to the exposure of ePHI as a direct result of the failure to conduct a comprehensive risk analysis and a security assessment on a server prior to using it to share files containing ePHI. The server had been purchased and a file-sharing application was installed, yet no changes were made to the application. The default security settings were left in place, which allowed any individual with an Internet connection to gain access to the ePHI in the files. St. Joseph Health has agreed to pay OCR $2,140,500. Read More…

Care New England Health System – Lack of a Business Associate Agreement

The Department of Health and Human Services’ Office for Civil Rights has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. Read More…

Advocate Health Care Network – Multiple HIPAA Violations

OCR has just announced it has agreed to the largest ever HIPAA settlement with a single covered entity. Advocate Health Care Network will pay a record $5.55 million to settle multiple potential violations of the Health Insurance Portability and Accountability Act. The previous record was the $3.5 million settlement with Triple S Management Corporation agreed in November 2015. Read More…

University of Mississippi Medical Center – Multiple HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also agreed to adopt a corrective action plan (CAP) to bring privacy and security standards up to the level required by HIPAA. Read More…

Oregon Health & Science University – Lack of a Business Associate Agreement

Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services’ Office for Civil Rights stemming from two data breaches experienced in 2013. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability. The privacy breaches occurred shortly after each other in 2013. Within the space of three months, the protected health information of over 7,000 patients was exposed. Read More…

Catholic Health Care Services of the Archdiocese of Philadelphia – Failure to Safeguard ePHI

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle alleged HIPAA violations with OCR and implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS had not performed a comprehensive risk analysis since September 23, 2013. CHCS also failed to implement appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(B). Read More…

New York Presbyterian Hospital – Filming Patients without Authorization

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from patients. An ABC crew was permitted to film inside NYP facilities for the show “NY Med” featuring Dr. Mehmet Oz. A number of patients were filmed, but consent had not been obtained. Read More…

Raleigh Orthopaedic Clinic, P.A. of North Carolina – Lack of Business Associate Agreement

OCR has reached a settlement with Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. Read More…

Feinstein Institute for Medical Research – Impermissible Disclosure of PHI

The Department of Health and Human Services’ Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. This is the second-largest settlement amount agreed with OCR. The data breach investigation revealed a substandard security management process and a catalog of HIPAA Security Rule violations. Read More…

North Memorial Health Care of Minnesota – Lack of a Business Associate Agreement

The Department of Health and Human Services’ Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. Read More…

Complete P.T., Pool & Land Physical Therapy, Inc. – Impermissible Disclosure of PHI

Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. Read More…

Lincare, Inc. – Failure to Safeguard PHI

For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records. Read More…

HIPAA Violation Cases 2015

University of Washington Medicine – Failure to Conduct Risk Analysis

The University of Washington Medicine has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013. Read More…

Triple S Management Corporation – Multiple HIPAA Violations

Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services’ Office for Civil Rights. Triple S was also required to pay a HIPAA violation penalty of $6.8 million to the Puerto Rico Health Insurance Administration for a failure to comply with the Health Insurance Portability and Accountability Act’s Privacy Rule last year, although the HIPAA violation fine was reduced to $1.5 million on appeal. Read More…

Lahey Hospital and Medical Center – Multiple HIPAA Violations

The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights over alleged HIPAA violations following a data breach that occurred in October 2011. Lahey Hospital and Medical Center agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to adopt the OCR’s corrective action plan to address HIPAA-compliance issues discovered by OCR investigators. Read More…

Cancer Care Group, P.C. – Failure to Conduct Risk Analysis

Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000, for potential HIPAA violations relating to a 2012 data breach. In August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The data breach exposed the Protected Health Information of 55,000 patients. Read More…

St. Elizabeth’s Medical Center – Multiple HIPAA Violations

A HIPAA settlement of $218,400 has been reached with St. Elizabeth Medical Center (SEMC) for violations of HIPAA Privacy, Security, and Breach Notification Rules. The settlement for HIPAA violations was reached with SEMC for violations that led to a document sharing system data breach that exposed 498 records, and a data breach involving the theft of a flash drive containing unencrypted data of 595 patients. Read More…

Cornell Prescription Pharmacy – Improper Disposal of PHI

OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records. Cornell Pharmacy is a single-location healthcare provider that mostly serves hospice care organizations in Denver and provides compound medications. Read More…

HIPAA Violation Cases 2014

Anchorage Community Mental Health Services – Failure to Manage Risks to ePHI

Anchorage Community Mental Health Services (ACMHS) is a non-profit organization that runs five mental health facilities in Alaska. In 2012 it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. Had software patches been installed on the computers, the malware would not have been able to infect the PCs. ACMHS has agreed to settle the case with OCR for $150,000.

Parkview Health System, Inc. – Failure to Safeguard PHI

Parkview Healthcare System has agreed to pay an $800,000 settlement for a violation of the HIPAA Privacy Rule. The incident for which the fine has been issued dates back to 2009, when a data security complaint was filed by a patient of one of its doctors. The doctor was retiring and was due to receive a delivery of 71 boxes of medical files containing up to 8,000 patient records; the delivery was made while he was out of the house, and the boxes were left on the doctor’s driveway. Read More…

New York and Presbyterian Hospital and Columbia University – Failure to Conduct Risk Analysis

The Office for Civil Rights has agreed to its largest-ever financial penalty for a violation of the Health Insurance Portability and Accountability Act’s Privacy and Security Rules. The data breach was caused when a computer server firewall was deactivated by a physician at Columbia University, leaving electronic PHI exposed and accessible via search engines. New York and Presbyterian Hospital (NYP) and Columbia University (CU) will jointly pay a penalty of $4,800,000. Read More…

QCA Health Plan, Inc., of Arkansas – Failure to Safeguard ePHI

QCA Health Plan, Inc. of Arkansas reported the theft of a laptop from a car that contained unencrypted data on 148 patients. OCR investigated the breach and discovered multiple violations of the HIPAA Privacy and Security Rules. QCA Health Plan has agreed to settle the HIPAA violations with OCR for $250,000. Read More…

Concentra Health Services – Failure to Safeguard ePHI

Following the report of the theft of a laptop from the Springfield Missouri Physical Therapy Center, Concentra Health Services was subjected to an investigation by the OCR. Documentation was uncovered that clearly showed that mobile devices were believed to represent a critical security risk, yet action was not taken to address this issue in time to prevent the data breach. Concentra has agreed to pay OCR $1,725,220 to resolve the case. Read More…

Skagit County, Washington – Failure to Safeguard ePHI

Skagit County, Washington is paying the price for failing to implement the appropriate controls and safeguards to protect the data it held. Skagit County agreed to pay OCR $215,000 following the exposure of the data of seven individuals. ePHI was unwittingly transferred to a publicly accessible server, where it was accessed by unknown third parties. Read More…

HIPAA Violation Cases 2013

Adult & Pediatric Dermatology, P.C. – Failure to Safeguard ePHI

The Office for Civil Rights has issued a statement confirming that an agreement has been reached with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts following the accidental disclosure of the PHI of approximately 2,200 patients after a memory stick was stolen from the car of one of the center’s employees. A settlement of $150,000 has been reached with OCR. Read More…

Affinity Health Plan, Inc. – Failure to Permanently Erase ePHI

The Office for Civil Rights has announced that a settlement of $1,215,780 has been reached with Affinity Health Plan, Inc., to resolve potential HIPAA violations discovered during a breach investigation. A digital photocopier was returned to a leasing company, but the PHI stored on its hard drive had not been erased before the device was returned. Read More…

WellPoint – Failure to Safeguard ePHI

WellPoint is one of the largest providers of affiliated health plans, with almost 36 million policyholders across the United States. Between October 23, 2009, and March 7, 2010, part of its database of policyholders was accessible to unauthorized individuals. A settlement of $1,700,000 has been agreed upon with OCR to resolve the HIPAA violations that contributed to the cause of the breach. Read More…

Shasta Regional Medical Center – Disclosure of PHI Without Patient Consent

An article published in the LA Times started a sequence of events that has now resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. PHI had been intentionally provided to the media on three separate occasions. Read More…

Idaho State University – Failure to Safeguard ePHI

Idaho State University’s Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing the medical health records of 17,500 patients. The firewall was inactive for a period of 10 months leaving the data exposed and potentially accessible to unauthorized third parties for an unacceptable period of time. A settlement of $400,000 was agreed upon with OCR to resolve the HIPAA violations. Read More…

FAQs

How many HIPAA violation cases are there each year?

The number of alleged HIPAA violation cases received each year by HHS’ Office for Civil Rights varies. The most recent data available shows that in 2021 the agency received 34,077 complaints relating to privacy violations and 64,180 breach notifications. In the majority of cases, the agency resolves complaints without the need for an investigation or finds no HIPAA violation exists. However, up to 500 cases per year result in a fine and/or corrective action being required.

It is important to note that these figures only represent the complaints and notifications received by HHS’ Office for Civil Rights. Complaints can also be made to individual Covered Entities and State Attorneys General, but there is no public record of these.

How are the penalties for HIPAA violations calculated?

The penalties for HIPAA violations are calculated on the “factors considered in determining a civil monetary penalty” plus the “such other matters as justice may require” clause in 45 CFR §160.408. Generally, there are four HIPAA violation classifications that rank the level of an organization’s culpability, the organization’s attempts to mitigate the consequences of the violation, and the organization’s willingness to assist with an investigation.

Can you be fined more than once for the same violation?

You can be fined more than once for the same violation if an organization fails to take corrective action after having been issued an initial fine. An organization’s prior history with regard to HIPAA non-compliance can also be a contributory factor in the calculation of penalties for HIPAA violations, and a second or subsequent fine will likely be much larger than the first.

How do you know how much training to provide in order to avoid being in violation of HIPAA?

It can be difficult to know how much training to provide in order to avoid violating HIPAA because there are no specific HIPAA training requirements. The HIPAA Privacy Rule only stipulates that training should be provided “as necessary and appropriate for members of the workforce to carry out their functions,” and the HIPAA Security Rule only requires that CEs and BAs “implement a security awareness and training program for all members of the workforce.”

Your graphs indicate the penalties for HIPAA violations are increasing. Is this the case?

Although our graphs indicate the penalties for HIPAA violations are increasing, it is important to put the raw data into context. There are two key events to consider when looking at the timeline of penalties for HIPAA violations – the passage of the HITECH Act in 2009, which reversed the burden of proof for HIPAA violations, and the HIPAA Omnibus Rule in 2013, which implemented the provisions of the HITECH Act and made business associates directly liable for HIPAA violations that were their fault.

Are all the above cases real life HIPAA violation cases?

All the above cases are real life HIPAA violation cases that have been reported to and investigated by HHS’ Office for Civil Rights. As mentioned previously, there are many, many more real life HIPAA violation cases that do not get published in the public domain because either they affect fewer than 500 individuals or they are resolved internally by the Covered Entity they are reported to.

Where can I find recent HIPAA violation cases?

Recent HIPAA violation cases that result in a civil monetary penalty are added to this page as soon as details are publicly available. For details of recent HIPAA violation cases that have not resulted in a civil monetary penalty, visit HHS’ Breach Report and click on the link to the Archive. This database contains thousands of HIPAA violation cases that have not resulted in a civil monetary penalty.

Have there been any HIPAA lawsuit cases?

HIPAA lawsuit cases are not recorded as such because HIPAA has no private right of action. However, there have been cases in which a HIPAA data breach is subsequently pursued in court in a civil lawsuit – the best example being the Anthem breach of 2014. More than 100 private class action lawsuits were filed against Anthem – the ultimately consolidated case being settled for $115 million.

Why are there not more HIPAA violations in the news?

The reason there are not more HIPAA violations in the news is that only a few violations each year justify column inches because of their nature or the size of the penalty imposed by HHS’ Office for Civil Rights. Many HIPAA violations are not deliberate acts of theft, but rather mistakes that are resolved by the tightening up of security measures and further employee training.

Who investigates cases of HIPAA violations other than HHS’ Office for Civil Rights?

Cases of HIPAA violations are investigated most often by the Covered Entity to whom they are reported. Indeed, many Covered Entities don’t provide the contact details for HHS’ Office for Civil Rights on their Notices of Privacy Practices, so most complaints about HIPAA violations are reported directly to them rather than to HHS’ Office for Civil Rights or State Attorneys General.

Cases of HIPAA violations can also be reported internally by members of a Covered Entity’s workforce, and HIPAA requires Business Associates to report all security incidents to the Covered Entity – including those that do not constitute a HIPAA violation – so again, the Covered Entity gets to hear about violations first before deciding whether the events are notifiable.

HIPAA violations that are not violations of the Privacy, Security, and Breach Notification Rules are investigated by other federal agencies. For example, the Centers for Medicare and Medicaid Services investigates cases of Part 162 HIPAA violations, the Department of Labor investigates violations of HIPAA’s portability provisions, and the Federal Trade Commission investigates violations of the Breach Notification Rule by companies that are not Covered Entities or Business Associates.

What are the worst HIPAA violation cases?

The worst HIPAA violation cases are the ones that continue for long periods of time without being identified and corrected. This is especially true when individually identifiable health information is disclosed knowingly and wrongfully to commit identity theft and fraud as this type of HIPAA violation case can impact individuals’ lives for many years.

Why have patients’ rights violation cases been prioritized?

Patients’ rights violation cases appear to have been prioritized in recent years because in 2019 HHS’ Office for Civil Rights announced a Right of Access enforcement initiative. The initiative aims to address issues related to patients being able to access a copy of their PHI and an Accounting of Disclosures to see who their PHI has been disclosed to up to six years previously.

Why are most HIPAA violation cases medical HIPAA violation cases?

Most HIPAA violation cases are medical HIPAA violation cases because there are many more medical facilities that qualify as Covered Entities than there are health plans or healthcare clearinghouses that qualify as Covered Entities. There are more than 6,000 hospitals, 9,000 urgent care centers, and 27,000 pharmacies that qualify as Covered Entities in the U.S., compared to fewer than 1,000 covered health plans and healthcare clearinghouses combined.

What can Covered Entities learn from HIPAA violation stories?

What Covered Entities can learn from HIPAA violation stories about other Covered Entities is what measures they may need to implement to mitigate the risk of a violation or data breach. Some HIPAA violation stories are quite unique in how they happened or how their consequences could have been prevented, and hearing about these stories helps Covered Entities conduct better-informed risk analyses and implement reasonable and appropriate measures where necessary.

Is a breach of patient confidentiality a HIPAA violation?

A breach of patient confidentiality is not necessarily a HIPAA violation because some disclosures of PHI permitted by the Privacy Rule may be regarded by the patient as a breach of patient confidentiality, even though they are not HIPAA violations. For example, under §164.512 of the Privacy Rule, there are a number of scenarios in which healthcare providers can disclose individually identifiable health information to public health agencies, law enforcement officers, and employers.

In addition to the above example, there may be times when a healthcare provider breaches patient confidentiality – but does not violate HIPAA – because the information being disclosed is not protected by the Privacy Rule. For example, if a healthcare provider maintains a database of names and telephone numbers – and there is no health information maintained in the same database – the names and telephone numbers are not Protected Health Information and not protected by the Privacy Rule.

The post HIPAA Violation Cases appeared first on The HIPAA Journal.

Data Breaches Reported by Mystic Valley Elder Services & St. Anthony Regional Hospital

Mystic Valley Elder Services, a Malden, Massachusetts-based non-profit agency providing home and community-based care to elders and adults living with disabilities, has started issuing individual notifications about a cyberattack and data breach that was identified on April 5, 2024.

A digital forensics company was engaged to investigate the unauthorized activity and confirmed that there had been unauthorized access to its internal systems on April 5, 2024, during which time files may have been acquired. A review was conducted of all affected files which confirmed on July 11, 2024, that protected health information had been exposed. The data involved varied from individual to individual and may have included names, dates of birth, passport numbers, financial account numbers, payment card numbers, online credentials, taxpayer identification numbers, Social Security numbers, driver’s license numbers, health insurance information, and medical information.

Notification letters are now being mailed to the affected individuals and complimentary credit monitoring and identity theft protection services have been made available. Mystic Valley Elder Services said it is enhancing its technical safeguards to prevent similar breaches in the future. The HHS’ Office for Civil Rights breach portal shows two listings for this incident: one involving the records of 85,133 individuals in its capacity as a healthcare provider, and one involving the protected health information of 2,402 individuals in its capacity as a business associate.

St. Anthony Regional Hospital, Iowa

St. Anthony Regional Hospital in Carroll, Iowa, has recently announced it fell victim to a cyberattack in August. Suspicious activity was identified within its network on August 26, 2024, and the forensic investigation confirmed there had been unauthorized access to a subset of its network between August 14, 2024, and August 28, 2024. During that time, the threat actor accessed or downloaded files on the network that contained patients’ protected health information.

St. Anthony Regional Hospital said it is still reviewing the affected files to determine the patients and data involved but has confirmed that the breached information is likely to include names, addresses, dates of birth, Social Security numbers, financial information, and medical information such as diagnosis and treatment information. Notification letters will be mailed to the affected individuals when the investigation is concluded. St. Anthony Regional Hospital is unaware of any misuse of the affected information; however, patients have been advised to remain vigilant against incidents of identity theft and fraud by reviewing their account statements, credit reports, and explanation of benefits statements.

The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. The total will be updated when the file review has been completed.


Wichita County and Parkland Health Suffer Data Breaches

Wichita County in Texas experienced a cyberattack in May 2024 that exposed the sensitive data of 47,784 individuals, most of whom are residents of Wichita County. According to County officials, the incident was detected on May 7, 2024, when network disruption was experienced. Immediate action was taken to secure its network and prevent further unauthorized access, and independent forensics experts were engaged to investigate the security breach.

Experts were engaged to conduct a data review to determine the types of data that may have been acquired in the incident, and the review was completed on September 3, 2024. Contact information was then verified to allow the notification letters to be sent. That process was completed on October 2, 2024, and notifications were mailed to the affected individuals on October 22, 2024.

The types of data involved varied from individual to individual and may have included name along with one or more of the following: date of birth, Social Security number, driver’s license number, other government ID, passport number, financial account information, health insurance information and medical information related to the treatment of mental or physical health conditions.

Complimentary credit monitoring and identity theft protection services have been made available to the affected individuals for 2 years. The Medusa ransomware group appears to have been responsible for the attack, although that has not been confirmed by Wichita County officials.

Parkland Health Investigating Cyberattack and Data Breach

Parkland Health, the community public health system for Dallas County in Texas which includes Parkland Memorial Hospital in Dallas, has experienced a cyberattack involving unauthorized access to the protected health information of 6,523 patients. In an October 22 notice to the Texas Attorney General, Parkland Health confirmed that the breach included names, dates of birth, and medical information.

No other details about the breach are known at this stage. Parkland Health said it is still investigating the cyberattack and will release further information when the investigation is concluded. Individual notifications have been mailed to the affected individuals.


38,000 Individuals Affected by Center for Urban Community Services Cyberattack

Security breaches have been reported by the Center for Urban Community Services in New York, Riverview Health in Indiana, and Smile Design Management in Florida.

The Center for Urban Community Services, New York

The Center for Urban Community Services, a New York social services organization, has notified 38,000 individuals about a network intrusion that occurred between September 4, 2023, and September 9, 2023. The intrusion was detected on September 9, 2023, and an investigation was launched, but data acquisition was not confirmed at the time. Center for Urban Community Services has now confirmed sensitive data was exfiltrated in the incident. The types of information involved varied from individual to individual and may have included names, addresses, telephone numbers, dates of birth, Social Security numbers, benefit identification numbers, health information, and prescription information. The Center for Urban Community Services is unaware of any misuse of the affected information.

Riverview Health, Indiana

Riverview Health in Noblesville, IN has discovered unauthorized access to an employee’s email account. An unidentified third party had access to the account for less than an hour on August 23, 2024, before the intrusion was detected by its security software and access to the account was blocked. The investigation confirmed that a single email account had been compromised after an employee was tricked by a social engineering scam. The window of opportunity for viewing and copying sensitive information in the account was short but it is possible that electronic files in the account may have been compromised. The files were reviewed and confirmed to contain patients’ protected health information such as name, sex, date of birth, medical record number, admission date(s), and medical information such as diagnosis.

Since Social Security numbers, financial information, bank account numbers, and health insurance information were not compromised, Riverview Health believes the risk of misuse of patient data is low. Riverview Health is reviewing its policies around phishing and social engineering and is evaluating methods and procedures for improving electronic access controls. Notification letters were mailed to the affected individuals on October 24, 2024. The HHS’ Office for Civil Rights portal indicates that 1,562 individuals were affected.

Smile Design Management, Florida

Smile Design Management, a Tampa, FL-based operator of 50 dental care facilities in Florida, has discovered unauthorized access to files on its network. The breach was detected on February 22, 2024, when unusual network activity related to a third-party software solution was detected.

Third-party cybersecurity specialists were engaged to investigate the activity and confirmed unauthorized access to its network between February 22, 2024, and February 23, 2024. The review of the affected files was completed on August 15, 2024, and after verifying contact information, notification letters were sent to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. The substitute breach notice does not state the types of information compromised in the incident.

Smile Design Management said it has implemented additional technical safeguards to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights on October 10, 2024, as involving the protected health information of 500 individuals.
