
HIPAA Violation Cases: Types & Consequences

HIPAA violation cases are compliance investigations that result from a data breach being reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) or a privacy complaint being submitted to OCR via the complaints portal. When OCR identifies a violation of HIPAA, violation cases can be resolved in multiple ways.

OCR may choose to take no action if the HIPAA-regulated entity has identified and voluntarily corrected the HIPAA violation. If the HIPAA violation is not severe, OCR often chooses to provide technical assistance to help the regulated entity correct the violation. When there has been a serious violation of the HIPAA Rules or evidence is found suggesting widespread noncompliance, OCR may initiate a more extensive review. Serious violations are sometimes resolved with a financial penalty.

OCR will notify the regulated entity about the findings of the investigation and typically gives the regulated entity an opportunity to settle the alleged violations informally. These settlements involve a reduced financial penalty and generally include a corrective action plan (CAP) with specific measures the regulated entity must implement to ensure compliance with the HIPAA Rules. The regulated entity will then be monitored for compliance with the HIPAA Rules by OCR for a set period, typically 1-3 years.

If a regulated entity contests the findings and maintains that there was no wrongdoing, it has the opportunity to submit evidence to support a waiver of the proposed penalty. Should OCR determine that the evidence does not support a waiver, a civil monetary penalty is imposed without a CAP. The regulated entity can then request a hearing of its HIPAA violation case before an Administrative Law Judge; if that appeal is unsuccessful, the civil monetary penalty stands.

There are many different types of HIPAA violation cases. For example:

  • Failure to conduct a risk analysis
  • Failure to create and monitor logs of activity in information systems containing ePHI
  • Impermissible uses and disclosures of PHI
  • Failure to comply with individuals’ rights under HIPAA
  • Lack of Notice of Privacy Practices
  • Failure to provide HIPAA training to the workforce, and failure to apply sanctions to workforce members who violate policies
  • Failure to provide security awareness training to the workforce
  • Non-compliance with audit control standards
  • Failure to develop a contingency plan
  • Lack of physical or technical safeguards
  • Business Associate Agreement failures
  • Failure to comply with the General Provisions for Transactions

Detailed below is a summary of all HIPAA violation cases that have resulted in civil monetary penalties or settlements with OCR, including cases that have been pursued by OCR after potential HIPAA violations were discovered during data breach investigations and investigations of complaints.


OCR has increased its enforcement activities in recent years. OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties imposed. In 2016, 12 entities agreed to settle their compliance investigations and pay a financial penalty, with one case seeing a civil monetary penalty imposed. The following three years saw similar numbers of financial penalties; however, there was another major increase in HIPAA fines in 2020 when 19 HIPAA violation cases were settled with OCR. In 2022, OCR resolved 22 HIPAA violation cases with financial penalties, and OCR Director Melanie Fontes Rainer announced that OCR closed 22 investigations with penalties in 2024, although six of those were not announced until January 2025.

The 2020 increase is largely due to OCR’s HIPAA Right of Access enforcement initiative, which was launched in late 2019. Since then, OCR has been cracking down on entities that have failed to provide individuals with timely access to their medical records. As of December 2024, OCR has settled or imposed civil monetary penalties in 51 HIPAA violation cases under this compliance initiative.

In 2024, OCR announced a new enforcement initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule. Risk analysis failures are among the most commonly identified HIPAA violations. In OCR’s last round of HIPAA audits in 2016 and 2017, most audited entities were not fully compliant with this Security Rule provision: they had either failed to conduct a HIPAA-compliant risk analysis, had not conducted one frequently enough, or had produced risk analyses that were not comprehensive and/or accurate. Since risk analysis is the main focus of OCR when investigating hacking-related data breaches, the initiative should not only improve compliance with this vital Security Rule requirement but also accelerate data breach investigations, allowing OCR to clear its backlog of investigations more rapidly.

By increasing its enforcement activity, OCR is sending a message to all covered entities, large and small, that violations of HIPAA Rules will not be tolerated. OCR also announced in 2024 that the HIPAA compliance audit program will be recommencing imminently.

What are the Consequences of Violating HIPAA?

The consequences of violating HIPAA can be significant, and it is important to note that fines for a HIPAA violation can be imposed by the HHS’ Office for Civil Rights (OCR) even if no breach of PHI has occurred. The financial consequences of violating HIPAA depend on the level of negligence, the severity of the violation, the number of individuals affected and the risk posed by the violation, the length of time the violation has persisted, the financial position of the regulated entity, and, in the case of a security breach, whether the entity had recognized security practices in place continuously for the 12 months prior to the security incident.

  • A violation of HIPAA attributable to ignorance of the HIPAA Rules can attract a fine of $141 – $35,581.
  • A violation that occurred despite reasonable vigilance can attract a fine of $1,424 – $71,162.
  • A violation due to willful neglect, which is corrected within thirty days, will attract a fine of between $14,232 and $71,162.
  • A violation due to willful neglect, which is not corrected within thirty days, will attract a fine of between $71,162 and $2,134,831.

The maximum financial penalty, for willful neglect of the HIPAA Rules, is $2,134,831 per violation category, per year. The above penalties were implemented as demanded by the HITECH Act of 2009 and are increased annually in line with inflation.

The last update to the HIPAA violation penalty amounts applies to cases assessed on or after August 8, 2024, as detailed in the table below:

Penalty Tier   Level of Culpability                        Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Penalty Limit
Tier 1         Reasonable Efforts                          $141                            $71,162                         $2,134,831
Tier 2         Lack of Oversight                           $1,424                          $71,162                         $2,134,831
Tier 3         Neglect – Rectified within 30 days          $14,232                         $71,162                         $2,134,831
Tier 4         Neglect – Not rectified within 30 days      $71,162                         $2,134,831                      $2,134,831

In April 2019, OCR reexamined the language of the HITECH Act, determined that it had been misinterpreted, and issued a Notice of Enforcement Discretion stating that the maximum annual penalties in three of the four penalty tiers would be changed. Under the Notice of Enforcement Discretion, the maximum annual penalty is capped at $25,000 for Tier 1, $100,000 for Tier 2, and $250,000 for Tier 3, each subject to annual inflation increases. Taking this into account, the figures OCR is currently working with are detailed in the table below; they apply until the next inflation adjustment is published.

The Notice of Enforcement Discretion only applied a new annual penalty cap in three of the four penalty tiers. It did not change the maximum penalty per violation. For Tier 1, the inflation-adjusted per-violation maximum ($71,162) is higher than the annual cap ($35,581), so the annual cap is effectively the maximum penalty for a single Tier 1 violation, which is why the table below shows $35,581 in both columns.

Penalty Tier   Level of Culpability                              Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Penalty Cap
Tier 1         Lack of Knowledge                                 $141                            $35,581                         $35,581
Tier 2         Reasonable Cause                                  $1,424                          $71,162                         $142,355
Tier 3         Willful Neglect (corrected within 30 days)        $14,232                         $71,162                         $355,808
Tier 4         Willful Neglect (not corrected within 30 days)    $71,162                         $2,134,831                      $2,134,831

*Table last updated on August 10, 2024.

The inflation multiplier for 2025 was set by the Office of Management and Budget (OMB) as 1.02598. OMB requires all federal agencies to adjust their CMPs by January 15, 2025; however, before the new penalty amounts are applied, each federal agency is required to publish a final rule in the Federal Register applying the multiplier to existing penalties. OCR has been slow to apply the updates in recent years and did not apply the 2024 update until August 8, 2024. Another increase is due to be applied on January 15, 2025, but will likely be applied much later.

State Attorneys General can also impose financial penalties on HIPAA-covered entities and business associates for violations of the HIPAA Rules. Alternatively, financial penalties can be imposed if a breach of ePHI violates state laws. Some states are active enforcers of HIPAA compliance, including California, Connecticut, Indiana, Massachusetts, New Jersey, and New York.

When state laws are violated, the individuals whose ePHI has been compromised may be able to take legal action against the breached entity if it can be proven that they have suffered harm due to the negligence of a covered entity or business associate; however, there is no private cause of action in HIPAA, so it is not possible to sue a HIPAA-regulated entity for a HIPAA violation.

Financial Penalties Imposed on Covered Entities and Business Associates by the HHS’ Office for Civil Rights

[Charts: OCR penalties for HIPAA violations 2009-2025; penalties for HIPAA violations 2008-2025; funds raised by OCR enforcement actions 2008-2025]

Listed below are all the OCR HIPAA violation cases that have resulted in a financial penalty. These cases include civil monetary penalties, where it has been established that HIPAA Rules have been violated, and settlements, where HIPAA violations have been alleged to have occurred but the covered entity or business associate has decided not to contest the case and has instead chosen to pay a financial penalty to resolve the potential HIPAA violations with no admission of liability.

HIPAA Violation Cases 2025

BST & Co. CPAs, LLP

BST & Co. CPAs, LLP, a public accounting, business advisory, and management consulting firm in New York, experienced a ransomware attack in December 2019 that involved unauthorized access to the protected health information of up to 170,000 individuals. The ransomware group gained access to the network after an employee responded to a phishing email. OCR investigated and determined that a comprehensive and accurate risk analysis had not been conducted to identify all risks and vulnerabilities to ePHI. The case was settled with a $175,000 financial penalty and a corrective action plan.

Syracuse ASC, doing business as Specialty Surgery Center of Central New York

Syracuse ASC, a single-location ambulatory surgery center in New York (Specialty Surgery Center of Central New York), experienced a ransomware attack in 2021. A threat actor had access to its network for two weeks before using ransomware to encrypt files. The protected health information of 24,891 individuals was potentially stolen. The ransomware attack was detected on March 31, 2021, yet notifications to the affected individuals and the HHS Secretary were not issued until October 14, 2021, well beyond the 60-day deadline that the Breach Notification Rule sets from the date of discovery. OCR investigated and determined that a risk analysis had never been conducted and that timely notifications were not issued, in violation of the HIPAA Security Rule and the HIPAA Breach Notification Rule. The case was settled with a $250,000 financial penalty.

Deer Oaks – The Behavioral Health Solution

Deer Oaks is a long-term care-focused behavioral healthcare provider that offers psychological and psychiatric services to residents of long-term care and assisted living facilities across the United States. OCR launched an investigation after receiving a complaint that patient data had been exposed online. The investigation confirmed that the discharge summaries of 35 patients had been exposed online from at least December 2021 until May 19, 2023. Deer Oaks also fell victim to a ransomware attack involving unauthorized access to the ePHI of 171,871 patients. OCR determined there had been an impermissible disclosure of ePHI and a failure to conduct a risk analysis. Deer Oaks agreed to pay a $225,000 financial penalty.

Comstar

Comstar LLC is a Massachusetts-based provider of billing, collection, and related services to non-profit and municipal emergency ambulance services. OCR investigated Comstar over a 2022 ransomware attack and data breach that affected 585,621 individuals. A ransomware group gained access to its network on March 19, 2022, and the breach was detected on March 26, 2022, when the ransomware was deployed. OCR’s investigation determined that Comstar had not conducted a comprehensive risk analysis to identify risks and vulnerabilities to electronic protected health information. The case was settled with a $75,000 financial penalty.

BayCare Health System

BayCare Health System, a Florida healthcare provider, was investigated over a complaint from an individual who alleged that her printed and electronic medical record had been accessed by an unknown third party after a visit to BayCare Health’s St. Joseph Hospital. OCR investigated and determined that BayCare Health had failed to implement policies and procedures for authorizing access to electronic protected health information in line with the minimum necessary standard, failed to implement security measures to manage risks to ePHI, and failed to regularly review records of information system activity. The case was settled, and BayCare Health paid an $800,000 financial penalty.

Vision Upright MRI

Vision Upright MRI is a small Californian medical imaging service provider. In December 2020, OCR initiated an investigation to assess its compliance with the HIPAA Rules. OCR determined that Vision Upright MRI had never conducted a HIPAA-compliant risk analysis to identify risks and vulnerabilities to ePHI, and had failed to inform HHS, the media, and the affected individuals about a security breach involving its Picture Archiving and Communication System (PACS) server. The server had been left unsecured and contained the ePHI of 21,778 patients. A settlement was agreed, and Vision Upright MRI agreed to pay $5,000 to resolve the alleged violations.

Comprehensive Neurology

Comprehensive Neurology is a small New York neurology practice. In December 2020, the practice fell victim to a ransomware attack in which hackers encrypted medical records and gained access to the electronic protected health information of 6,800 individuals. OCR investigated and determined that the practice had not conducted a comprehensive risk analysis to identify risks and vulnerabilities to ePHI. A settlement was reached, and Comprehensive Neurology agreed to pay a $25,000 financial penalty to resolve the alleged HIPAA Security Rule violation.

PIH Health

The California healthcare network PIH Health was investigated over a phishing attack between June 11 and June 21, 2019, in which a hacker gained access to 145 employee email accounts containing the electronic protected health information of 189,763 individuals. The exposed ePHI included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information. OCR determined there had been an impermissible disclosure of the ePHI of 189,763 individuals, a failure to conduct a HIPAA-compliant risk analysis, and three HIPAA Breach Notification Rule failures: no timely breach notice to OCR, no timely notice to the affected individuals, and no media notice about the data breach. The alleged violations were settled, and PIH Health paid a $600,000 financial penalty.

Guam Memorial Hospital Authority

Guam Memorial Hospital Authority, the operator of a public hospital in the U.S. territory of Guam, was investigated after a complaint was received about a December 2018 ransomware attack. While the first complaint was being investigated, a second complaint was received about unauthorized access to ePHI by employees after their employment had ended. The ransomware attack involved unauthorized access to the ePHI of up to 5,000 individuals, and OCR confirmed the second breach by former employees. OCR determined that a HIPAA-compliant risk analysis had not been conducted to identify risks and vulnerabilities to ePHI. OCR agreed to settle the alleged HIPAA violation, and Guam Memorial Hospital Authority agreed to pay a $25,000 financial penalty.

Northeast Radiology

Northeast Radiology, the operator of several medical imaging centers in New York and Connecticut, submitted a breach report to OCR in March 2020 involving unauthorized access to the protected health information of up to 298,532 individuals. Hackers had exploited a vulnerability in the Picture Archiving and Communication System (PACS) provided via its vendor Alliance HealthCare, and had access to the system between April 2019 and January 2020. OCR investigated and determined that there had been a failure to conduct a comprehensive and accurate risk analysis. The alleged violation was settled, and Northeast Radiology agreed to pay a $350,000 financial penalty. This was the 6th financial penalty to be imposed under OCR’s risk analysis enforcement initiative.

Health Fitness Corporation

Health Fitness Corporation, an Illinois business associate that provides wellness plans to clients, submitted multiple breach reports to OCR between October 15, 2018, and January 25, 2019, on behalf of clients affected by a data breach. A misconfigured server had exposed protected health information on the Internet, and the files had been indexed by search engines. The data was exposed online between August 2015 and July 2018. According to Health Fitness, fewer than 4,304 individuals were affected. OCR investigated and determined that a HIPAA-compliant risk analysis was not completed until January 19, 2024. A settlement was agreed that included a $227,816 financial penalty.

Oregon Health & Science University

Oregon Health & Science University was found to have failed to provide a personal representative with timely access to a patient’s full medical records. While some of the requested records were provided within a few days of the request being received, it took multiple requests, two interventions from OCR, and 16 months from the initial request for all of the requested records to be provided. OCR gave the university the opportunity to settle the case informally, but when a settlement could not be agreed, OCR imposed a civil monetary penalty of $200,000.

Warby Parker, Inc.

Warby Parker, Inc., a manufacturer and online retailer of prescription and non-prescription eyewear, was ordered to pay a civil monetary penalty of $1,500,000 to resolve alleged violations of the HIPAA Security Rule identified by OCR following an investigation of multiple data breaches. The first breach involved unauthorized access to the ePHI of 197,986 individuals between September 25, 2018, and November 30, 2018, after hackers compromised customer accounts in a credential stuffing attack on its website. Further breach reports were filed with OCR in September 2019, January 2020, April 2020, and June 2022, also resulting from credential stuffing attacks, although these subsequent attacks affected only 484 individuals. OCR determined that Warby Parker had failed to conduct a HIPAA-compliant risk analysis, had not sufficiently reduced risks and vulnerabilities to ePHI, and was not conducting regular reviews of logs of activity in information systems containing ePHI.

Northeast Surgical Group

Northeast Surgical Group, a Michigan-based provider of surgical services, experienced a ransomware attack in 2023 that resulted in unauthorized access to ePHI and the encryption of the ePHI of all 15,298 of its patients. OCR investigated and determined that Northeast Surgical Group had not conducted a comprehensive and accurate risk analysis to identify risks and vulnerabilities to all ePHI. This was OCR’s 4th enforcement action under its risk analysis enforcement initiative. The HIPAA violation case was settled with a $10,000 penalty.

South Broward Hospital District (Memorial Health System)

South Broward Hospital District, dba Memorial Health System in Florida, was investigated over a complaint from a patient who had not been provided with a copy of an EEG tracing despite making one mailed request and three requests via the patient portal. The first request was made on December 30, 2020, but the EEG tracing was not provided until September 29, 2021, nine months later. OCR determined that this was a violation of the HIPAA Right of Access. Memorial Health System disagreed with the determination, as a copy of the EEG tracing had been provided to the patient on a previous occasion, but settled the case to avoid the time and cost of litigation and paid a $60,000 penalty.

Solara Medical Supplies

Solara Medical Supplies, a supplier of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes, fell victim to a phishing attack in which a threat actor gained access to the email accounts of eight employees between April 2019 and June 2019. The email accounts contained the ePHI of 114,007 individuals. When notification letters were issued, 1,531 letters were sent to incorrect addresses, resulting in a second impermissible disclosure of patients’ demographic information. OCR identified multiple violations of the HIPAA Security Rule and Breach Notification Rule: the failure to conduct a HIPAA-compliant risk analysis, the failure to manage risks and reduce them to an acceptable level, the impermissible disclosure of the ePHI of 114,007 patients in the first breach and 1,531 in the second, and the failure to issue timely notifications to OCR, the media, and the affected individuals. Solara settled the alleged violations and paid a $3,000,000 financial penalty.

USR Holdings

USR Holdings, a holding company that owns and manages primary mental health and substance abuse treatment facilities in Florida, Maryland, and Kentucky, discovered between December 8, 2018, and January 9, 2019, there had been unauthorized access to a database containing ePHI from August 23, 2018, to December 8, 2018. Unauthorized individuals were able to access the ePHI of 2,903 individuals and delete data.

OCR investigated and determined that USR Holdings had failed to conduct a HIPAA-compliant risk analysis, had not implemented procedures for reviewing records of information system activity, had not established and implemented procedures for creating and maintaining retrievable exact copies of ePHI, and had permitted impermissible access to and deletion of ePHI. USR Holdings settled the alleged violations and paid a $337,750 penalty.

Virtual Private Network Solutions

Virtual Private Network Solutions, a Virginia-based provider of data hosting and cloud services, experienced a ransomware attack on October 31, 2021, that resulted in unauthorized access to the ePHI of at least 23,868 individuals. OCR investigated and determined that Virtual Private Network Solutions had failed to conduct a comprehensive and accurate risk analysis to identify all risks and vulnerabilities to ePHI. This was the third financial penalty to be imposed under OCR’s risk analysis enforcement initiative. The HIPAA violation case was settled for $90,000.

Elgon Information Systems

Elgon Information Systems, a Massachusetts-based provider of electronic medical records and billing support services, experienced a ransomware attack on March 31, 2023. The investigation revealed that the ransomware group first accessed its systems on March 25, 2023, via open ports on its firewall, and was able to access the ePHI of 31,248 individuals. OCR investigated and determined that Elgon Information Systems had failed to conduct a comprehensive and accurate risk analysis to identify all risks and vulnerabilities to ePHI. The HIPAA violation case was settled, and Elgon Information Systems paid an $80,000 penalty. This was the second HIPAA violation case to result in a financial penalty under OCR’s risk analysis enforcement initiative.

HIPAA Violation Cases 2024

OCR confirmed that 22 HIPAA violation cases were closed in 2024 with civil monetary penalties or settlements; however, OCR only announced 16 of those enforcement actions in 2024, with the remainder announced in January 2025. The enforcement actions announced in 2024 were:

Inmediata Health Group

In 2018, OCR learned that ePHI provided to Inmediata, a healthcare clearinghouse, could be accessed by anyone via the Internet without authentication. Inmediata’s investigation confirmed that the ePHI of 1,565,338 individuals had been exposed online from May 2016 to January 2019, including names, birth dates, Social Security numbers, health information, and claims information. OCR determined that Inmediata had not conducted an accurate and thorough risk analysis, was not monitoring activity in information systems containing ePHI, and had impermissibly disclosed ePHI. The case was settled for $250,000. There was no corrective action plan, as Inmediata had already implemented measures under a 2023 multi-state settlement with 32 states and Puerto Rico; that multi-state action included a $1.4 million penalty.

Children’s Hospital Colorado Health System

On July 11, 2017, and between April 6, 2020, and April 13, 2020, Children’s Hospital Colorado Health System, a not-for-profit provider of healthcare services for children and young people, fell victim to phishing attacks that involved unauthorized access to ePHI. OCR investigated and determined that there had been an impermissible disclosure of the ePHI of 10,840 patients. The investigation also revealed that Children’s Hospital Colorado had failed to provide HIPAA Privacy Rule training to 6,666 members of the workforce, including 3,495 nursing students, and that a HIPAA-compliant risk analysis had not been conducted until February 5, 2021. OCR imposed a civil monetary penalty of $548,265 to resolve the alleged HIPAA Privacy and Security Rule violations.

Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute

On February 19, 2019, the Florida-based pain management practice Gulf Coast Pain Consultants discovered that a former contractor had accessed patients’ medical records without authorization on three occasions after it had stopped providing services. The electronic protected health information of 34,310 patients was accessed without authorization. OCR investigated and identified failures to comply with four provisions of the HIPAA Security Rule: a risk analysis had not been conducted, logs of activity in information systems were not being reviewed, the access rights of departing workforce members were not promptly terminated, and there were no policies and procedures for modifying workforce members’ access rights. OCR imposed a civil monetary penalty of $1,190,000 to resolve the alleged violations.

Holy Redeemer Family Medicine

OCR received a complaint from a patient of Holy Redeemer Family Medicine, a Pennsylvania healthcare provider, about an impermissible disclosure of her medical records, including her reproductive healthcare records, to a prospective employer. The patient had authorized disclosure of a single test result unrelated to her reproductive health; however, Holy Redeemer sent the prospective employer the patient’s full records, which included her surgical history, obstetric history, gynecological history, and other sensitive reproductive health information. OCR determined that the disclosure violated the HIPAA Privacy Rule. The case was settled for $35,581.

Rio Hondo Community Mental Health Center

OCR received a complaint from a patient of Rio Hondo Community Mental Health Center, a directly operated outpatient program of the County of Los Angeles Department of Mental Health, that she had not been provided with a copy of her medical records five months after making a request, despite several phone calls and a visit to the center. OCR investigated, and the records were provided to the patient seven months after the initial request, a period that included two months under the state governor’s COVID-19 stay-at-home order when the clinic was unstaffed. The clinic failed to respond to an offer to informally settle the alleged HIPAA Right of Access violation, and OCR imposed a $100,000 civil monetary penalty.

Bryan County Ambulance Authority

Bryan County Ambulance Authority, an Oklahoma emergency medical service provider, suffered a ransomware attack on November 24, 2021, that resulted in the encryption of files on its network. The encrypted files contained the ePHI of 14,273 patients. OCR investigated and determined that Bryan County Ambulance Authority had never conducted a risk analysis to identify potential risks and vulnerabilities to ePHI. This was the first enforcement action under OCR’s risk analysis enforcement initiative. The alleged violation was settled for $90,000.

Gums Dental Care

Gums Dental Care, a Maryland dental practice, was investigated by OCR after a complaint was received from a patient who had not been provided with a copy of her or her children’s medical records. The practice claimed that the complainant would not pay a $25 administrative fee for mailing the records by certified mail and that the request had been denied because the practice believed she would use the information to commit insurance fraud. OCR stated that the fee was not appropriate, since the patient had requested the records be sent by email, and that a belief that the information would be used for fraud is not a valid reason to deny a Right of Access request under the HIPAA Privacy Rule. A civil monetary penalty of $70,000 was imposed for failing to provide timely access to medical records, in violation of the HIPAA Right of Access.

Providence Medical Institute

Providence Medical Institute, a California healthcare provider, was investigated by OCR after reporting a data breach that occurred between February and March 2018 as a result of a ransomware attack. The protected health information of 85,000 individuals was involved. OCR determined that servers containing ePHI had been encrypted on three separate occasions and identified potential violations of two HIPAA Security Rule provisions: the failure to restrict access to ePHI to authorized persons and software programs only, and the lack of a business associate agreement. OCR imposed a civil monetary penalty of $240,000 to resolve the alleged violations.

Cascade Eye and Skin Centers

Cascade Eye and Skin Centers, a healthcare provider in Washington state, was investigated by OCR over a ransomware attack in 2017 in which the hackers gained access to approximately 291,000 files containing patient data. The OCR investigation determined that there had been a failure to conduct a comprehensive and accurate risk analysis and that reviews of activity in information systems containing ePHI were insufficient. The investigation was settled, and a penalty of $250,000 was paid to resolve the alleged HIPAA violations.

American Medical Response

American Medical Response is a Greenwood Village, CO-based private ambulance company. On October 31, 2018, a patient requested a copy of her medical records, which should have been provided by November 30, 2018. Despite sending multiple requests for those records, they were not provided. A complaint was filed with OCR, and the records were finally provided on November 5, 2019, 370 days after the initial request was submitted. OCR determined that there had been a violation of the HIPAA Right of Access and provided American Medical Response with the opportunity to settle; however, American Medical Response chose not to, resulting in a civil monetary penalty being imposed for $115,200 to resolve the HIPAA violation. Read More…

Heritage Valley Health System

Heritage Valley Health System is a 3-hospital health system with more than 50 physician offices and many community satellite facilities in Pennsylvania, eastern Ohio, and West Virginia. In 2017, Heritage Valley fell victim to a NotPetya ransomware attack that prevented access to its Windows devices. OCR investigated to establish whether Heritage Valley was compliant with the HIPAA Security Rule and found three areas of non-compliance: Heritage Valley had not conducted a comprehensive risk analysis to identify risks and vulnerabilities to electronic protected health information; there was no contingency plan for responding to an emergency; and there were no technical policies and procedures for restricting access to systems containing ePHI. OCR agreed to settle the alleged violations for $950,000. Read More…

Essex Residential Care (Hackensack Meridian Health, West Caldwell Care Center)

Essex Residential Care, LLC, which does business as Hackensack Meridian Health and operates the skilled nursing facility West Caldwell Care Center in New Jersey, was found to have failed to provide a son with timely access to the medical records of his mother when the son was the personal representative of his mother. It took 161 days from the initial request for the records to be provided. OCR investigated and notified West Caldwell Care Center of its intention to impose a financial penalty, but West Caldwell Care Center disagreed with OCR’s determination. West Caldwell Care Center accepted that the records were not provided within 30 days, but submitted evidence of mitigating factors; however, they were rejected by OCR, which imposed a civil monetary penalty of $100,000. Read More…

Phoenix Healthcare

Phoenix Healthcare, an Oklahoma multi-facility organization that provides nursing care, was found to have failed to provide a daughter with timely access to her mother’s medical records when the daughter was the personal representative of her mother. The requested records were provided 323 days after the initial request was made. OCR proposed a $250,000 financial penalty; however, the proposed fine was contested, and a hearing was requested with an Administrative Law Judge (ALJ). The ALJ upheld OCR’s determination but reduced the financial penalty to $70,000. The fine was appealed, but the Departmental Appeals Board did not reduce the fine. OCR then proposed a $35,000 settlement, on the basis that the penalty was not further contested. Read More…

Green Ridge Behavioral Health

Green Ridge Behavioral Health is a Gaithersburg, MD-based provider of psychiatric evaluations, medication management, and psychotherapy that experienced a ransomware attack in which the protected health information of 14,000 individuals was exposed. OCR investigated and identified multiple potential violations of the HIPAA Privacy and Security Rules. Green Ridge Behavioral Health was determined to have failed to conduct an accurate risk analysis, failed to reduce risks to ePHI, did not have policies and procedures for reviewing records of information system activity, and there was an impermissible disclosure of the PHI of more than 14,000 patients. Green Ridge Behavioral Health settled the alleged violations with no admission of wrongdoing and paid a $40,000 penalty. Read More…

Montefiore Medical Center

Montefiore Medical Center is a non-profit hospital system based in New York City. In May 2015, the New York Police Department notified the medical center about the theft of patient data. The medical center’s investigation confirmed that an employee had accessed and stolen the data of 12,517 patients. The employee sold the data to an identity theft ring. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; failed to implement procedures to review records of activity in information systems, and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems. Montefiore Medical Center settled the investigation and paid a $4,750,000 penalty. Read More…

HIPAA Violation Cases 2023

Optum Medical Care of New Jersey

Optum Medical Care of New Jersey is a private multi-specialty physician group with approximately 150 locations in New Jersey and Southern Connecticut. In the fall of 2021, OCR received complaints from 6 individuals who claimed not to have been provided with a copy of their requested records in a timely manner. OCR investigated and discovered the patients had not been provided with their records within the time frame permitted by the HIPAA Privacy Rule. The patients had to wait between 84 days and 231 days to receive their requested records. OCR determined this was a violation of the HIPAA Right of Access. The case was settled for $160,000. Read More…

Lafourche Medical Group

Lafourche Medical Group, a Louisiana-based medical group specializing in emergency medicine, occupational medicine, and laboratory testing, experienced a phishing attack that exposed the PHI of 34,862 individuals. OCR investigated and found that a security risk analysis had not been conducted prior to the phishing attack in 2021, and there were no procedures to regularly review logs of system activity prior to the attack. OCR settled the alleged HIPAA violations for $480,000. Read More…

St. Joseph’s Medical Center

St. Joseph’s Medical Center is a non-profit academic medical center in New York. OCR launched an investigation after seeing a media article about the medical center’s response to the COVID-19 public health emergency. The article included images and information about three of the medical center’s patients. The medical center had allowed an Associated Press reporter to have access to the patients and their clinical information without first obtaining authorization from the patients. The disclosures were a violation of the HIPAA Privacy Rule. The case was settled for $80,000. Read More…

Doctors’ Management Services

Doctors’ Management Services (DMS) is a Massachusetts-based medical management company whose services include medical billing and payor credentialing. DMS suffered a GandCrab ransomware attack in December 2018. The forensic investigation confirmed that the attackers first gained access to its network on April 1, 2017. OCR investigated and identified multiple violations of the HIPAA Rules, including a failure to conduct an accurate risk analysis, a failure to review records of system activity, a failure to implement reasonable and appropriate policies/procedures to comply with the HIPAA Security Rule, and an impermissible disclosure of the PHI of 206,695 individuals. The case was settled for $100,000. Read more…

L.A. Care Health Plan

Local Initiative Health Authority for Los Angeles County, operating and doing business as L.A. Care Health Plan, is an independent local public agency that provides health coverage to low-income Los Angeles County residents. OCR conducted two investigations, one of a large breach and another of a separate data breach reported by the media, and found multiple violations of the HIPAA Security Rule: the lack of a comprehensive risk analysis, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, and the impermissible disclosure of the ePHI of 1,498 individuals. The case was settled for $1,300,000. Read More…

UnitedHealthcare

UnitedHealthcare is a health insurer that is part of Minnetonka, MN-based UnitedHealthcare Group. OCR received a complaint on March 25, 2021, from a patient who claimed not to have been provided with their requested medical records. OCR notified UnitedHealthcare about the complaint, and the failure to provide the records was attributed to an employee error. OCR determined there had been a HIPAA Right of Access failure, and UnitedHealthcare was fined $80,000. Read More…

iHealth Solutions, dba Advantum Health

iHealth Solutions is a Louisville, Kentucky-based HIPAA business associate that provides management services to healthcare practices. In 2017, a server was left unsecured, allowing an unauthorized individual to steal files that contained the ePHI of 267 individuals. OCR determined there had been a failure to conduct an accurate and thorough risk analysis and an impermissible disclosure of ePHI. The case was settled for $75,000. Read More…

Yakima Valley Memorial Hospital

Yakima Valley Memorial Hospital is a 222-bed non-profit community hospital in Washington State. OCR investigated a report of snooping on 419 medical records by 23 security guards in the emergency department. OCR determined the hospital had failed to implement appropriate policies and procedures to ensure compliance with the HIPAA Rules. The case was settled with OCR for $240,000. Read More…

Manasa Health Center, LLC

Manasa Health Center, LLC, is a New Jersey-based provider of psychiatric services for adults and children. OCR received a complaint in April 2020 about impermissible disclosures of PHI in response to negative Google Reviews. OCR investigated and found there had been impermissible disclosures of the PHI of four patients in response to negative reviews, a lack of policies and procedures related to online disclosures, and a failure to issue breach notification letters to those individuals. The case was settled for $30,000.

MedEvolve Inc.

The Luxottica Group PIVA-owned vision insurance company, EyeMed Vision Care, experienced a data breach in June 2020 involving the protected health information (PHI) of 230,572 individuals. An FTP server had been left exposed on the Internet. OCR’s investigators identified a risk analysis failure, a lack of a business associate agreement with a subcontractor, and an impermissible disclosure of the PHI of 230,572 individuals. The case was settled for $350,000. Read More…

David Mente, MA, LPC

The Pittsburgh, PA-based counselor and therapist, David Mente, was found not to have provided a father with a copy of his minor children’s health records. OCR provided technical assistance, but the records were still not provided as requested. OCR determined that the delay in providing the records constituted a violation of the HIPAA Right of Access. The case was settled for $15,000. Read More…

Banner Health

The Phoenix, Arizona-based non-profit health system, Banner Health, experienced a hacking incident that resulted in the impermissible disclosure of the PHI of 2.81 million individuals in 2016. OCR’s investigators identified a risk analysis failure, a lack of reviews of system activity, a failure to verify identity for access to PHI, and insufficient technical safeguards. The case was settled for $1,250,000. Read More…

Life Hope Labs, LLC

Life Hope Labs, LLC, in Sandy Springs, Georgia, failed to provide an individual with the medical records of her deceased father in a timely manner. It took 225 days from the initial request for the records to be provided. The diagnostic laboratory settled the case with OCR and paid a $16,500 financial penalty. Read More…

HIPAA Violation Cases 2022

Health Specialists of Central Florida Inc.

Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc., was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased father’s medical records. It took multiple requests and almost 5 months for all of the requested medical records to be provided. Health Specialists of Central Florida Inc. settled the case with OCR and paid a $20,000 penalty. Read More…

New Vision Dental

The California general dental practice, New Vision Dental, was investigated by OCR following reports about impermissible disclosures of patients’ protected health information on the review platform Yelp. OCR found that the owner of the practice had responded to several reviews and disclosed ePHI, even disclosing the names of patients in the responses who had chosen to post reviews anonymously. The disclosed information included details of patients’ visits, treatment, and insurance. OCR also found the Notice of Privacy Practices to be inadequate. The case was settled with OCR, and a $23,000 financial penalty was imposed. Read More…

Great Expressions Dental Center of Georgia, P.C.

Great Expressions Dental Center of Georgia, P.C. was investigated by OCR in response to a complaint from a patient that she would be charged a fee of $170 for her medical records. OCR determined this fee to be unreasonable and that there had been a 15-month delay in providing the patient with the requested records. The practice settled the case with OCR for $80,000. Read More…

Family Dental Care, P.C.

Family Dental Care, P.C. in Chicago, Illinois, was investigated in response to a complaint from a patient who had only been provided with a partial copy of her requested medical records. It took 5 months from the initial request for the complete set of medical records to be provided. The case was settled with OCR for $30,000. Read More…

B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental

Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor child’s medical records, despite submitting multiple requests to the practice. It took 8 months from the date of the first request for the records to be provided. A settlement was agreed upon with OCR that included a $25,000 penalty. Read More…

New England Dermatology and Laser Center

New England Dermatology and Laser Center in Massachusetts disposed of empty specimen containers in regular dumpsters between February 4, 2011, and March 31, 2021. The containers had labels that included the PHI of patients. The PHI of 58,106 patients was improperly disposed of during that timeframe. The case was settled with OCR for $300,640. Read More…

ACPM Podiatry

ACPM Podiatry in Illinois did not provide a former patient with his requested records, and despite the intervention of OCR, the patient was still not provided with the requested records due to the non-payment of a bill by the insurance company. OCR imposed a civil monetary penalty of $100,000. Read More…

Memorial Hermann Health System

Memorial Hermann Health System in Texas received five requests from a patient for complete records to be provided between June 2019 and January 2020. It took 564 days from the initial request for all of the records to be provided to the patient. OCR settled the case for $240,000. Read More…

Southwest Surgical Associates

Southwest Surgical Associates in Texas took 13 months to provide a patient with all of the requested records between February 11, 2020, and March 5, 2021. OCR settled the case for $65,000. Read More…

Hillcrest Nursing and Rehabilitation

Hillcrest Nursing and Rehabilitation in Massachusetts received a request from a parent for her son’s medical records on March 22, 2020, but the records were not provided until October 10, 2020. OCR settled the case for $55,000. Read More…

MelroseWakefield Healthcare

MelroseWakefield Healthcare in Massachusetts received a valid request from a personal representative of a patient on June 12, 2020, but it took until October 20, 2020, for the requested records to be provided due to an error regarding the legality of the durable power of attorney. OCR settled the case for $55,000. Read More…

Erie County Medical Center Corporation

Erie County Medical Center Corporation in Buffalo, NY, failed to provide a patient with timely access to his medical records. OCR settled the case for $50,000. Read More…

Fallbrook Family Health Center

Fallbrook Family Health Center in Nebraska failed to provide a patient with timely access to the requested medical records. OCR settled the case for $30,000. Read More…

Associated Retina Specialists

Associated Retina Specialists in New York took 5 months to provide a patient with the requested medical records. The records were provided within days of OCR intervening. OCR settled the case for $22,500. Read More…

Coastal Ear, Nose, and Throat

Coastal Ear, Nose, and Throat in Florida received a request from a patient for a copy of medical records on December 15, 2020, and again on January 8, 2021, but the records were not provided until May 20, 2021. OCR settled the case for $20,000. Read More…

Lawrence Bell, Jr., D.D.S.

Lawrence Bell, Jr., D.D.S., in Maryland failed to provide a patient with timely access to the requested medical records. OCR settled the case for $5,000. Read More…

Danbury Psychiatric Consultants

Danbury Psychiatric Consultants in Massachusetts received a request for medical records on March 24, 2020, but access to the records was refused due to an outstanding bill. The records were provided on September 14, 2020. OCR settled the case for $3,500. Read More…

Oklahoma State University – Center for Health Sciences

Oklahoma State University – Center for Health Sciences experienced a hacking incident that was reported to OCR in January 2018. The investigation revealed a failure to conduct an accurate risk analysis, noncompliance with the security incident response and reporting requirements of the HIPAA Security Rule, the failure to conduct an evaluation following changes that affected the security of ePHI, a lack of audit controls, breach notification delays, and the impermissible disclosure of the PHI of 279,865 individuals. The case was settled for $850,000. Read More…

Dr. Brockley

The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. After being notified by OCR about a proposed fine of $105,000, Dr. Brockley requested a hearing with an Administrative Law Judge, but settled out of court and agreed to a fine of $30,000. Read more…

Jacob & Associates

The California-based psychiatric medical services provider failed to provide a patient with timely access to the requested medical records and charged an unreasonable fee when the records were eventually provided. OCR also identified issues with the notice of privacy practices, and a HIPAA privacy officer had not been appointed. The case was settled, and a financial penalty of $28,000 was paid. Read more…

Northcutt Dental-Fairhope

The owner of the Fairhope, AL, dental practice impermissibly disclosed patients’ PHI to a campaign manager and a third-party marketing company in relation to a state senate election campaign. OCR also identified issues with the notice of privacy practices, and there was no HIPAA privacy officer. The case was settled for $62,500. Read more…

Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A.

The dental practice with offices in Charlotte and Monroe, NC, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review. The failure to cooperate with the investigation and respond to an administrative subpoena resulted in a civil monetary penalty of $50,000. Read more…

HIPAA Violation Cases 2021

Advanced Spine & Pain Management

Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $32,150. Read more…

Denver Retina Center

Denver Retina Center, a Denver, CO-based provider of ophthalmological services, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $30,000. Read more…

Dr. Robert Glaser

Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, failed to provide a patient with timely access to the requested medical records after repeated requests. Dr. Glaser did not cooperate with OCR during the investigation, resulting in OCR imposing a civil monetary penalty of $100,000 for the HIPAA Right of Access violation. Read more…

Rainrock Treatment Center LLC (dba Monte Nido Rainrock)

Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a Eugene, OR-based provider of residential eating disorder treatment services, failed to provide a patient with timely access to the requested medical records after repeated requests. The HIPAA Right of Access violation was settled with OCR for $160,000. Read more…

Wake Health Medical Group

Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $10,000. Read more…

Children’s Hospital & Medical Center

Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, received a request from a parent for access to her daughter’s medical records but only provided part of the requested information, despite repeated requests. CHMC settled the HIPAA Right of Access case with OCR and paid an $80,000 penalty. Read more…

The Diabetes, Endocrinology & Lipidology Center, Inc.

The Diabetes, Endocrinology & Lipidology Center, Inc., a West Virginia-based healthcare provider specializing in treating endocrine disorders, failed to provide a parent with a copy of her minor child’s protected health information within 30 days. The HIPAA Right of Access violation was settled with OCR for $5,000. Read more…

AEON Clinical Laboratories (Peachstate)

OCR investigated a breach reported by the Department of Veterans Affairs involving a business associate, Authentidate Holding Corporation. During the investigation, OCR discovered the business associate had acquired Peachstate, a CLIA-certified laboratory that provides clinical and genetic testing services. OCR investigated Peachstate and uncovered multiple potential violations of the HIPAA Security Rule. The case was settled with OCR for $25,000. Read more…

Village Plastic Surgery

Ridgewood, NJ-based Village Plastic Surgery failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $30,000. Read more…

Arbour Hospital

Arbour Hospital, a mental health clinic in Boston, MA, failed to provide a patient with the requested medical records within 30 days. OCR provided technical assistance, but received another complaint from the same patient that the records had still not been provided. The HIPAA Right of Access violation was settled with OCR for $65,000. Read more…

Sharp Healthcare

San Diego-based Sharp Healthcare, dba Sharp Rees-Stealy Medical Centers, failed to provide a patient’s medical records to a patient-specified third party for more than 2 months. OCR provided technical assistance and closed the case, but the records were still not provided. The HIPAA Right of Access violation was settled with OCR for $70,000. Read more…

Renown Health

Renown Health, a not-for-profit healthcare network in Northern Nevada, failed to provide a patient’s attorney with a copy of her medical and billing records within 30 days. The patient filed a complaint with OCR, and the records were eventually provided more than 10 months later. The HIPAA Right of Access violation was settled with OCR for $75,000. Read more…

Excellus Health Plan

In 2015, Excellus Health Plan reported a breach of the ePHI of 9,358,891 individuals. OCR investigated and uncovered multiple potential violations of the HIPAA Rules: a risk analysis failure, a risk management failure, a lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. The case was settled for $5,100,000. Read More…

Banner Health

Phoenix, AZ-based Banner Health is one of the largest healthcare systems in the United States. OCR received two complaints from patients in 2019 alleging they had to wait several months to receive a copy of their medical records. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $200,000. Read More…

HIPAA Violation Cases 2020

Premera Blue Cross

Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest. In 2015, Premera discovered there had been a breach of the ePHI of 10,466,692 individuals. OCR investigated and found multiple potential HIPAA violations, such as the failure to conduct a thorough risk analysis, risk management failures, and insufficient mechanisms to identify suspicious network activity. The case was settled for $6,850,000. Read More…

CHSPSC LLC

CHSPSC LLC is a Tennessee-based management company that provides services to affiliates of Community Health Systems. In 2014, hackers accessed its systems and stole the ePHI of 6,121,158 individuals. OCR investigated and found multiple violations of the HIPAA Rules, including a delayed response to a known security breach, risk analysis and risk management failures, and a lack of procedures to monitor information system activity logs. The case was settled for $2,300,000. Read More…

Athens Orthopedic Clinic PA

Athens Orthopedic Clinic PA in Georgia had its systems hacked in 2016. The hacker stole data, attempted to extort money, and leaked the ePHI of 208,557 patients online when payment was not received. OCR investigated the incident and discovered risk analysis and risk management failures, insufficient information system activity logging and monitoring, missing business associate agreements, and employees had not been provided with HIPAA Privacy Rule training. The case was settled for $1,500,000. Read More…

Peter Wrobel, M.D., P.C., dba Elite Primary Care

Elite Primary Care is a provider of primary health services in Georgia. OCR received a complaint from a patient who alleged he had been denied access to his medical records. OCR intervened and provided technical assistance on the HIPAA Right of Access, but received a second complaint when the practice continued to deny him access. The case was settled for $36,000. Read More…

University of Cincinnati Medical Center

A patient of the University of Cincinnati Medical Center filed a complaint with OCR after not being provided with her requested records more than 13 weeks after submitting a request. OCR intervened and provided technical assistance on the HIPAA Right of Access, but received a second complaint when the records had still not been provided. The case was settled for $65,000. Read More…

Dr. Rajendra Bhayani

OCR received a complaint from a patient of Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology, alleging he had not provided a patient with a copy of her medical records. OCR intervened and closed the case, but received a second complaint a year later, alleging the records had still not been provided. The case was settled for $15,000. Read More…

Riverside Psychiatric Medical Group

OCR received a complaint from a patient of California-based Riverside Psychiatric Medical Group in March 2019, alleging he had not been provided with a copy of his medical records. OCR intervened but received a second complaint a month later when the records had still not been provided. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $25,000. Read More…

City of New Haven, CT

The city of New Haven in Connecticut was investigated over an incident where a former employee accessed its systems after termination and copied a file containing the ePHI of 498 individuals. OCR determined that the failure to terminate access rights when employment had ended was in violation of the HIPAA Security Rule. OCR also determined there had been a risk analysis failure, a failure to implement Privacy Rule policies, and unique IDs had not been provided to all employees to track information system activity. The case was settled for $202,400. Read More…

Aetna

Aetna Life Insurance Company and the affiliated covered entity (Aetna) were investigated over three data breaches that exposed the ePHI of 18,489 individuals. OCR’s investigation revealed periodic technical and non-technical evaluations of operational changes affecting the security of their electronic PHI had not been performed, procedures had not been implemented to verify the identity of individuals accessing their ePHI, there was a lack of ePHI safeguards, and Aetna had violated the minimum necessary standard. The case was settled for $1,000,000. Read More…

NY Spine

OCR received a complaint from a patient of NY Spine, a private New York medical practice, who alleged she had not been provided with a copy of the diagnostic films she requested. OCR intervened and provided technical assistance, but it took 16 months for the records to be provided. The case was settled for $100,000. Read More…

Dignity Health, dba St. Joseph’s Hospital and Medical Center

OCR investigated a complaint from a mother who requested a copy of her son’s medical records from St. Joseph’s Hospital and Medical Center, but had not been provided with a complete set of the records. After OCR intervened, the records were provided, but it took 22 months from the initial date of the request. The case was settled for $160,000. Read More…

Housing Works, Inc.

Housing Works, Inc. is a New York City-based non-profit healthcare organization that provides healthcare, homeless services, and legal aid support for people affected by HIV/AIDS. OCR received a complaint from a patient who had not been provided with a copy of his medical records. OCR intervened and closed the case, but received a second complaint a month later when the records had still not been provided. The case was settled for $38,000. Read More…

All Inclusive Medical Services, Inc.

All Inclusive Medical Services, Inc. (AIMS) is a Carmichael, CA-based multi-specialty family medicine clinic. OCR received a complaint from a patient who alleged AIMS refused to give her a copy of her medical records. OCR determined this violated the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $15,000. Read More…

Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. OCR received a complaint from a patient alleging BILHBS had not provided a copy of her father’s medical records. OCR intervened, and the records were provided 8 months after the initial request. The case was settled for $70,000. Read More…

King MD

King MD is a small provider of psychiatric services in Virginia. OCR received a complaint from a patient who had not been provided with her medical records after a 2-month wait. OCR intervened and closed the case but received a second complaint two months later when the records had still not been provided. The case was settled for $3,500. Read More…

Wise Psychiatry, PC

Wise Psychiatry is a small provider of psychiatric services in Colorado. A mother requested a copy of her son’s medical records, but the records had not been provided three months after she submitted the request. OCR intervened and closed the case, but received a second complaint 6 months after the first, stating the records had still not been provided. The case was settled for $10,000. Read More…

Lifespan Health System Affiliated Covered Entity

Lifespan Health System Affiliated Covered Entity is a Rhode Island healthcare provider. OCR conducted an investigation into an incident involving a stolen laptop that contained the ePHI of 20,431 patients. OCR determined that the lack of encryption was in violation of the HIPAA Security Rule, there were insufficient device and media controls, and a business associate agreement had not been entered into with its parent company. The case was settled for $1,040,000. Read More…

Metropolitan Community Health Services dba Agape Health Services

Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center. Operating as Agape Health Services, the company experienced a breach of the ePHI of 1,263 patients. OCR investigated and identified longstanding, systemic noncompliance with the HIPAA Security Rule, including risk analysis and risk management failures, and the failure to provide security awareness training to employees. The case was settled for $25,000. Read More…

Steven A. Porter, M.D.

Steven A. Porter, M.D.’s gastroenterological practice in Ogden, UT reported a breach to OCR involving a medical record company that was blocking access to patients’ ePHI until a bill was paid. OCR investigated and found that the EHR company had been allowed access to ePHI without signing a business associate agreement, and that there had been risk analysis and risk management failures. The case was settled for $100,000. Read More…

HIPAA Violation Cases 2019

West Georgia Ambulance

OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR discovered a risk analysis failure, the lack of a security awareness training program, and a failure to implement HIPAA Security Rule policies and procedures. The case was settled for $65,000. Read More…

Bayfront Health St. Petersburg

Bayfront Health St. Petersburg was investigated following the receipt of a complaint from a patient on August 14, 2018. The patient had requested a copy of her child’s fetal heart monitor records, but 9 months after the request had been submitted, the records still had not been provided. A settlement of $85,000 was agreed upon with OCR to resolve the HIPAA violation. This was OCR’s first settlement under the 2019 HIPAA Right of Access enforcement initiative. Read More…

Korunda Medical, LLC

In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The investigation confirmed there had been a HIPAA Right of Access failure. A settlement of $85,000 was agreed upon to resolve the violation. Read More…

University of Rochester Medical Center

OCR launched an investigation of the University of Rochester Medical Center following receipt of two breach reports concerning lost/stolen portable devices containing ePHI – a flash drive and a laptop computer. Technical assistance had previously been provided by OCR, but devices had still not been encrypted. In addition, OCR determined there had been risk analysis failures, a risk management failure, and a lack of device and media controls. The case was settled for $3 million. Read More…

Sentara Hospitals

A patient submitted a complaint to OCR about an impermissible disclosure of PHI in a mailing. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. The OCR investigation determined that 577 patients had been affected, but Sentara Hospitals refused to update its breach notice to reflect the correct number of patients affected. OCR also discovered a business associate failure. The case was settled for $2.175 million. Read More…

Elite Dental Associates

A patient of Elite Dental Associates submitted a complaint to OCR stating her PHI had been disclosed by Elite Dental Associates in response to a review on Yelp. OCR investigated and discovered similar privacy violations had occurred when responding to patient reviews. The impermissible disclosures of PHI resulted in a $10,000 settlement. Read More…

Medical Informatics Engineering

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure, and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general and paid a penalty of $900,000. Read More…

Touchstone Medical Imaging

On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals. The OCR investigation revealed a lack of business associate agreements, insufficient access rights, a risk analysis failure, a failure to respond to a security incident, a breach notification failure, and a media notification failure. The case was settled for $3 million. Read More…

Texas Department of Aging and Disability Services

The Department of Health and Human Services’ Office for Civil Rights (OCR) imposed a $1.6 million civil monetary penalty (CMP) on the Texas Health and Human Services Commission (TX HHSC) for multiple violations of HIPAA Rules discovered during the investigation of an exposed internal application containing ePHI. OCR determined there had been a risk analysis failure, access control failure, information system activity monitoring failure, and an impermissible disclosure of 6,617 patients’ ePHI. Read More…

Jackson Health System

OCR imposed a $2.154 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS), for a slew of violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. OCR determined its compliance program had been in disarray for several years. Read More…

HIPAA Violation Cases 2018

Cottage Health – Exposure of ePHI Over the Internet

OCR agreed to settle multiple alleged HIPAA violations with Cottage Health for $3,000,000. In 2013 and 2015, protections on servers were accidentally removed, and files containing ePHI could be accessed over the internet without the need for a username or password. The ePHI of 62,500 patients was exposed. OCR discovered risk analysis failures, risk management failures, a failure to conduct technical and non-technical evaluations following environmental or operational changes, and the disclosure of ePHI to a contractor without first entering into a business associate agreement. Read More…

Pagosa Springs Medical Center – Failure to Terminate Employee Access

OCR fined Pagosa Springs Medical Center $111,400 for the failure to terminate a former employee’s access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients’ ePHI. The medical center had also failed to enter into a BAA with a business associate. Read More…

Advanced Care Hospitalists – Multiple Compliance Failures Resulting in Impermissible PHI Disclosure

An OCR investigation into an impermissible disclosure of 9,255 individuals’ PHI by Advanced Care Hospitalists, a business associate of a HIPAA-covered entity, revealed serious HIPAA compliance failures including a lack of a BAA, insufficient security measures to protect ePHI, and no documentation showing there had been any HIPAA compliance efforts prior to April 1, 2014. A settlement of $500,000 was agreed upon to resolve the alleged HIPAA violations. Read More…

Allergy Associates of Hartford – PHI Disclosure to Reporter

OCR investigated a complaint about an impermissible disclosure of a patient’s PHI to a reporter. OCR confirmed that PHI had been disclosed without authorization from the patient and that no sanctions had been applied to the physician responsible, even though the physician had been warned in advance not to disclose any PHI. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations. Read More…

Anthem Inc. – Multiple Compliance Failures Contributing to 78.8 Million Record Breach

An investigation into Anthem Inc.’s massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations. OCR determined there had been risk analysis failures, insufficient reviews of system activity, a failure to respond adequately to a detected breach, and insufficient technical controls to prevent unauthorized ePHI access. Anthem agreed to a record-breaking settlement of $16,000,000 to resolve the case. Read More…

Boston Medical Center – Filming Patients Without Consent

Boston Medical Center was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Boston Medical Center agreed to settle the alleged HIPAA violations with OCR for $100,000. Read More…

Brigham and Women’s Hospital – Filming Patients Without Consent

Brigham and Women’s Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Brigham and Women’s Hospital agreed to settle the alleged HIPAA violations with OCR for $384,000. Read More…

Massachusetts General Hospital – Filming Patients Without Consent

Massachusetts General Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Massachusetts General Hospital agreed to settle the alleged HIPAA violations with OCR for $515,000. Read More…

Filefax, Inc. – Failure to Protect Physical PHI

After the permanent closure of the company, paperwork containing former patients’ PHI was discarded by FileFax. The paperwork was taken by a member of the public who sold the material to a recycling facility. OCR determined there had been a failure to protect patient information, which resulted in an impermissible disclosure of 2,150 patient records. FileFax agreed to settle the alleged HIPAA violations for $100,000. Read More…

Fresenius Medical Care North America – Multiple Compliance Failures Contributing to 5 PHI Breaches

An investigation of five separate breaches at HIPAA-covered entities owned by Fresenius Medical Care North America revealed that multiple HIPAA violations had contributed to the breaches. OCR discovered risk analysis failures, a lack of policies covering electronic devices, a lack of encryption or alternative safeguards, insufficient security policies, and insufficient physical safeguards, resulting in an impermissible disclosure of 521 individuals’ PHI. Fresenius Medical Care North America settled the case for $3,500,000. Read More…

University of Texas MD Anderson Cancer Center – Impermissible Disclosures of PHI

OCR investigated three breaches involving the loss of a laptop computer and two unencrypted thumb drives containing patients’ PHI. OCR determined that there had been an impermissible disclosure of 34,883 patients’ ePHI due to a lack of encryption. The case was contested, but an administrative law judge ruled in favor of OCR. University of Texas MD Anderson Cancer Center was ordered to pay a civil monetary penalty of $4,348,000. Read More…

HIPAA Violation Cases 2017

Memorial Hermann Health System – Careless Handling of PHI

Memorial Hermann Health System (MHHS) agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights and has agreed to pay OCR $2,400,000. The settlement stems from an impermissible disclosure of PHI in a press release issued by MHHS in September 2015. Read More…

St. Luke’s-Roosevelt Hospital Center Inc. – Unauthorized Disclosure of PHI

The Department of Health and Human Services’ Office for Civil Rights announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. Read More…

The Center for Children’s Digestive Health – Lack of a Business Associate Agreement

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. The Center for Children’s Digestive Health (CCDH), a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois, has agreed to pay OCR $31,000 to resolve potential HIPAA violations. Read More…

CardioNet – Impermissible Disclosure of PHI

A $2.5 million settlement has been agreed upon with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Settlements have previously been agreed upon with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. Read More…

Metro Community Provider Network – Lack of Security Management Process

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. Read More…

Memorial Healthcare System – Insufficient ePHI Access Controls

OCR has announced that a $5.5 million settlement has been reached with Florida-based Memorial Healthcare Systems to resolve potential Privacy Rule and Security Rule violations. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance. Read More…

Children’s Medical Center of Dallas – Impermissible Disclosure of ePHI

The Department of Health and Human Services’ Office for Civil Rights has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. OCR attempted to resolve the matter via informal means between November 6, 2015, and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. Read More…

MAPFRE Life Insurance Company of Puerto Rico – Impermissible Disclosure of ePHI

The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department, from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers, and dates of birth. The device was not protected by a password, and data on the device was not encrypted. MAPFRE has agreed to a $2,200,000 settlement with OCR. Read More…

Presence Health – Delayed Breach Notifications

Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. Presence Health took three months to issue breach notifications when the Breach Notification Rule requires notifications to be sent within 60 days of the discovery of a breach. Read More…

HIPAA Violation Cases 2016

University of Massachusetts Amherst – Failure to Manage Security Risks

The Department of Health and Human Services’ Office for Civil Rights has agreed to a $650,000 settlement with the University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. Read More…

St. Joseph Health – Failure to Conduct Risk Analysis

St. Joseph Health exposed ePHI as a direct result of its failure to conduct a comprehensive risk analysis and a security assessment on a server prior to using it to share files containing ePHI. The server had been purchased, and a file-sharing application was installed, yet no changes were made to the application. The default security settings were left in place, which allowed any individual with an Internet connection to gain access to the ePHI in the files. St. Joseph Health has agreed to pay OCR $2,140,500. Read More…

Care New England Health System – Lack of a Business Associate Agreement

The Department of Health and Human Services’ Office for Civil Rights has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. Read More…

Advocate Health Care Network – Multiple HIPAA Violations

OCR has just announced it has agreed to the largest ever HIPAA settlement with a single covered entity. Advocate Health Care Network will pay a record $5.55 million to settle multiple potential violations of the Health Insurance Portability and Accountability Act. The previous record was the $3.5 million settlement with Triple S Management Corporation, agreed in November 2015. Read More…

University of Mississippi Medical Center – Multiple HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also agreed to adopt a corrective action plan (CAP) to bring privacy and security standards up to the level required by HIPAA. Read More…

Oregon Health & Science University – Lack of a Business Associate Agreement

Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services’ Office for Civil Rights stemming from two data breaches experienced in 2013. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability. The privacy breaches occurred shortly after each other in 2013. Within the space of three months, the protected health information of over 7,000 patients was exposed. Read More…

Catholic Health Care Services of the Archdiocese of Philadelphia – Failure to Safeguard ePHI

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle alleged HIPAA violations with OCR and implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS had not performed a comprehensive risk analysis since September 23, 2013, and had also failed to implement appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(B). Read More…

New York Presbyterian Hospital – Filming Patients without Authorization

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from patients. An ABC crew was permitted to film inside NYP facilities for the show “NY Med” featuring Dr. Mehmet Oz. A number of patients were filmed, but consent had not been obtained. Read More…

Raleigh Orthopaedic Clinic, P.A. of North Carolina – Lack of Business Associate Agreement

Raleigh Orthopaedic Clinic, P.A., of North Carolina, has settled alleged violations of HIPAA Rules with OCR. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. Read More…

Feinstein Institute for Medical Research – Impermissible Disclosure of PHI

The Department of Health and Human Services’ Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. This is the second-largest settlement amount agreed with OCR. The data breach investigation revealed a substandard security management process and a catalog of HIPAA Security Rule violations. Read More…

North Memorial Health Care of Minnesota – Lack of a Business Associate Agreement

The Department of Health and Human Services’ Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. Read More…

Complete P.T., Pool & Land Physical Therapy, Inc. – Impermissible Disclosure of PHI

Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. Read More…

Lincare, Inc. – Failure to Safeguard PHI

For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule, which were discovered during the investigation of a complaint about a breach of 278 patient records. Read More…

HIPAA Violation Cases 2015

University of Washington Medicine – Failure to Conduct Risk Analysis

The University of Washington Medicine has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013. Read More…

Triple S Management Corporation – Multiple HIPAA Violations

Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services’ Office for Civil Rights. Triple S was also required to pay a HIPAA violation penalty of $6.8 million to the Puerto Rico Health Insurance Administration for a failure to comply with the Health Insurance Portability and Accountability Act’s Privacy Rule last year, although the HIPAA violation fine was reduced to $1.5 million on appeal. Read More…

Lahey Hospital and Medical Center – Multiple HIPAA Violations

The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights over alleged HIPAA violations following a data breach that occurred in October 2011. Lahey Hospital and Medical Center agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to adopt the OCR’s corrective action plan to address HIPAA-compliance issues discovered by OCR investigators. Read More…

Cancer Care Group, P.C. – Failure to Conduct Risk Analysis

Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000 for potential HIPAA violations relating to a 2012 data breach. In August 2012, Cancer Care Group discovered a laptop computer and an unencrypted backup drive had been stolen from the vehicle of an employee. The data breach exposed the Protected Health Information of 55,000 patients. Read More…

St. Elizabeth’s Medical Center – Multiple HIPAA Violations

A HIPAA settlement of $218,400 has been reached with St. Elizabeth Medical Center (SEMC) for violations of HIPAA Privacy, Security, and Breach Notification Rules. The settlement for HIPAA violations was reached with SEMC for violations that led to a document sharing system data breach that exposed 498 records, and a data breach involving the theft of a flash drive containing unencrypted data of 595 patients. Read More…

Cornell Prescription Pharmacy – Improper Disposal of PHI

OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records. Cornell Pharmacy is a single-location healthcare provider that mostly serves hospice care organizations in Denver and provides compound medications. Read More…

HIPAA Violation Cases 2014

Anchorage Community Mental Health Services – Failure to Manage Risks to ePHI

Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization. In 2012, it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. Had software patches been installed on the computers, the malware would not have been able to infect the PCs. ACMHS has agreed to settle the case with OCR for $150,000.

Parkview Health System, Inc. – Failure to Safeguard PHI

Parkview Healthcare System has agreed to pay an $800,000 settlement for a violation of the HIPAA Privacy Rule. The incident for which the fine has been issued dates back to 2009, when a data security complaint was filed by a patient of one of its doctors. The doctor was retiring and was due to receive a delivery of 71 boxes of medical files containing up to 8,000 patient records; the delivery was made while he was out of the house, and the boxes were left on the doctor’s driveway. Read More…

New York and Presbyterian Hospital and Columbia University – Failure to Conduct Risk Analysis

The Office for Civil Rights has agreed to its largest-ever financial penalty for a violation of the Health Insurance Portability and Accountability Act’s Privacy and Security Rules. The data breach was caused when a computer server firewall was deactivated by a physician at Columbia University, leaving electronic PHI exposed and accessible via search engines. New York and Presbyterian Hospital (NYP) and Columbia University (CU) will jointly pay a penalty of $4,800,000. Read More…

QCA Health Plan, Inc., of Arkansas – Failure to Safeguard ePHI

QCA Health Plan, Inc. of Arkansas reported the theft of a laptop from a car that contained unencrypted data on 148 patients. OCR investigated the breach and discovered multiple violations of the HIPAA Privacy and Security Rules. QCA Health Plan has agreed to settle the HIPAA violations with OCR for $250,000. Read More…

Concentra Health Services – Failure to Safeguard ePHI

Following the report of the theft of a laptop from the Springfield, Missouri, Physical Therapy Center, Concentra Health Services was subjected to an investigation by the OCR. Documentation was uncovered that clearly showed that mobile devices were believed to represent a critical security risk, yet action was not taken to address this issue in time to prevent the data breach. Concentra has agreed to pay OCR $1,725,220 to resolve the case. Read More…

Skagit County, Washington – Failure to Safeguard ePHI

Skagit County, Washington, is paying the price for failing to implement the appropriate controls and safeguards to protect the data it held. Skagit County agreed to pay OCR $215,000 following the exposure of the data of seven individuals. The data were accessed by unknown third parties after ePHI was unwittingly transferred to a server accessible to the public. Read More…

HIPAA Violation Cases 2013

Adult & Pediatric Dermatology, P.C. – Failure to Safeguard ePHI

The Office for Civil Rights has issued a statement confirming that an agreement has been reached with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, following the accidental disclosure of the PHI of approximately 2,200 patients after a memory stick was stolen from the car of one of the center’s employees. A settlement of $150,000 has been reached with OCR. Read More…

Affinity Health Plan, Inc. – Failure to Permanently Erase ePHI

The Office for Civil Rights has announced that a settlement of $1,215,780 has been reached with Affinity Health Plan, Inc., to resolve potential HIPAA violations discovered during a breach investigation. A digital photocopier was returned to a leasing company, but the PHI stored on its hard drive had not been erased before the device was returned. Read More…

WellPoint – Failure to Safeguard ePHI

WellPoint is one of the largest providers of Affiliated Health Plans, with almost 36 million policyholders across the United States. Between October 23, 2009, and March 7, 2010, part of its database of policyholders was accessible to unauthorized individuals. A settlement of $1,700,000 has been agreed upon with OCR to resolve the HIPAA violations that contributed to the cause of the breach. Read More…

Shasta Regional Medical Center – Disclosure of PHI Without Patient Consent

An article published in the LA Times started a sequence of events that has now resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. PHI had been intentionally provided to the media on three separate occasions. Read More…

Idaho State University – Failure to Safeguard ePHI

Idaho State University’s Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing the medical records of 17,500 patients. The firewall was inactive for a period of 10 months, leaving the data exposed and potentially accessible to unauthorized third parties for an unacceptable period of time. A settlement of $400,000 was agreed upon with OCR to resolve the HIPAA violations. Read More…

FAQs

How many HIPAA violation cases are there each year?

The number of alleged HIPAA violation cases received each year by HHS’ Office for Civil Rights varies. The most recent data available shows that in 2021, the agency received 34,077 complaints relating to privacy violations and 64,180 breach notifications. In the majority of cases, the agency resolves complaints without the need for an investigation or finds no HIPAA violation exists. However, up to 500 cases per year result in a fine and/or corrective action being required.

It is important to note that these figures only represent the complaints and notifications received by HHS’ Office for Civil Rights. Complaints can also be made to individual Covered Entities and State Attorneys General, but there is no public record of these.

How are the penalties for HIPAA violations calculated?

The penalties for HIPAA violations are calculated on the “factors considered in determining a civil monetary penalty” plus the “such other matters as justice may require” clause in 45 CFR §160.408. Generally, there are four HIPAA violation classifications that rank the level of an organization’s culpability, the organization’s attempts to mitigate the consequences of the violation, and the organization’s willingness to assist with an investigation.

Can you be fined more than once for the same violation?

You can be fined more than once for the same violation if an organization fails to take corrective action after having been issued an initial fine. An organization’s prior history with regard to HIPAA non-compliance can also be a contributory factor in the calculation of penalties for HIPAA violations, and a second or subsequent fine will likely be much larger than the first.

How do you know how much training to provide in order to avoid being in violation of HIPAA?

It can be difficult to know how much training to provide in order to avoid violating HIPAA because there are no specific HIPAA training requirements, other than the stipulations that training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that Covered Entities (CEs) and Business Associates (BAs) should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule).

Your graphs indicate the penalties for HIPAA violations are increasing. Is this the case?

Although our graphs indicate the penalties for HIPAA violations are increasing, it is important to put the raw data into context. There are two key events to consider when looking at the timeline of penalties for HIPAA violations – the passage of the HITECH Act in 2009 which reversed the burden of proof for HIPAA violations, and the HIPAA Omnibus Rule in 2013 which enacted the passage of the HITECH Act making business associates liable for HIPAA violations that were their fault.

Are all the above cases real-life HIPAA violation cases?

All the above cases are real-life HIPAA violation cases that have been reported to and investigated by HHS’ Office for Civil Rights. As mentioned previously, there are many, many more real-life HIPAA violation cases that do not get published in the public domain because either they affect fewer than 500 individuals or they are resolved internally by the Covered Entity they are reported to.

Where can I find recent HIPAA violation cases?

Recent HIPAA violation cases that result in a civil monetary penalty are added to this page as soon as details are publicly available. For details of recent HIPAA violation cases that have not resulted in a civil monetary penalty, visit the HHS’ Breach Portal and click on the link to the Archive. This database contains thousands of HIPAA violation cases that have not resulted in a civil monetary penalty.

Have there been any HIPAA lawsuit cases?

HIPAA lawsuit cases are not recorded as such because HIPAA has no private right of action. However, there have been cases in which a HIPAA data breach is subsequently pursued in court in a civil lawsuit – the best example being the Anthem breach of 2014. More than 100 private class action lawsuits were filed against Anthem, the ultimately consolidated case being settled for $115 million.

Why are there not more HIPAA violations in the news?

The reason there are not more HIPAA violations in the news is that only a few violations each year justify column inches because of their nature or the size of the penalty imposed by the HHS’ Office for Civil Rights. Many HIPAA violations are not deliberate acts of theft, but rather mistakes that are resolved by the tightening up of security measures and further employee training.

Who investigates cases of HIPAA violations other than HHS’ Office for Civil Rights?

Cases of HIPAA violations are investigated most often by the Covered Entity to whom they are reported. Indeed, many Covered Entities don’t provide the contact details for HHS’ Office for Civil Rights on their Notices of Privacy Practices, so most complaints about HIPAA violations are reported directly to them rather than the HHS’ Office for Civil Rights or State Attorneys General.

Cases of HIPAA violations can also be reported internally by members of a Covered Entity’s workforce, and HIPAA requires Business Associates to report all security incidents to the Covered Entity – including those that do not constitute a HIPAA violation – so again, the Covered Entity gets to hear about violations first before deciding whether the events are notifiable.

HIPAA violations that are not violations of the Privacy, Security, and Breach Notification Rules are investigated by other federal agencies. For example, the Centers for Medicare and Medicaid Services investigates cases of Part 162 HIPAA violations, the Department of Labor investigates violations of HIPAA’s portability provisions, and the Federal Trade Commission investigates violations of the Breach Notification Rule by companies that are not Covered Entities or Business Associates.

What are the worst HIPAA violation cases?

The worst HIPAA violation cases are the ones that continue for long periods of time without being identified and corrected. This is especially true when individually identifiable health information is disclosed knowingly and wrongfully to commit identity theft and fraud, as this type of HIPAA violation case can impact individuals’ lives for many years.

Why have patients’ rights violation cases been prioritized?

Patients’ rights violation cases appear to have been prioritized in recent years because in 2019, HHS’ Office for Civil Rights announced a Right of Access enforcement initiative. The initiative aims to address issues related to patients being able to access a copy of their PHI and an Accounting of Disclosures to see who their PHI has been disclosed to up to six years previously.

Why are most HIPAA violation cases medical HIPAA violation cases?

Most HIPAA violation cases are medical HIPAA violation cases because there are many more medical facilities that qualify as Covered Entities than there are health plans or healthcare clearinghouses that qualify as Covered Entities. There are more than 6,000 hospitals, 9,000 urgent care centers, and 27,000 pharmacies that qualify as Covered Entities in the U.S. compared to fewer than 1,000 covered health plans and healthcare clearinghouses combined.

What can Covered Entities learn from HIPAA violation stories?

What Covered Entities can learn from HIPAA violation stories about other Covered Entities is what measures they may need to implement to mitigate the risk of a violation or data breach. Some HIPAA violation stories are quite unique in how they happened or how their consequences could have been prevented, and hearing about these stories helps Covered Entities conduct better-informed risk analyses and implement reasonable and appropriate measures where necessary.

Is a breach of patient confidentiality a HIPAA violation?

A breach of patient confidentiality is not necessarily a HIPAA violation because some disclosures of PHI that are permitted by the Privacy Rule may be considered a breach of patient confidentiality by the patient, even though they are not HIPAA violations. For example, under §164.512 of the Privacy Rule, there are a number of scenarios in which healthcare providers can disclose individually identifiable health information to public health agencies, law enforcement officers, and employers.

In addition to the above example, there may be times when a healthcare provider breaches patient confidentiality – but does not violate HIPAA – because the information being disclosed is not protected by the Privacy Rule. For example, if a healthcare provider maintains a database of names and telephone numbers – and there is no health information maintained in the same database – the names and telephone numbers are not Protected Health Information and not protected by the Privacy Rule.

The post HIPAA Violation Cases: Types & Consequences appeared first on The HIPAA Journal.

Healthcare Data Breach Statistics

The HIPAA Journal has compiled healthcare data breach statistics from October 2009, when the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) started publishing summaries of healthcare data breaches on its website.

This page is regularly updated to reflect the latest healthcare data breach statistics. These statistics and graphs were last updated on August 27, 2025, and are based on data obtained from OCR up to and including July 31, 2025. Check back regularly to get the latest healthcare data breach statistics and healthcare data breach trends. You can view our 2024 healthcare data breach report here. You can also receive a free copy of our HIPAA Compliance Checklist to understand your organization’s responsibilities under HIPAA.

Trends In Healthcare Data Breach Statistics

Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 14 years, with 2021 seeing more data breaches reported than any other year since records first started being published by OCR.

Data breaches increased once again in 2022, with OCR receiving reports of 720 data breaches of 500 or more records. There was no letup in cyberattacks on healthcare organizations in 2023, which set two new records: The most reported data breaches and the most breached records. In 2023, 725 data breaches were reported to OCR, and across those breaches, more than 133 million records were exposed or impermissibly disclosed.

The healthcare data breach statistics below only include data breaches of 500 or more records that have been reported to OCR, as while HIPAA requires all data breaches to be reported regardless of size, OCR does not publish details of smaller data breaches. The breaches included in the statistics and graphs below include closed cases and breaches that are still being investigated by OCR for potential HIPAA violations.

Between October 21, 2009, when OCR first started publishing summaries of data breach reports on its “Wall of Shame”, and December 31, 2023, 5,887 large healthcare data breaches have been reported. On January 22, 2023, the breach portal listed 857 data breaches as still under investigation. This time last year, there were 882 breaches listed as under investigation, which shows OCR has made little progress in clearing its backlog of investigations – something that is unlikely to change given the chronic lack of funding for the department.

There have been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015. The move to digital record keeping, more accurate tracking of electronic devices, and more widespread adoption of data encryption have been key in reducing these data breaches. There has also been a downward trend in improper disposal incidents and unauthorized access/disclosure incidents, but data breaches continue to increase due to a massive increase in hacking incidents and ransomware attacks. In 2023, OCR reported a 239% increase in hacking-related data breaches between January 1, 2018, and September 30, 2023, and a 278% increase in ransomware attacks over the same period. In 2019, hacking accounted for 49% of all reported breaches. In 2023, 79.7% of data breaches were due to hacking incidents.

It is not just the number of data breaches that is increasing, as the breaches are becoming more severe. 2021 was a bad year for data breaches, with 45.9 million records breached, and 2022 was worse with 51.9 million records breached, but 2023 smashed all previous records with an astonishing 168 million records exposed, stolen, or otherwise impermissibly disclosed. The huge total for 2023 includes 26 data breaches of more than 1 million records and four breaches of more than 8 million records. The largest data breach of the year affected 11,270,000 individuals – the second-largest healthcare data breach of all time.

There appears to have been a slight reduction in healthcare data breaches in 2024, although it is a little too early to tell, as OCR has yet to add all reported data breaches for last year to the data breach portal. While healthcare data breaches are down, the number of compromised records has increased again from last year’s record-breaking total to more than 276 million breached records, including the largest-ever healthcare data breach – the ransomware attack at Change Healthcare, which affected an estimated 190 million individuals.

The breach data is updated at least monthly, with the previous month’s figures typically added around the 21st of each month, so check back frequently to see the emerging trends for the current year.

The Biggest U.S. Healthcare Data Breaches of All Time

| Rank | Year | Name of HIPAA-Regulated Entity | State | Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|---|---|
| 1 | 2024 | Change Healthcare, Inc. | MN | Business Associate | 192,700,000 | Hacking/IT Incident |
| 2 | 2015 | Anthem Inc. | IN | Health Plan | 78,800,000 | Hacking/IT Incident |
| 3 | 2023 | Welltok, Inc. | CO | Business Associate | 14,782,887 | Hacking/IT Incident |
| 4 | 2024 | Kaiser Foundation Health Plan, Inc. | CA | Health Plan | 13,400,000 | Unauthorized Access/Disclosure |
| 5 | 2019 | Optum360, LLC | MN | Business Associate | 11,500,000 | Hacking/IT Incident |
| 6 | 2023 | HCA Healthcare | TN | Business Associate | 11,270,000 | Hacking/IT Incident |
| 7 | 2015 | Premera Blue Cross | WA | Health Plan | 11,000,000 | Hacking/IT Incident |
| 8 | 2019 | Laboratory Corporation of America Holdings dba LabCorp | NC | Healthcare Provider | 10,251,784 | Hacking/IT Incident |
| 9 | 2015 | Excellus Health Plan, Inc. | NY | Health Plan | 9,358,891 | Hacking/IT Incident |
| 10 | 2023 | Perry Johnson & Associates, Inc. dba PJ&A * | NV | Business Associate | 9,302,588 | Hacking/IT Incident |
| 11 | 2023 | Maximus, Inc. | VA | Business Associate | 9,179,390 | Hacking/IT Incident |
| 12 | 2023 | Managed Care of North America | GA | Business Associate | 8,627,242 | Hacking/IT Incident |
| 13 | 2014 | Community Health Systems Professional Services Corporations | TN | Healthcare Provider | 6,121,158 | Hacking/IT Incident |
| 14 | 2023 | PharMerica Corporation | KY | Healthcare Provider | 5,815,591 | Hacking/IT Incident |
| 15 | 2025 | Yale New Haven Health System | CT | Healthcare Provider | 5,556,702 | Hacking/IT Incident |
| 16 | 2024 | Ascension Health | MO | Healthcare Provider | 5,466,931 | Hacking/IT Incident |
| 17 | 2025 | Episource, LLC | CA | Business Associate | 5,418,866 | Hacking/IT Incident |
| 18 | 2011 | Science Applications International Corporation (SA | VA | Business Associate | 4,900,000 | Loss |
| 19 | 2023 | HealthEC LLC | NJ | Business Associate | 4,786,241 | Hacking/IT Incident |
| 20 | 2025 | Blue Shield of California | CA | Business Associate | 4,700,000 | Hacking/IT Incident |
| 21 | 2015 | University of California, Los Angeles Health | CA | Healthcare Provider | 4,500,000 | Hacking/IT Incident |
| 22 | 2014 | Community Health Systems Professional Services Corporation | TN | Business Associate | 4,500,000 | Theft |
| 23 | 2024 | HealthEquity, Inc. | UT | Business Associate | 4,300,000 | Hacking/IT Incident |
| 24 | 2022 | Independent Living Systems, LLC | FL | Business Associate | 4,226,508 | Hacking/IT Incident |
| 25 | 2023 | Reventics, LLC | FL | Business Associate | 4,212,823 | Hacking/IT Incident |
| 26 | 2021 | 20/20 Eye Care Network, Inc | FL | Business Associate | 4,142,440 | Hacking/IT Incident |
| 27 | 2022 | OneTouchPoint, Inc. | WI | Business Associate | 4,112,892 | Hacking/IT Incident |
| 28 | 2023 | Colorado Department of Health Care Policy & Financing | CO | Health Plan | 4,091,794 | Hacking/IT Incident |
| 29 | 2013 | Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | IL | Healthcare Provider | 4,029,530 | Theft |
| 30 | 2024 | Concentra Health Services, Inc. | TX | Healthcare Provider | 3,998,163 | Hacking/IT Incident |
| 31 | 2016 | Banner Health | AZ | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 32 | 2021 | Florida Healthy Kids Corporation | FL | Health Plan | 3,500,000 | Hacking/IT Incident |
| 33 | 2015 | Medical Informatics Engineering | IN | Business Associate | 3,500,000 | Hacking/IT Incident |
| 34 | 2016 | Newkirk Products, Inc. | NY | Business Associate | 3,466,120 | Hacking/IT Incident |
| 35 | 2023 | Regal Medical Group, Lakeside Medical Organization, ADOC Acquisition, & Greater Covina Medical Group | CA | Healthcare Provider | 3,388,856 | Hacking/IT Incident |
| 36 | 2020 | Trinity Health | MI | Business Associate | 3,320,726 | Hacking/IT Incident |
| 37 | 2023 | CareSource | OH | Business Associate | 3,180,537 | Hacking/IT Incident |
| 38 | 2023 | Cerebral, Inc | DE | Business Associate | 3,179,835 | Unauthorized Access/Disclosure |
| 39 | 2024 | Centers for Medicare & Medicaid Services | MD | Health Plan | 3,112,815 | Hacking/IT Incident |
| 40 | 2023 | NationsBenefits Holdings, LLC | FL | Business Associate | 3,099,502 | Hacking/IT Incident |
| 41 | 2022 | Advocate Aurora Health | WI | Healthcare Provider | 3,000,000 | Unauthorized Access/Disclosure |
| 42 | 2019 | Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | VA | Health Plan | 2,964,778 | Hacking/IT Incident |
| 43 | 2021 | Lincare Holdings Inc. | FL | Healthcare Provider | 2,918,444 | Hacking/IT Incident |
| 44 | 2024 | Acadian Ambulance Service, Inc. | LA | Healthcare Provider | 2,896,985 | Hacking/IT Incident |
| 45 | 2022 | Connexin Software, Inc. | PA | Business Associate | 2,846,039 | Hacking/IT Incident |
| 46 | 2023 | Navvis & Company, LLC | MO | Business Associate | 2,824,726 | Hacking/IT Incident |
| 47 | 2024 | A&A Services d/b/a Sav-Rx | NE | Business Associate | 2,812,336 | Hacking/IT Incident |
| 48 | 2023 | ESO Solutions, Inc. | TX | Business Associate | 2,700,000 | Hacking/IT Incident |
| 49 | 2025 | DaVita Inc. | CO | Healthcare Provider | 2,689,826 | Hacking/IT Incident |
| 50 | 2023 | Harvard Pilgrim Health Care | MA | Health Plan | 2,662,337 | Hacking/IT Incident |
| 51 | 2018 | AccuDoc Solutions, Inc. | NC | Business Associate | 2,652,537 | Hacking/IT Incident |
| 52 | 2021 | NEC Networks, LLC d/b/a CaptureRx | TX | Business Associate | 2,600,000 | Hacking/IT Incident |
| 53 | 2021 | Smile Brands, Inc. | CA | Business Associate | 2,592,494 | Hacking/IT Incident |
| 54 | 2024 | WebTPA Employer Services, LLC (“WebTPA”) | TX | Business Associate | 2,518,533 | Hacking/IT Incident |
| 55 | 2023 | Norton Healthcare Inc. | KY | Healthcare Provider | 2,500,000 | Hacking/IT Incident |
| 56 | 2023 | Enzo Clinical Labs, Inc. | NY | Healthcare Provider | 2,470,000 | Hacking/IT Incident |
| 57 | 2023 | Florida Health Sciences Center, Inc. dba Tampa General Hospital | FL | Healthcare Provider | 2,430,920 | Hacking/IT Incident |
| 58 | 2021 | Forefront Dermatology, S.C. | WI | Healthcare Provider | 2,413,553 | Hacking/IT Incident |
| 59 | 2024 | INTEGRIS Health | OK | Healthcare Provider | 2,385,646 | Hacking/IT Incident |
| 60 | 2022 | Shields Health Care Group, Inc. | MA | Business Associate | 2,380,483 | Hacking/IT Incident |
| 61 | 2023 | Postmeds, Inc. | CA | Healthcare Provider | 2,364,359 | Hacking/IT Incident |
| 62 | 2023 | Centers for Medicare & Medicaid Services | MD | Health Plan | 2,342,357 | Hacking/IT Incident |
| 63 | 2024 | Medical Management Resource Group, L.L.C. | AZ | Business Associate | 2,264,157 | Hacking/IT Incident |
| 64 | 2016 | 21st Century Oncology | FL | Healthcare Provider | 2,213,597 | Hacking/IT Incident |
| 65 | 2023 | McLaren Health Care | MI | Healthcare Provider | 2,103,881 | Hacking/IT Incident |
| 66 | 2023 | Berry, Dunn, McNeil & Parker, LLC | ME | Business Associate | 2,068,426 | Hacking/IT Incident |
| 67 | 2014 | Xerox State Healthcare, LLC | TX | Business Associate | 2,000,000 | Unauthorized Access/Disclosure |
| 68 | 2023 | Arietis Health, LLC | FL | Business Associate | 1,975,066 | Hacking/IT Incident |
| 69 | 2023 | Great Expressions Dental Centers | MI | Healthcare Provider | 1,925,397 | Hacking/IT Incident |
| 70 | 2022 | Professional Finance Company, Inc. | CO | Business Associate | 1,918,941 | Hacking/IT Incident |
| 71 | 2025 | Anne Arundel Dermatology | MD | Healthcare Provider | 1,905,000 | Hacking/IT Incident |
| 72 | 2011 | IBM | NY | Business Associate | 1,900,000 | Unknown |
| 73 | 2022 | Apria Healthcare LLC | IN | Healthcare Provider | 1,868,831 | Hacking/IT Incident |
| 74 | 2023 | Pension Benefit Information, LLC | MN | Business Associate | 1,866,694 | Hacking/IT Incident |
| 75 | 2023 | Fred Hutchinson Cancer Center | WA | Healthcare Provider | 1,840,927 | Hacking/IT Incident |
| 76 | 2024 | Summit Pathology and Summit Pathology Laboratories, Inc. | CO | Healthcare Provider | 1,813,538 | Hacking/IT Incident |
| 77 | 2023 | Performance Health Technology | OR | Business Associate | 1,752,076 | Hacking/IT Incident |
| 78 | 2023 | NASCO | GA | Business Associate | 1,744,655 | Hacking/IT Incident |
| 79 | 2024 | OnePoint Patient Care | AZ | Healthcare Provider | 1,741,152 | Hacking/IT Incident |
| 80 | 2019 | Clinical Pathology Laboratories, Inc. | TX | Healthcare Provider | 1,733,836 | Hacking/IT Incident |
| 81 | 2020 | Dental Care Alliance, LLC | FL | Business Associate | 1,723,375 | Hacking/IT Incident |
| 82 | 2011 | GRM Information Management Services | NJ | Business Associate | 1,700,000 | Theft |
| 83 | 2022 | Baptist Medical Center | TX | Healthcare Provider | 1,608,549 | Hacking/IT Incident |
| 84 | 2019 | Inmediata Health Group | PR | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure |
| 85 | 2021 | Eskenazi Health | IN | Healthcare Provider | 1,515,918 | Hacking/IT Incident |
| 86 | 2022 | Community Health Network, Inc. as an Affiliated Covered Entity | IN | Healthcare Provider | 1,500,000 | Unauthorized Access/Disclosure |

Healthcare Data Breaches by Year

Between 2009 and 2024, 6,759 healthcare data breaches of 500 or more records were reported to OCR. Those breaches have resulted in the exposure or impermissible disclosure of the protected health information of 846,962,011 individuals. That equates to more than 2.6x the population of the United States. In 2018, healthcare data breaches of 500 or more records were being reported at a rate of around 1 per day. Fast forward 5 years, and the rate has more than doubled. In 2023, an average of 1.99 healthcare data breaches of 500 or more records were reported each day, and on average, 364,571 healthcare records were breached every day. While similar numbers of healthcare data breaches were reported in 2024, the number of individuals affected by those breaches has increased significantly. In 2024, the protected health information of 276,775,457 individuals was exposed or stolen. On average, that is 758,288 records per day!

[Graph: healthcare data breaches of 500 or more records 2009-2025]

Healthcare Records Exposed by Year

[Graph: records compromised in U.S. healthcare data breaches 2009-2025]

There has been a general upward trend in the number of records exposed each year, with a massive increase in 2015. Until 2023, 2015 was the worst year in history for breached healthcare records, with more than 112 million records exposed or impermissibly disclosed. 2015 was particularly bad due to three massive data breaches at health plans: Anthem Inc., Premera Blue Cross, and Excellus. The Anthem breach affected 78.8 million of its members, with the Premera Blue Cross and Excellus data breaches both affecting around 10 million+ individuals. Those data breaches are small in comparison to the data breach at Change Healthcare in 2024, which affected an estimated 190 million individuals. The second-largest data breach of 2024 was reported by Kaiser Foundation Health Plan and affected 13.4 million individuals.

Average/Median Healthcare Data Breach Size by Year

[Graph: healthcare data breaches - average breach size 2009-2025]

[Graph: healthcare data breaches - median breach size 2009-2025]

Largest Healthcare Data Breaches (2009 – 2024)

The largest healthcare data breach occurred at Anthem Inc. in 2015 and involved the records of 78.8 million individuals. A data breach as large as that seemed unlikely to occur again, but this year that record has been smashed. A ransomware attack on Change Healthcare has resulted in the theft of the protected health information of 190 million individuals. You can read more about this devastating cyberattack in this article.

* PJ&A reported the data breach to OCR as affecting 8,952,212 individuals, but some of its covered entity clients reported the data breach themselves. In total, more than 13 million individuals are known to have been affected by the PJ&A data breach.

These figures are calculated based on the reporting entity. When a data breach occurs at a business associate, it may be reported by the business associate or by each affected HIPAA-covered entity. For instance, in 2022, the electronic health record provider Eye Care Leaders suffered a ransomware attack. Each covered entity reported the breach separately. The HIPAA Journal has tracked the breach reports, and at least 39 HIPAA-covered entities were affected, and the records of more than 3.09 million individuals were exposed. Similarly, a major data breach occurred at American Medical Collection Agency in 2019 that was reported by each covered entity, rather than AMCA. That breach affected more than 25 million individuals. Even when business associates of HIPAA-covered entities self-report the data breaches, some of their covered entity clients choose to report the breach themselves. As a result, business associate data breaches tend to be under-represented in analyses of healthcare data breaches.

Causes of Healthcare Data Breaches

[Graph: causes of healthcare security breaches 2009-2025]

[Graph: exposed, stolen and impermissibly disclosed healthcare records 2009-2024]

Healthcare Hacking Incidents by Year

Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although it should be noted that healthcare organizations are now much better at detecting hacking incidents than they were in 2010. The low number of hacking/IT incidents in the earlier years could be partially due to the failure to detect hacking incidents and malware infections, although it is clear that there has been a massive increase in attacks in recent years. Many of the hacking incidents between 2014 and 2018 occurred many months – and in some cases, years – before they were detected.

[Graph: hacking incidents in healthcare 2009-2025]

[Graph: healthcare hacking incidents 2009-2025 - records compromised]

Unauthorized Access/Disclosures by Year

As with hacking, healthcare organizations are getting better at detecting insider breaches and reporting those breaches to the Office for Civil Rights, although as the chart below shows, the severity of these breaches has increased significantly in recent years. These incidents include employee errors, negligence, snooping on medical records, and data theft by malicious insiders. Better HIPAA and security awareness training, along with the use of technologies for monitoring access to medical records, are helping to reduce these data breaches.

[Graph: unauthorized access/disclosure incidents in healthcare 2009-2025]

[Graph: unauthorized access/disclosure incidents in healthcare 2009-2025 - records compromised]

Loss/Theft of PHI and Unencrypted ePHI by Year

Our healthcare data breach statistics show that HIPAA-covered entities and business associates have gotten significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public. Many of these theft/loss incidents involve paper records, which can equally result in the exposure of large amounts of patient information.

[Graph: loss and theft incidents in healthcare 2009-2025]

[Graph: healthcare loss/theft incidents 2009-2025 - records compromised]

Improper Disposal of PHI/ePHI by Year

HIPAA requires healthcare data, whether in physical or electronic form, to be permanently destroyed when no longer required. The improper disposal of PHI is a relatively infrequent breach cause and typically involves paper records that have not been sent for shredding or have been abandoned.

[Graph: improper disposal incidents in healthcare 2009-2025]

[Graph: healthcare improper disposal incidents 2009-2025 - records compromised]

Healthcare Data Breaches by HIPAA-Regulated Entity Type

The table below shows the raw data from OCR of the data breaches by the entity reporting the breaches; however, this data does not tell the whole story, as data breaches occurring at business associates may be reported by the business associate or each affected covered entity or a combination of the two. Many online reports that provide healthcare data breach statistics fail to accurately reflect where many data breaches are occurring.

Healthcare Data Breaches: Reporting Entity (2009 – 2025)

| Year | Healthcare Provider | Health Plan | Business Associate | Healthcare Clearinghouse | Total |
|---|---|---|---|---|---|
| 2009 | 14 | 1 | 3 | 0 | 18 |
| 2010 | 134 | 21 | 44 | 0 | 199 |
| 2011 | 135 | 19 | 45 | 1 | 200 |
| 2012 | 154 | 23 | 40 | 1 | 218 |
| 2013 | 191 | 20 | 64 | 2 | 277 |
| 2014 | 200 | 40 | 74 | 0 | 314 |
| 2015 | 195 | 61 | 14 | 0 | 270 |
| 2016 | 256 | 50 | 22 | 0 | 328 |
| 2017 | 285 | 52 | 21 | 0 | 358 |
| 2018 | 274 | 53 | 42 | 0 | 369 |
| 2019 | 396 | 59 | 54 | 2 | 511 |
| 2020 | 514 | 73 | 74 | 2 | 663 |
| 2021 | 516 | 104 | 93 | 2 | 715 |
| 2022 | 504 | 86 | 129 | 0 | 719 |
| 2023 | 469 | 103 | 172 | 2 | 746 |
| 2024 | 538 | 77 | 118 | 3 | 736 |
| 2025 | 334 | 30 | 78 | 2 | 444 |
| Total | 5,109 | 872 | 1,087 | 17 | 7,085 |

The graphs below paint a more accurate picture of where healthcare data breaches are occurring, rather than the entities that have reported the data breaches, and clearly show the extent to which business associate data breaches have increased in recent years. In 2023, more than 93 million healthcare records were exposed or stolen in data breaches at business associates compared to 34.9 million records in breaches at healthcare providers. The charts below show data breaches by reporting entity.

[Graph: data breaches at HIPAA-regulated entities 2009-2025]

[Graph: breached records at HIPAA-regulated entities 2009-2025]

These data highlight the importance of securing the supply chain, conducting due diligence on vendors before their products and services are used, and monitoring existing vendors for HIPAA Security Rule compliance and cybersecurity. In 2023, one of the biggest challenges in healthcare cybersecurity is securing the supply chain.

OCR Settlements and Fines for HIPAA Violations

The penalties for HIPAA violations can be severe. Multi-million-dollar fines are possible when violations have been allowed to persist for several years or when there is systemic non-compliance with the HIPAA Rules, making HIPAA compliance financially as well as ethically important.

The penalty structure for HIPAA violations is detailed in the infographic below. These figures are adjusted annually for inflation. The current penalty amounts can be found here.

[Infographic: penalties for HIPAA violations]

OCR Settlements and Fines Over the Years

Further information on HIPAA fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines imposed by OCR since 2008. As the graph below shows, HIPAA enforcement activity has steadily increased over the past 14 years, with 2022 being a record year, with 22 penalties imposed. The major rise in HIPAA violation penalties in 2020 was largely due to a new enforcement initiative by OCR targeting non-compliance with the HIPAA Right of Access – the right of patients to access and obtain a copy of their healthcare data. 11 settlements were reached with healthcare providers in 2020 to resolve cases where patients were not given timely access to their medical records, and in 2021, all but two of the 14 penalties were for HIPAA Right of Access violations. From September 2019 to December 2023, 46 penalties have been imposed to resolve HIPAA Right of Access violations.

There was an increase in HIPAA enforcement activity in 2024. While OCR only announced 16 civil monetary penalties and settlements in 2024 to resolve alleged HIPAA violations, OCR Director Melanie Fontes Rainer explained that OCR had in fact closed 22 HIPAA investigations with financial penalties, although OCR announced six of those HIPAA cases in early January 2024 before the administration change. The high level of HIPAA enforcement has continued in 2025, largely due to the new HIPAA risk analysis enforcement initiative. Under this initiative, OCR is focused on compliance with the risk analysis provision of the HIPAA Security Rule – the most commonly identified HIPAA Security Rule violation. By focusing on this aspect of Security Rule compliance, OCR is able to complete investigations more quickly, helping to reduce the large backlog of data breach cases, while also holding HIPAA-regulated entities to account for risk analysis failures. As of May 31, 2025, OCR has closed 9 investigations with financial penalties for HIPAA risk analysis failures under this enforcement initiative.

[Graph: OCR penalties for HIPAA violations 2009-2025]

How Much Has OCR Fined HIPAA Covered Entities and Business Associates?

In addition to an increase in fines and settlements, penalty amounts increased considerably between 2015 and 2018. In 2018, the largest ever financial penalty for HIPAA violations was paid by Anthem Inc. to resolve potential violations of the HIPAA Security Rule that were discovered by OCR during the investigation of its 78.8 million record data breach in 2015. Anthem paid $16 million to settle the case. In 2020, Premera Blue Cross settled potential violations of the HIPAA Rules and paid a $6,850,000 penalty to resolve its 2015 data breach of the PHI of almost 10.5 million individuals, and in 2021 a $5,000,000 settlement was agreed upon with Excellus Health Plan to resolve HIPAA violations identified that contributed to its 2015 data breach of the PHI of almost 9.4 million individuals.

While large financial penalties are still imposed to resolve HIPAA violations, the trend has been for smaller penalties to be issued in recent years, with those penalties imposed on healthcare organizations of all sizes. It is no longer the case that smaller healthcare organizations escape HIPAA fines. In 2022, 55% of the financial penalties imposed by OCR were on small medical practices.

The fall in revenues from OCR’s enforcement activities in recent years is due to OCR reassessing the language of the HITECH Act, which called for penalties for HIPAA violations to be increased. OCR determined that the language of the HITECH Act had been misinterpreted at the time and reduced the penalty caps in three of the four penalty tiers. OCR is now petitioning Congress to increase the penalty caps to increase the deterrent effect.

Funds raised by OCR enforcement actions (2008-2025)

Average HIPAA penalty (2008-2025)

Median HIPAA penalty (2008-2025)

It was expected that 2018 would see fewer fines for HIPAA-covered entities than in the past two years due to HHS budget cuts, but that did not prove to be the case. 2018 was a record-breaking year for HIPAA fines and settlements, beating the previous record of $23,505,300 set in 2016 by 22%. OCR received payments totaling $28,683,400 in 2018 from HIPAA-covered entities and business associates who had violated HIPAA Rules, and 2020 saw a major increase in enforcement activity with 19 settlements. The number of financial penalties was reduced in 2021; however, 2022 saw penalties increase, with 22 financial penalties announced by OCR, more than in any other year to date. There was a reduction in enforcement actions in 2023, although there was an increase in penalty amounts. OCR had been concentrating on HIPAA Right of Access violations, for which the penalties are generally relatively low, as only one HIPAA provision is typically violated. In 2023, OCR imposed more fines for HIPAA Security Rule violations, where the entity concerned violated multiple aspects of the Security Rule, hence the higher penalties.

In 2024, OCR closed 22 HIPAA investigations with financial penalties, although only 16 were announced in 2024. The remainder were announced by OCR in early January 2025, and the high level of enforcement activity has continued in 2025, with this year looking like it will be a record year for HIPAA enforcement. More detailed information on these settlements and civil monetary penalties can be found on our HIPAA Violation Cases page.

OCR Penalties for HIPAA Violations (2008 – 2025)

Year Covered Entity Amount Penalty Type
2025 BST & Co. CPAs, LLP $175,000 Settlement
2025 Syracuse ASC (Specialty Surgery Center of Central New York) $250,000 Settlement
2025 Deer Oaks – The Behavioral Health Solution $225,000 Settlement
2025 Comstar LLC $75,000 Settlement
2025 BayCare Health System $800,000 Settlement
2025 Vision Upright MRI $5,000 Settlement
2025 Comprehensive Neurology $25,000 Settlement
2025 PIH Health $600,000 Settlement
2025 Guam Memorial Hospital Authority $25,000 Settlement
2025 Northeast Radiology $350,000 Settlement
2025 Health Fitness Corporation $227,816 Settlement
2025 Oregon Health & Science University $200,000 Civil Monetary Penalty
2025 Warby Parker Inc. $1,500,000 Civil Monetary Penalty
2025 Northeast Surgical Group $10,000 Settlement
2025 South Broward Hospital District (Memorial Health System) $60,000 Settlement
2025 Solara Medical Supplies $3,000,000 Settlement
2025 USR Holdings $337,750 Settlement
2025 Virtual Private Network Solutions $90,000 Settlement
2025 Elgon Information Systems $80,000 Settlement
2024 Inmediata Health Group $250,000 Settlement
2024 Children’s Hospital Colorado Health System $548,265 Civil Monetary Penalty
2024 Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute $1,190,000 Civil Monetary Penalty
2024 Holy Redeemer Family Medicine $35,581 Settlement
2024 Rio Hondo Community Mental Health Center $100,000 Civil Monetary Penalty
2024 Bryan County Ambulance Authority $90,000 Settlement
2024 Plastic Surgery Associates of South Dakota $500,000 Settlement
2024 Gums Dental Care $70,000 Civil Monetary Penalty
2024 Providence Medical Institute $240,000 Civil Monetary Penalty
2024 Cascade Eye and Skin Centers $250,000 Settlement
2024 American Medical Response $115,200 Civil Monetary Penalty
2024 Heritage Valley Health System $950,000 Settlement
2024 Essex Residential Care (Hackensack Meridian Health, West Caldwell Care Center) $100,000 Civil Monetary Penalty
2024 Phoenix Healthcare $35,000 Settlement
2024 Green Ridge Behavioral Health $40,000 Settlement
2024 Montefiore Medical Center $4,750,000 Settlement
2023 Optum Medical Care of New Jersey $160,000 Settlement
2023 Lafourche Medical Group $480,000 Settlement
2023 St. Joseph’s Medical Center $80,000 Settlement
2023 Doctors’ Management Services $100,000 Settlement
2023 L.A. Care Health Plan $1,300,000 Settlement
2023 UnitedHealthcare $80,000 Settlement
2023 iHealth Solutions (dba Advantum Health) $75,000 Settlement
2023 Yakima Valley Memorial Hospital $240,000 Settlement
2023 Manasa Health Center, LLC $30,000 Settlement
2023 MedEvolve Inc. $350,000 Settlement
2023 David Mente, MA, LPC $15,000 Settlement
2023 Banner Health $1,250,000 Settlement
2023 Life Hope Labs, LLC $16,500 Settlement
2022 Health Specialists of Central Florida Inc $20,000 Settlement
2022 New Vision Dental $23,000 Settlement
2022 Great Expressions Dental Center of Georgia, P.C. $80,000 Settlement
2022 Family Dental Care, P.C. $30,000 Settlement
2022 B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental $25,000 Settlement
2022 New England Dermatology and Laser Center $300,640 Settlement
2022 ACPM Podiatry $100,000 Civil Monetary Penalty
2022 Memorial Hermann Health System $240,000 Settlement
2022 Southwest Surgical Associates $65,000 Settlement
2022 Hillcrest Nursing and Rehabilitation $55,000 Settlement
2022 MelroseWakefield Healthcare $55,000 Settlement
2022 Erie County Medical Center Corporation $50,000 Settlement
2022 Fallbrook Family Health Center $30,000 Settlement
2022 Associated Retina Specialists $22,500 Settlement
2022 Coastal Ear, Nose, and Throat $20,000 Settlement
2022 Lawrence Bell, Jr. D.D.S $5,000 Settlement
2022 Danbury Psychiatric Consultants $3,500 Settlement
2022 Oklahoma State University – Center for Health Sciences $875,000 Settlement
2022 Dr. Brockley $30,000 Settlement
2022 Jacob & Associates $28,000 Settlement
2022 Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. $50,000 Civil Monetary Penalty
2022 Northcutt Dental-Fairhope $62,500 Settlement
2021 Advanced Spine & Pain Management $32,150 Settlement
2021 Denver Retina Center $30,000 Settlement
2021 Dr. Robert Glaser $100,000 Civil Monetary Penalty
2021 Rainrock Treatment Center LLC (dba Monte Nido Rainrock) $160,000 Settlement
2021 Wake Health Medical Group $10,000 Settlement
2021 Children’s Hospital & Medical Center $80,000 Settlement
2021 The Diabetes, Endocrinology & Lipidology Center, Inc. $5,000 Settlement
2021 AEON Clinical Laboratories (Peachstate) $25,000 Settlement
2021 Village Plastic Surgery $30,000 Settlement
2021 Arbour Hospital $65,000 Settlement
2021 Sharpe Healthcare $70,000 Settlement
2021 Renown Health $75,000 Settlement
2021 Excellus Health Plan $5,100,000 Settlement
2021 Banner Health $200,000 Settlement
2020 Peter Wrobel, M.D., P.C., dba Elite Primary Care $36,000 Settlement
2020 University of Cincinnati Medical Center $65,000 Settlement
2020 Dr. Rajendra Bhayani $15,000 Settlement
2020 Riverside Psychiatric Medical Group $25,000 Settlement
2020 City of New Haven, CT $202,400 Settlement
2020 Aetna $1,000,000 Settlement
2020 NY Spine $100,000 Settlement
2020 Dignity Health, dba St. Joseph’s Hospital and Medical Center $160,000 Settlement
2020 Premera Blue Cross $6,850,000 Settlement
2020 CHSPSC LLC $2,300,000 Settlement
2020 Athens Orthopedic Clinic PA $1,500,000 Settlement
2020 Housing Works, Inc. $38,000 Settlement
2020 All Inclusive Medical Services, Inc. $15,000 Settlement
2020 Beth Israel Lahey Health Behavioral Services $70,000 Settlement
2020 King MD $3,500 Settlement
2020 Wise Psychiatry, PC $10,000 Settlement
2020 Lifespan Health System Affiliated Covered Entity $1,040,000 Settlement
2020 Metropolitan Community Health Services dba Agape Health Services $25,000 Settlement
2020 Steven A. Porter, M.D $100,000 Settlement
2019 Jackson Health System $2,154,000 Civil Monetary Penalty
2019 Texas Department of Aging and Disability Services $1,600,000 Civil Monetary Penalty
2019 University of Rochester Medical Center $3,000,000 Settlement
2019 Touchstone Medical Imaging $3,000,000 Settlement
2019 Sentara Hospitals $2,175,000 Settlement
2019 Medical Informatics Engineering $100,000 Settlement
2019 Korunda Medical, LLC $85,000 Settlement
2019 Bayfront Health St. Petersburg $85,000 Settlement
2019 West Georgia Ambulance $65,000 Settlement
2019 Elite Dental Associates $10,000 Settlement
2018* University of Texas MD Anderson Cancer Center $4,348,000 Civil Monetary Penalty
2018 Anthem Inc $16,000,000 Settlement
2018 Fresenius Medical Care North America $3,500,000 Settlement
2018 Massachusetts General Hospital $515,000 Settlement
2018 Brigham and Women’s Hospital $384,000 Settlement
2018 Boston Medical Center $100,000 Settlement
2018 Filefax, Inc. $100,000 Settlement
2017 Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty
2017 Memorial Healthcare System $5,500,000 Settlement
2017 Cardionet $2,500,000 Settlement
2017 Memorial Hermann Health System $2,400,000 Settlement
2017 21st Century Oncology $2,300,000 Settlement
2017 MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement
2017 Presence Health $475,000 Settlement
2017 Metro Community Provider Network $400,000 Settlement
2017 St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement
2017 The Center for Children’s Digestive Health $31,000 Settlement
2016 Lincare, Inc. $239,800 Civil Monetary Penalty
2016 Advocate Health Care Network $5,550,000 Settlement
2016 Feinstein Institute for Medical Research $3,900,000 Settlement
2016 University of Mississippi Medical Center $2,750,000 Settlement
2016 Oregon Health & Science University $2,700,000 Settlement
2016 New York Presbyterian Hospital $2,200,000 Settlement
2016 St. Joseph Health $2,140,500 Settlement
2016 North Memorial Health Care of Minnesota $1,550,000 Settlement
2016 Raleigh Orthopaedic Clinic, P.A. of North Carolina $750,000 Settlement
2016 University of Massachusetts Amherst (UMass) $650,000 Settlement
2016 Catholic Health Care Services of the Archdiocese of Philadelphia $650,000 Settlement
2016 Care New England Health System $400,000 Settlement
2016 Complete P.T., Pool & Land Physical Therapy, Inc. $25,000 Settlement
2015 Triple S Management Corporation $3,500,000 Settlement
2015 Lahey Hospital and Medical Center $850,000 Settlement
2015 University of Washington Medicine $750,000 Settlement
2015 Cancer Care Group, P.C. $750,000 Settlement
2015 St. Elizabeth’s Medical Center $218,400 Settlement
2015 Cornell Prescription Pharmacy $125,000 Settlement
2014 New York and Presbyterian Hospital and Columbia University $4,800,000 Settlement
2014 Concentra Health Services $1,725,220 Settlement
2014 Parkview Health System, Inc. $800,000 Settlement
2014 QCA Health Plan, Inc., of Arkansas $250,000 Settlement
2014 Skagit County, Washington $215,000 Settlement
2014 Anchorage Community Mental Health Services $150,000 Settlement
2013 WellPoint $1,700,000 Settlement
2013 Affinity Health Plan, Inc. $1,215,780 Settlement
2013 Idaho State University $400,000 Settlement
2013 Shasta Regional Medical Center $275,000 Settlement
2013 Adult & Pediatric Dermatology, P.C. $150,000 Settlement
2012 Alaska DHSS $1,700,000 Settlement
2012 Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. $1,500,000 Settlement
2012 Blue Cross Blue Shield of Tennessee $1,500,000 Settlement
2012 Phoenix Cardiac Surgery $100,000 Settlement
2012 The Hospice of Northern Idaho $50,000 Settlement
2011 Cignet Health of Prince George’s County $4,300,000 Civil Monetary Penalty
2011 General Hospital Corp. & Massachusetts General Physicians Organization Inc. $1,000,000 Settlement
2011 University of California at Los Angeles Health System $865,500 Settlement
2010 Rite Aid Corporation $1,000,000 Settlement
2010 Management Services Organization Washington Inc. $35,000 Settlement
2009 CVS Pharmacy Inc. $2,250,000 Settlement
2008 Providence Health & Services $100,000 Settlement

*In 2021, following an appeal, the civil monetary penalty imposed on the University of Texas MD Anderson Cancer Center by the HHS’ Office for Civil Rights was vacated.

State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations

State attorneys general can bring actions against HIPAA-covered entities and their business associates for violations of the HIPAA Rules. Penalties range from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.

Historically, only a handful of U.S. states had imposed penalties for HIPAA violations; that changed in 2019, when many state Attorneys General started participating in multistate actions against HIPAA-covered entities and business associates that experienced major data breaches and were found not to be in compliance with the HIPAA Rules.

The penalties detailed below have been imposed by state attorneys general for HIPAA violations and violations of state laws. It is common for penalties to be imposed solely for violations of state laws, even though there are corresponding HIPAA violations.

Attorneys General HIPAA Fines (2008 – 2025)

Year State Covered Entity Amount
2024 Indiana Westend Dental $350,000
2024 New York HealthAlliance $1,400,000 ($850,000 suspended)
2024 New York Albany ENT & Allergy Specialists $1,000,000 ($500,000 suspended); $2.25M investment in cybersecurity
2024 New York, New Jersey, Connecticut Enzo Biochem/Enzo Clinical Labs $4,500,000
2024 Washington Allure Esthetic $5,000,000
2024 California Adventist Health Hanford $10,000
2024 California Blackbaud $6,750,000
2024 California Quest Diagnostics $5,000,000
2024 New York Refuah Health Center $450,000 and an investment of $1.2 million in cybersecurity
2023 New York New York Presbyterian Hospital $300,000
2023 New York Healthplex $400,000
2023 Indiana CarePointe ENT $120,000
2023 New York U.S. Radiology Specialists Inc. $450,000
2023 Multistate (32 states and PR) Inmediata $1,400,000
2023 New York Personal Touch Holding Corp $350,000
2023 Multistate (49 states and DC) Blackbaud $49,500,000
2023 Colorado Broomfield Skilled Nursing and Rehabilitation Center $60,000 ($25,000 suspended)
2023 Indiana Schneck Medical Center $250,000
2023 California Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals $49,000,000
2023 California Kaiser Permanente $450,000
2023 New York Professional Business Systems Inc. dba Practicefirst Medical Management Solutions $550,000
2023 Multi-state: Oregon, New Jersey, Florida, Pennsylvania EyeMed Vision Care $2,500,000
2023 New York Heidell, Pittoni, Murphy & Bach LLP $200,000
2023 Pennsylvania & Ohio DNA Diagnostics Center $400,000
2022 Oregon & Utah Avalon Healthcare $200,000
2022 Massachusetts Aveanna Healthcare $425,000
2022 New York EyeMed Vision Care $600,000
2021 New Jersey Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) $425,000
2021 New Jersey Diamond Institute for Infertility and Menopause $495,000
2021 Multistate American Medical Collection Agency $21 million (suspended)
2020 Multistate CHSPSC LLC $5,000,000
2020 Multistate Anthem Inc. $39.5 million
2020 California Anthem Inc. $8.7 million
2019 Multistate Premera Blue Cross $10,000,000
2019 Multistate Medical Informatics Engineering $900,000
2019 California Aetna $935,000
2018 Massachusetts McLean Hospital $75,000
2018 New Jersey EmblemHealth $100,000
2018 New Jersey Best Transcription Medical $200,000
2018 Connecticut Aetna $99,959
2018 New Jersey Aetna $365,211.59
2018 District of Columbia Aetna $175,000
2018 Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000
2018 New York Arc of Erie County $200,000
2018 New Jersey Virtua Medical Group $417,816
2018 New York EmblemHealth $575,000
2018 New York Aetna $1,150,000
2017 California Cottage Health System $2,000,000
2017 Massachusetts Multi-State Billing Services $100,000
2017 New Jersey Horizon Healthcare Services Inc. $1,100,000
2017 Vermont SAManage USA, Inc. $264,000
2017 New York CoPilot Provider Support Services, Inc $130,000
2015 New York University of Rochester Medical Center $15,000
2015 Connecticut Hartford Hospital/ EMC Corporation $90,000
2014 Massachusetts Women & Infants Hospital of Rhode Island $150,000
2014 Massachusetts Boston Children’s Hospital $40,000
2014 Massachusetts Beth Israel Deaconess Medical Center $100,000
2013 Massachusetts Goldthwait Associates $140,000
2012 Minnesota Accretive Health $2,500,000
2012 Massachusetts South Shore Hospital $750,000
2011 Vermont Health Net Inc. $55,000
2011 Indiana WellPoint Inc. $100,000
2010 Connecticut Health Net Inc. $250,000

Further information is available in our article on HIPAA enforcement by State Attorneys General.

Federal Trade Commission Fines and Penalties

In 2009, the Federal Trade Commission (FTC) published a new rule that required vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. The FTC Health Breach Notification Rule applies only to identifying health information that is not covered by HIPAA. The Rule does not apply to HIPAA-covered entities or business associates, which have reporting requirements per the HIPAA Breach Notification Rule.

The FTC issued a policy update in 2021 stating its intention to start actively enforcing compliance. Prior to 2023, no financial penalties had been imposed for breach notification failures but that changed in February 2023.

Entity Company Type Penalty Type Amount Reason
Cerebral Mental health telehealth company Settlement $7.1 million ($10 million CMP, $8 million suspended. $5.1 million in refunds to customers) Impermissible disclosure of personal and health information to third parties such as Google and Snapchat
Monument Alcohol addiction treatment company Settlement $2.5 million (suspended) Impermissible disclosure of personal and health information to third parties such as Google.
Easy Healthcare (Premom) Fertility tracking health app provider Settlement $200,000 Impermissible disclosure of personal and health information to third parties such as Google and Facebook. Failure to issue timely notifications
BetterHelp Inc. Online counseling service provider Settlement $7,800,000 Impermissible disclosure of personal and health information to third parties such as Google and Facebook
GoodRx Holdings Inc. Telemedicine platform provider Settlement $1,500,000 Failure to notify consumers about the impermissible disclosure of personal and health information to third parties such as Google and Facebook

Healthcare Data Breach Statistics FAQs

How does the number of data breaches in the healthcare sector compare with other sectors?

The number of data breaches in the healthcare sector compares poorly with other sectors. An analysis of data breaches recorded on the Privacy Rights database between 2015 and 2022 showed that 32% of all recorded data breaches were in the healthcare sector – almost double the number recorded in the financial and manufacturing sectors.

Top 5 Sectors by Cost of Cybersecurity Breaches

Why are there so many more data breaches in the healthcare sector than in other sectors?

There are so many more data breaches in the healthcare sector than in other sectors because healthcare data is more valuable on the black market than any other type of data. This is because it takes longer for healthcare fraud to be discovered and stolen data can be used for longer compared to (for example) a stolen credit card which can be stopped as soon as the breach is discovered.

It is also the case that organizations in the healthcare sector have stricter breach notification requirements than those in other sectors. Certain types of incidents (e.g., ransomware attacks) have to be reported even if it cannot be established that data has been compromised. The increasing number of recent ransomware attacks may therefore have inflated the healthcare data breach statistics.

Why has the average HIPAA penalty decreased since 2018 despite increases in the number of breaches and median breach size?

The average HIPAA penalty has decreased since 2018 despite increases in the number of breaches and median breach size because in recent years the Office for Civil Rights (OCR) has been running a right of access initiative to clamp down on providers who fail to provide patients with access to their PHI within the thirty days allowed.

Penalties for right of access failures are less than for high-volume data breaches, and this has resulted in a decrease in the average HIPAA penalty in recent years. However, while the average HIPAA penalty issued by OCR has decreased, penalties issued by State Attorneys General have remained constant, while it is too early to find trends in fines issued by the FTC.

If a healthcare professional discloses PHI without authorization, is this included in the healthcare data breach statistics?

If a healthcare professional discloses PHI without authorization, the disclosure is unlikely to appear in the healthcare data breach statistics because the statistics are compiled from breaches involving 500 or more records. Therefore, individual unauthorized disclosures of PHI are not included in the figures. However, if the unauthorized disclosure is investigated by OCR and found to be attributable to willful neglect, any subsequent fines will be included in the settlement statistics.

How can healthcare organizations mitigate data breaches?

Healthcare organizations can mitigate data breaches using various methods. The most effective is to encrypt protected health information so that it is rendered unusable, unreadable, or indecipherable to an attacker in the event of a data breach. Provided the decryption key has not also been compromised, encrypted PHI is not considered "unsecured" PHI, so its exposure does not have to be reported to the Office for Civil Rights.

Other steps include implementing two-factor authentication on privileged accounts to mitigate the consequences of credential theft, running checks on all storage volumes (cloud and on-premises) to ensure appropriate permissions are applied, checking network connections for unauthorized open ports, and eliminating Shadow IT environments developed as workarounds.
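Two of the checks listed above (auditing storage-volume permissions and comparing listening ports against what is authorized) can be scripted. The block below is an added example, not code from the HIPAA Journal article or from any regulator; the directory tree it audits, the `ss -ltn` output it parses, and the port allowlist are all constructed for the demonstration.

```python
# Added example (not from the HIPAA Journal article): two defender-side
# audits matching the mitigation steps above, run against constructed inputs.
import os
import stat
import tempfile
from typing import List, Set, Tuple


def audit_permissions(root: str) -> List[Tuple[str, str]]:
    """Walk a storage path and return (relative path, symbolic mode) for every
    file or directory that grants read or write access to 'other'.
    PHI on a shared volume should never carry o+r or o+w bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: never follow symlinks off the volume
            if stat.S_ISLNK(mode):
                continue
            if mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append((os.path.relpath(path, root), stat.filemode(mode)))
    return sorted(findings)


def parse_ss_listen(output: str) -> Set[int]:
    """Parse `ss -ltn` output (one LISTEN socket per line after the header)
    and return the set of local TCP ports being listened on."""
    ports: Set[int] = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening state
        # 4th column is Local Address:Port; IPv6 entries look like [::]:22
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def unauthorized_ports(listening: Set[int], allowlist: Set[int]) -> Set[int]:
    """Ports that are listening but are not on the documented allowlist."""
    return listening - allowlist


# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*
LISTEN 0      511    *:443               *:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      50     0.0.0.0:3389        0.0.0.0:*
"""
# Hypothetical allowlist for this host: SSH, HTTPS and a local-only database.
ALLOWED_PORTS = {22, 443, 5432}


def build_demo_volume() -> str:
    """Create a throwaway directory tree with deliberately mixed modes so the
    permission audit has something to find. Returns the root path."""
    root = tempfile.mkdtemp(prefix="phi_demo_")
    archive = os.path.join(root, "archive")
    os.mkdir(archive)
    os.chmod(archive, 0o750)                      # group access only: fine
    samples = [
        ("phi_export.csv", 0o666),                # world-writable: finding
        ("notes.txt", 0o644),                     # world-readable: finding for PHI
        ("key.pem", 0o600),                       # owner only: fine
        (os.path.join("archive", "old.csv"), 0o640),  # group-readable: fine
    ]
    for rel, mode in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_volume()
    for rel, mode in audit_permissions(demo_root):
        print(f"permission finding: {mode} {rel}")
    for port in sorted(unauthorized_ports(parse_ss_listen(SAMPLE_SS_OUTPUT), ALLOWED_PORTS)):
        print(f"unexpected listening port: {port}")
```

In production the same two functions would be pointed at the real PHI storage path and at the actual output of `ss -ltn`, and the allowlist would come from the system's documented baseline; anything the audit flags is then a finding to fix or to justify and document.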

How are successful phishing attacks recorded in the HIPAA breach reports?

Successful phishing attacks are recorded in the HIPAA breach reports as Hacking/IT Incidents. However, as other cybersecurity incidents such as ransomware attacks and events attributable to malware are also categorized as Hacking/IT Incidents, it is not possible to determine how many successful phishing attacks there have been affecting more than 500 individuals.

Why doesn’t HHS fine every covered organization when a HIPAA data breach occurs?

HHS doesn’t fine every covered organization when a HIPAA data breach occurs because not all data breaches are attributable to HIPAA violations. For example, successful ransomware attacks are notifiable events even when no PHI is disclosed and when systems can be quickly restored from backups because, for a period of time, PHI was unavailable.

Why is the number of HIPAA breaches increasing despite more awareness about HIPAA compliance?

The number of HIPAA breaches is increasing despite more awareness about HIPAA compliance due to the increasing digitalization of healthcare data and the increasing sophistication of cyberattacks. While there is an argument that greater awareness of HIPAA compliance is contributing to the lower number of HIPAA breaches attributable to lost or stolen drives and devices, there is a counterargument that, because of the increase in cloud computing, fewer covered organizations are transporting unencrypted PHI on drives and devices in the first place.

How can HIPAA covered entities better secure their supply chains to prevent data breaches attributable to business associates?

HIPAA covered entities can better secure their supply chains to prevent data breaches attributable to business associates by conducting more thorough due diligence on each business associate. Many covered entities rely on “good faith assurances” rather than investigating the measures each business associate has in place to prevent data breaches, the training provided to business associate workforces, and the security of communication channels used to transmit PHI.

What is the difference between a healthcare data breach and a HIPAA data breach?

The difference between a healthcare data breach and a HIPAA data breach is that a healthcare data breach is one in which healthcare data is accessed without authorization from a healthcare provider (who may or may not be a HIPAA covered entity or business associate), while a HIPAA data breach is a breach of any Protected Health Information (which can include financial information) from any covered health plan, health care clearinghouse, or healthcare provider, or any business associate providing a service for or on behalf of a covered entity.

Therefore, not only is it the nature of the data that distinguishes a healthcare data breach from a HIPAA data breach (i.e., healthcare data vs healthcare, payment, and other data with protected status), but also the status of the organization where data was accessed without authorization (i.e., covered or non-covered healthcare provider vs HIPAA covered entity or business associate). The difference may be subtle, but it can impact the breach notification requirements, the regulatory authority, and the penalty for a data breach.

The post Healthcare Data Breach Statistics appeared first on The HIPAA Journal.

What are the Penalties for HIPAA Violations?

The penalties for HIPAA violations include civil monetary penalties ranging from $141 to $2,134,831 per violation, depending on the level of culpability. Criminal penalties can also be imposed for intentional HIPAA violations, leading to fines and potential imprisonment.

In addition to financial penalties, covered entities may be required to adopt a corrective action plan to address compliance deficiencies and bring policies and procedures up to the standards demanded by HIPAA. State attorneys general can also bring civil actions, resulting in monetary damages.

In this article, we provide a detailed explanation of penalties for HIPAA violations.

You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full compliance.

HIPAA, PHI & HITECH

The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom.

Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to HIPAA-covered entities that fail to comply with HIPAA Rules.

Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect on March 26, 2013.

Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearinghouses, and all other covered entities, as well as to business associates (BAs) of covered entities that are found to have violated HIPAA Rules.

Financial penalties are intended to act as a deterrent to prevent the violation of HIPAA laws, while also ensuring covered entities are held accountable for their actions – or lack of them – when it comes to protecting the privacy of patients and the confidentiality of health data and providing patients with access to their health records on request.

The penalty structure for a violation of HIPAA laws is tiered, based on the knowledge a covered entity had of the violation. OCR sets the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.

Ignorance of HIPAA Rules is no excuse for failing to comply with HIPAA Rules. It is the responsibility of each covered entity to ensure that HIPAA Rules are understood and followed. In cases when a covered entity is discovered to have committed a willful violation of HIPAA laws, the maximum fines may apply.

What Constitutes a HIPAA Violation?

There is much talk of HIPAA violations in the media, but what constitutes a HIPAA violation? A HIPAA violation is when a HIPAA-covered entity or a business associate fails to comply with one or more of the provisions of the HIPAA Rules, most commonly, the HIPAA Privacy, Security, or Breach Notification Rules.

A violation may be deliberate or unintentional. An example of an unintentional HIPAA violation is when too much PHI is disclosed and the minimum necessary standard is violated. When PHI is disclosed, it must be limited to the minimum necessary information to achieve the purpose for which it is disclosed. Financial penalties can be issued for unintentional HIPAA violations, although the penalties will be lower than those for willful violations of HIPAA Rules.

An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications – a violation of the HIPAA Breach Notification Rule.

Many HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk analysis. Financial penalties for HIPAA violations have frequently been issued for risk analysis failures as it is one of the most commonly identified HIPAA violations. The HHS’ Office for Civil Rights has launched an enforcement initiative targeting noncompliance with the risk analysis requirement of the HIPAA Security Rule.

Penalties for HIPAA violations can potentially be issued for all HIPAA violations, although OCR typically resolves most cases through voluntary HIPAA compliance, issuing technical guidance, or accepting a covered entity or business associate’s plan to address the violations and change policies and procedures to prevent future violations from occurring. Financial penalties for HIPAA violations are reserved for the most serious violations of HIPAA Rules, when OCR targets a specific violation such as the HIPAA Right of Access, or wants to “send a message” to the industry about specific violation types.

What Happens if You Violate HIPAA? – HIPAA Violation Classifications

What happens if you violate HIPAA? That depends on the severity of the violation. OCR prefers to resolve HIPAA violations using non-punitive measures, such as voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.

The four categories used for the penalty structure are as follows:

  • Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
  • Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
  • Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
  • Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days

In the case of unknown violations, where the covered entity could not have been expected to avoid a data breach, it may seem unreasonable for a covered entity to be issued with a fine. OCR appreciates this and has the discretion to waive a financial penalty. The penalty cannot be waived if the violation involves willful neglect of the Privacy, Security, and Breach Notification Rules.

HIPAA Violation Penalty Structure

Each category of violation carries a separate HIPAA penalty. It is up to OCR to determine a financial penalty within the appropriate range. OCR considers a number of factors when determining penalties, such as the length of time a violation was allowed to persist, the number of people affected, and the nature of the data exposed. An organization’s willingness to assist with an OCR investigation is also taken into account. The general factors that can affect the amount of the financial penalty also include prior history, the organization’s financial condition, and the level of harm caused by the violation.

  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation up to $1,500,000

The above fines for HIPAA violations are those stipulated by the HITECH Act, and those figures are adjusted annually to factor in cost-of-living increases to ensure that the civil monetary penalties continue to serve as an effective deterrent. Under the Federal Civil Penalties Inflation Adjustment Act of 1990, later amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, cost-of-living increases are stipulated by the Office of Management and Budget (OMB). On January 15 each year, the multiplier set by OMB should be applied by all federal agencies to their CMPs. In 2024, the HHS published its annual increases in the Federal Register on August 8, which is also the effective date for the updated civil monetary penalties. The inflation multiplier for 2025 has been set by OMB as 1.02598.

All civil monetary penalties assessed by OCR on or after August 8, 2024, will use the 2024 rates for HIPAA violations as detailed in the table below. These will be applied to all violations that occurred on or after November 2, 2015. These penalty amounts will be used until the HHS publishes a final rule in the Federal Register that applies the 2025 inflation adjustment.

Current HIPAA Penalty Structure

| Penalty Tier | Culpability | Minimum Penalty per Violation – Inflation Adjusted | Max Penalty per Violation – Inflation Adjusted | Maximum Penalty Per Year (cap) – Inflation Adjusted |
| --- | --- | --- | --- | --- |
| Tier 1 | Lack of Knowledge | $141 | $71,162 | $2,134,831 |
| Tier 2 | Reasonable Cause | $1,424 | $71,162 | $2,134,831 |
| Tier 3 | Willful Neglect | $14,232 | $71,162 | $2,134,831 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $71,162 | $2,134,831 | $2,134,831 |

Penalties for pre-February 18, 2009, violations of the HIPAA administrative simplification provisions will be applied at a rate of $193 per violation with a calendar year cap of $48,586 for violations of an identical provision.

OCR 2019 Notice of Enforcement Discretion Applies New Maximum Annual Penalties for HIPAA Violations

The above table of penalties is still officially in force; however, in 2019, the HHS reviewed the language of the HITECH Act with respect to the required increases for HIPAA violations and determined that the language of the HITECH Act had been misinterpreted and that it did not call for the same maximum annual penalty cap to be applied equally across all four penalty tiers. Instead, the HHS determined that the maximum annual penalty of $1.5 million ($2,134,831 in 2024) should only apply to the most serious Tier 4 violation category.

Rather than issue further rulemaking, which would see the new penalty structure changed in the Federal Register, the HHS announced that OCR would be exercising enforcement discretion and would be applying a different penalty structure where each tier had a separate annual penalty cap. A Notice of Enforcement Discretion (NED) was issued in April 2019 which states that OCR will apply penalties according to the table below. These have been adjusted by The HIPAA Journal based on the annual inflation multipliers set by OMB.

The penalty structure OCR is using is not legally binding, and further rulemaking is required before its new interpretation is set in stone. The NED is still in effect and will remain so indefinitely. Since the NED only applied caps to the annual penalties, this creates an anomaly: the maximum penalty per violation in Tier 1 is still technically $71,162, which is higher than the annual penalty cap. Due to this anomaly, the annual penalty cap is shown as the maximum penalty per violation in the table below for Tier 1.

| Penalty Tier | Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Cap |
| --- | --- | --- | --- | --- |
| Tier 1 | Lack of Knowledge | $141 | $35,581 | $35,581 |
| Tier 2 | Reasonable Cause | $1,424 | $71,162 | $142,355 |
| Tier 3 | Willful Neglect | $14,232 | $71,162 | $355,808 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $71,162 | $2,134,831 | $2,134,831 |

*This table was last updated on August 10, 2024, and includes the inflationary updates for 2024.

Attorneys General Can Also Issue HIPAA Violation Fines

Since the introduction of the HITECH Act (Section 13410(e)(1)) in February 2009, state attorneys general have had the authority to hold HIPAA-covered entities accountable for the unauthorized use or disclosure of the PHI of state residents and can file civil actions in the federal district courts. HIPAA violation fines can be issued up to a maximum of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation. As with OCR penalties, these too are adjusted annually for inflation.

A covered entity suffering a data breach affecting residents in multiple states may be ordered to pay HIPAA violation fines to several different attorneys general. Attorneys General HIPAA penalties are independent of those issued by OCR. Relatively few states have taken action against HIPAA-regulated entities for violations of the HIPAA Rules – California, Connecticut, Indiana, Massachusetts, Minnesota, New Jersey, New York, Oregon, Utah, Pennsylvania, Vermont, and the District of Columbia – although all have participated in at least one multi-state action.

Multi-state actions are now common, where Attorneys General in multiple states pool their resources and share any settlements or civil monetary penalties. These are common in large-scale data breaches that have affected individuals across the entire United States, such as the data breach suffered by Blackbaud and the healthcare clearinghouse Inmediata. While only a small number of states have exercised their authority to issue fines for HIPAA violations, that does not mean HIPAA violations are going unpunished. Many states have pursued financial penalties for equivalent violations of state laws.

Can HIPAA Violations be Criminal?

When a HIPAA-covered entity or business associate violates HIPAA Rules, civil penalties can be imposed. When healthcare professionals violate HIPAA, it is usually their employer that receives the penalty, but not always. If healthcare professionals knowingly obtain or use protected health information for reasons that are not permitted by the HIPAA Privacy Rule, they may be found to be criminally liable for the HIPAA violation under the criminal enforcement provision of the Social Security Act.

Criminal HIPAA violations are prosecuted by the Department of Justice, which is increasingly taking action against individuals who have knowingly violated HIPAA Rules. There have been several cases that have resulted in substantial fines and prison sentences. Criminal HIPAA violations include theft of patient information for financial gain and wrongful disclosures with intent to cause harm. A lack of understanding of HIPAA requirements may not be a valid defense. When an individual “knowingly” violates HIPAA, knowingly means that they have some knowledge of the facts that constitute the offense, not that they definitely know that they are violating HIPAA Rules.

Criminal Penalties for HIPAA Violations

Criminal penalties for HIPAA violations are divided into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each individual case. As with OCR, a number of general factors are considered that will affect the penalty issued. If an individual has profited from the theft, access, or disclosure of PHI, it may be necessary for all money received to be refunded, in addition to the payment of a fine.

The tiers of criminal penalties for HIPAA violations are:

  • Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail
  • Tier 2: Obtaining PHI under false pretenses – Up to 5 years in jail
  • Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail

In recent years, the number of employees discovered to be accessing or stealing PHI – for various reasons – has increased. The value of PHI on the black market is considerable, and this can be a big temptation for some individuals. It is essential that controls are put in place to limit the opportunity for individuals to steal patient data, and for systems and policies to be put in place to ensure improper access and theft of PHI is identified promptly.

All staff likely to come into contact with PHI as part of their work duties should be informed of the HIPAA criminal penalties and that violations will not only result in loss of employment but also potentially a lengthy jail term and a heavy fine. State attorneys general are cracking down on data theft and are keen to make examples out of individuals found to have violated HIPAA Privacy Rules. A jail term for the theft of HIPAA data is now highly likely, especially if the data is stolen for financial gain.

Convictions and Jail Time for HIPAA Violations

  • Organ Transplant Coordinator Gets 2-Year Jail Term for Illegally Accessing Health Records of Supreme Court Judge
  • Arizona Man Sentenced to 54 Months in Criminal HIPAA Violation Case
  • Former Methodist Hospital Employees Plead Guilty to Criminal HIPAA Violations
  • Pharma Sales Rep Pleads Guilty to Healthcare Fraud and Criminal HIPAA Violations
  • Florida Medical Clinic Worker Sentenced to 48 Months in Jail over Theft of PHI
  • 3-Year Jail Term for VA Employee Who Stole Patient Data
  • Former New York Dental Practice Receptionist Sentenced to 2-6 Years for HIPAA Violation
  • UPMC Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation

Employee Sanctions for HIPAA Violations

Not all HIPAA violations are a result of insider theft, and many covered entities and business associates apply a scale of employee sanctions for HIPAA violations depending on factors such as whether the violation was intentional or accidental, whether it was reported by the employee as soon as the violation was realized, and the magnitude of the breach. Some covered entities also apply employee sanctions for HIPAA violations to employees who were aware that a violation (by another employee) had occurred but failed to report it.

Employee sanctions for HIPAA violations vary in severity from further training to dismissal. The decision should be taken in consultation with the HIPAA Privacy and Security Officers, who may have to conduct interviews with the employee, investigate audit trails, and review telephone logs, including the telephone logs of the employee’s mobile phone. Because of the expense and disruption attributable to applying employee sanctions for HIPAA violations, it is worthwhile dedicating more resources to initial employee HIPAA training in order to prevent HIPAA violations, whether intentional or accidental, from occurring.

Receiving a Civil Penalty for Unknowingly Violating HIPAA

Although it was mentioned above that OCR has the discretion to waive a civil penalty for unknowingly violating HIPAA, ignorance of HIPAA regulations is not regarded as a justifiable excuse for failing to implement the appropriate safeguards. In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for failing to fully understand the HIPAA requirements and subsequently failing to conduct a complete risk assessment.

As a result of the incomplete risk assessment, the PHI of 1,391 individuals was potentially disclosed without authorization when a laptop containing the data was stolen from a car parked outside an employee’s home. Speaking after details of the fine had been announced, OCR Director Roger Severino described the civil penalty for unknowingly violating HIPAA as a penalty for disregarding security.

It may also be possible for a CE or BA to receive a civil penalty for unknowingly violating HIPAA if the state in which the violation occurs allows individuals to bring legal action against the person(s) responsible for the violation. Although HIPAA lacks a private right of action, individuals can still use state regulations to establish a standard of care under common law. Several cases of this nature are currently in progress.

Penalties for Non-Compliance with HIPAA

As the graph below shows, OCR has increased its HIPAA enforcement activities in recent years and is now imposing more financial penalties for HIPAA violations. OCR has launched two enforcement initiatives in recent years – the enforcement initiative targeting noncompliance with the HIPAA Right of Access (launched in 2019) that has resulted in more than 50 financial penalties, and the more recent initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule. OCR Director Melanie Fontes Rainer confirmed that 22 enforcement actions were closed by OCR in 2024 with either settlements or civil monetary penalties, although there was a delay in announcing some of those enforcement actions, which rolled over into 2025. This year has also started with a large number of financial penalties, with a further 10 announced by the end of May 2025, largely due to OCR’s new HIPAA risk analysis enforcement initiative.

[Graph: OCR penalties for HIPAA violations 2009-2025]

When deciding on an appropriate settlement, OCR considers the severity of the violation, the extent of non-compliance with HIPAA Rules, the number of individuals impacted, and the impact a breach has had on those individuals. OCR also considers the financial position of the covered entity. Punitive measures may be necessary, but penalties for HIPAA violations should not result in a covered entity being forced out of business.

The purpose of these penalties for HIPAA violations is, in part, to punish covered entities for serious violations of HIPAA Rules, but also to send a message to other healthcare organizations that noncompliance with HIPAA Rules is not acceptable.

[Graph: Funds raised by OCR enforcement actions (2008-2025)]

2025 HIPAA Fines and Settlements

2025 HIPAA Civil Monetary Penalties

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| Oregon Health & Science University | Failure to provide a patient with timely access to their medical records | 1 | $200,000 |
| Warby Parker, Inc. | Multiple HIPAA Security Rule failures: failure to conduct a HIPAA-compliant risk analysis, failure to reduce risks to ePHI, failure to monitor activity in information systems containing ePHI | 198,470 | $1,500,000 |

2025 HIPAA Settlements

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| BST & Co. CPAs, LLP | Risk analysis failure | 170,000 | $175,000 |
| Syracuse ASC (Specialty Surgery Center of Central New York) | Risk analysis failure, breach notification failures (HHS, individuals) | 24,891 | $250,000 |
| Deer Oaks – The Behavioral Health Solution | Risk analysis failure, impermissible disclosure of ePHI | 171,871 | $225,000 |
| Comstar LLC | Risk analysis failure | 585,621 | $75,000 |
| BayCare Health System | Information access management (minimum necessary standard), risk management, information system activity review | 1 | $800,000 |
| Vision Upright MRI | Failure to conduct a HIPAA-compliant risk analysis, failure to issue breach notifications | 21,788 | $5,000 |
| Comprehensive Neurology | Failure to conduct a HIPAA-compliant risk analysis | 6,800 | $25,000 |
| PIH Health, Inc. | Failure to conduct a HIPAA-compliant risk analysis, impermissible disclosure of ePHI, failure to issue prompt breach notices to OCR and the affected individuals, and failure to issue a media breach notice | 189,763 | $600,000 |
| Guam Memorial Hospital Authority | Failure to conduct a HIPAA-compliant risk analysis | 5,000 | $25,000 |
| Northeast Radiology | Failure to conduct a HIPAA-compliant risk analysis | 298,532 | $350,000 |
| Health Fitness Corporation | Failure to conduct a HIPAA-compliant risk analysis | 4,304 | $227,816 |
| Northeast Surgical Group | Risk analysis failure | 10,840 | $10,000 |
| Memorial Health System | HIPAA Right of Access failure | 1 | $60,000 |
| Solara Medical Supplies | Risk analysis and risk management failure, failure to issue timely notifications, and an impermissible disclosure of ePHI on two occasions | 114,007 and 1,531 | $3,000,000 |
| USR Holdings | Risk analysis failure, failure to record activity in information systems, lack of procedures for creating and maintaining retrievable exact copies of ePHI, and an impermissible disclosure of 2,903 individuals’ PHI | 2,903 | $337,750 |
| Virtual Private Network Solutions | Risk analysis failure | At least 23,868 | $90,000 |
| Elgon Information Systems | Risk analysis failure | 31,248 | $80,000 |

2024 HIPAA Fines and Settlements

OCR was expected to step up HIPAA enforcement in 2024 after a year of relatively few financial penalties, and on December 31, 2024, confirmed that 22 enforcement actions resulted in settlements or civil monetary penalties. One of the problems OCR has faced is a lack of funding, which has hampered its ability to enforce HIPAA compliance. OCR’s budget has remained flat for years, but its workload has increased, and Congress has failed to provide additional funds, despite funding increases being requested annually. For instance, OCR investigates all large data breaches; however, the number of breaches has increased substantially. In 2018, 369 data breaches of 500 or more records were reported. More than twice that number were reported in 2023 (747), and similar numbers of breaches have been reported in 2024. OCR is also having to investigate record numbers of complaints from individuals about potential HIPAA violations.

In 2023, OCR underwent restructuring to improve efficiency and make better use of its resources, which has helped the department start to clear the backlog of investigations of data breaches and complaints. In December 2023, OCR confirmed that steps were being taken to improve cybersecurity in healthcare and reduce the number of data breaches, and in January 2024, OCR published voluntary cybersecurity performance goals and has been encouraging healthcare organizations to work toward achieving those goals. OCR intends to make funds available to help healthcare organizations achieve those goals and provide incentives for maturing their cybersecurity programs.

In December 2024, OCR proposed an update to the HIPAA Security Rule to add new cybersecurity requirements, including several of the measures recommended in its essential cybersecurity goals. If signed into law, these new requirements should help reduce the number of data breaches. It will take months before the Security Rule updates are finalized, and there will be a grace period before OCR enforces the new requirements. How long that will take will depend on the incoming Trump administration.

The proposed HIPAA Security Rule update also includes changes to address legal issues the HHS has had with enforcing HIPAA compliance. For instance, in 2018, OCR announced an enforcement action against the University of Texas MD Anderson Cancer Center for a data breach and lack of encryption, but the penalty was overturned on appeal. On January 14, 2021, a three-member panel for the Fifth Circuit Court of Appeals unanimously vacated the $4,348,000 penalty, and since that date, most penalties have been imposed for HIPAA Right of Access failures.

The decision by the Court of Appeals was widely thought to have affected OCR’s willingness to pursue financial penalties for certain HIPAA violations, but in 2022, multiple financial penalties were imposed for other HIPAA violations, and these continued to increase in 2023. In 2024, many of the financial penalties have been imposed for HIPAA Security Rule violations, and OCR has recently launched a HIPAA Security Rule risk analysis enforcement initiative that has already resulted in multiple financial penalties.

While OCR has stated that 22 settlements and civil monetary penalties were agreed in 2024, 6 of those enforcement actions were not announced until January 2025.

2024 HIPAA Civil Monetary Penalties

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| Children’s Hospital Colorado Health System | Failure to provide HIPAA Privacy Rule training to 6,666 workforce members; failure to conduct a thorough and accurate risk analysis; impermissible disclosure of the ePHI of 10,840 individuals | 10,840 | $548,265 |
| Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute | HIPAA Security Rule failures: risk analysis; review of logs of information systems; termination of access rights of former workforce members; policies and procedures for modifying access rights | 34,310 | $1,190,000 |
| Rio Hondo Community Mental Health Center | HIPAA Right of Access failure | 1 | $100,000 |
| Gums Dental Care | HIPAA Right of Access failure | 1 | $70,000 |
| Providence Medical Institute | HIPAA Security Rule failures – restrict access to PHI; business associate agreement | 85,000 | $240,000 |
| American Medical Response | HIPAA Right of Access failure | 1 | $115,200 |
| Essex Residential Care (Hackensack Meridian Health, West Caldwell Care Center) | HIPAA Right of Access failure | 1 | $100,000 |

2024 HIPAA Settlements

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| Inmediata Health Group | Risk analysis failure, failure to monitor activity in information systems, impermissible disclosure of the ePHI of 1,565,338 individuals | 1,565,338 | $250,000 |
| Holy Redeemer Family Medicine | Impermissible disclosure of a patient’s medical records | 1 | $35,581 |
| Bryan County Ambulance Authority | Has never conducted a risk analysis | 14,273 | $90,000 |
| Plastic Surgery Associates of South Dakota | Multiple HIPAA Security Rule failures | 10,229 | $500,000 |
| Cascade Eye and Skin Centers | Risk analysis failure; failure to monitor logs of activity in information systems | Unknown | $250,000 |
| Heritage Valley Health System | Multiple HIPAA Security Rule failures | Unknown | $950,000 |
| Phoenix Healthcare | HIPAA Right of Access failure | 1 | $35,000 |
| Green Ridge Behavioral Health | Multiple HIPAA Privacy and Security Rule failures | 14,000 | $40,000 |
| Montefiore Medical Center | Multiple HIPAA Security Rule failures | 12,517 | $4,750,000 |

2023 HIPAA Fines and Settlements

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| Optum Medical Care | HIPAA Right of Access failure | 6 | $160,000 |
| St. Joseph’s Medical Center | Disclosure of PHI to a reporter | 3 | $80,000 |
| Doctors’ Management Services | Multiple HIPAA Security Rule failures | 206,695 | $100,000 |
| LA Care Health Plan | Multiple HIPAA Security Rule failures | 1,498 | $1,300,000 |
| UnitedHealthcare | HIPAA Right of Access failure | 1 | $80,000 |
| iHealth Solutions (dba Advantum Health) | Unsecured server – impermissible disclosure of ePHI; risk analysis failure | 267 | $75,000 |
| Yakima Valley Memorial Hospital | Snooping by security guards – lack of policies and procedures identified | 419 | $240,000 |
| Manasa Health Center, LLC | Impermissible disclosure of PHI on an Internet platform; Privacy Rule and Breach Notification Rule policies and procedures | 4 | $30,000 |
| MedEvolve Inc. | Impermissible disclosure, business associate agreement failure, risk analysis incomplete | 230,572 | $350,000 |
| David Mente, MA, LPC | HIPAA Right of Access failure | 1 | $15,000 |
| Banner Health | HIPAA Security Rule violations | 2.81 million | $1,250,000 |
| Life Hope Labs, LLC | HIPAA Right of Access failure | 1 | $16,500 |

2022 HIPAA Fines and Settlements

22 HIPAA enforcement actions in 2022 resulted in financial penalties being imposed. OCR has continued with its 2019 HIPAA enforcement initiative targeting noncompliance with the HIPAA Right of Access, with the 2022 total bringing the number of enforcement actions under this initiative up to 42. Financial penalties were also imposed for impermissible disclosures of patient information on social media websites, inadequate security safeguards to ensure the confidentiality, integrity, and availability of ePHI, inadequate notices of privacy practices, and risk analysis failures.

In January 2021, the HITECH Act was amended to incentivize HIPAA-regulated entities to adopt ‘recognized security practices’ to better protect patient data. While it is not mandatory for recognized security practices to be implemented and maintained, HIPAA-regulated entities that demonstrate that they have implemented recognized security practices that have been in place continuously for the 12 months preceding a data breach will benefit from lower financial penalties, and shorter HIPAA audits and investigations.

2022 HIPAA Settlements

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| Health Specialists of Central Florida Inc | HIPAA Right of Access failure | 1 | $20,000 |
| New Vision Dental | Impermissible disclosure of ePHI on Yelp, and notice of privacy practices failure | <20 | $23,000 |
| Great Expressions Dental Center of Georgia, P.C. | HIPAA Right of Access failure (delay + fee) | 1 | $80,000 |
| Family Dental Care, P.C. | HIPAA Right of Access failure | 1 | $30,000 |
| B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental | HIPAA Right of Access failure | 1 | $25,000 |
| New England Dermatology and Laser Center | Improper disposal of PHI, failure to maintain appropriate safeguards | 58,106 | $300,640 |
| Memorial Hermann Health System | HIPAA Right of Access failure | 1 | $240,000 |
| Southwest Surgical Associates | HIPAA Right of Access failure | 1 | $65,000 |
| Hillcrest Nursing and Rehabilitation | HIPAA Right of Access failure | 1 | $55,000 |
| MelroseWakefield Healthcare | HIPAA Right of Access failure | 1 | $55,000 |
| Erie County Medical Center Corporation | HIPAA Right of Access failure | 1 | $50,000 |
| Fallbrook Family Health Center | HIPAA Right of Access failure | 1 | $30,000 |
| Associated Retina Specialists | HIPAA Right of Access failure | 1 | $22,500 |
| Coastal Ear, Nose, and Throat | HIPAA Right of Access failure | 1 | $20,000 |
| Lawrence Bell, Jr. D.D.S | HIPAA Right of Access failure | 1 | $5,000 |
| Danbury Psychiatric Consultants | HIPAA Right of Access failure | 1 | $3,500 |
| Oklahoma State University – Center for Health Sciences | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, and an unauthorized disclosure | 279,865 | $875,000 |
| Dr. Brockley | HIPAA Right of Access failure | 1 | $30,000 |
| Jacob & Associates | HIPAA Right of Access failure, notice of privacy practices, HIPAA Privacy Officer | 1 | $28,000 |
| Northcutt Dental-Fairhope | Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer | 5,385 | $62,500 |

2022 Civil Monetary Penalties for HIPAA Violations

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| ACPM Podiatry | HIPAA Right of Access failure | 1 | $100,000 |
| Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A | Impermissible disclosure on social media | 1 | $50,000 |

OCR HIPAA Fines 2021

There was a reduction in the number of financial penalties for HIPAA violations in 2021 from the record number of penalties in 2020, with OCR’s decision to finalize penalties potentially being affected by the COVID-19 pandemic. That said, penalties have continued to be imposed at relatively high levels, with most of the recent HIPAA violation cases in 2021 imposed for violations of the HIPAA Right of Access. Out of the 14 HIPAA violation cases in 2021 that have resulted in financial penalties, 12 have been for HIPAA Right of Access violations.

In January 2021, one of the largest ever HIPAA fines was imposed on Excellus Health Plan. The settlement resolved a HIPAA case that stemmed from an investigation of a breach of the PHI of 9,358,891 individuals that was reported to OCR in 2015. Aside from that penalty, most of the settlements and civil monetary penalties have been for relatively small amounts and have resulted from investigations of complaints from patients rather than reports of data breaches. As well as the 2021 HIPAA fines being lower, there was a much higher percentage of financial penalties imposed on small healthcare providers than in previous years. That trend is likely to continue in 2023.

2021 HIPAA Settlements

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| Advanced Spine & Pain Management | HIPAA Right of Access failure | 1 | $32,150 |
| Denver Retina Center | HIPAA Right of Access failure | 1 | $30,000 |
| Rainrock Treatment Center LLC (dba Monte Nido Rainrock) | HIPAA Right of Access failure | 1 | $160,000 |
| Wake Health Medical Group | HIPAA Right of Access failure | 1 | $10,000 |
| Children’s Hospital & Medical Center | HIPAA Right of Access failure | 1 | $80,000 |
| The Diabetes, Endocrinology & Lipidology Center, Inc. | HIPAA Right of Access failure | 1 | $5,000 |
| AEON Clinical Laboratories (Peachstate) | HIPAA Security Rule failures (risk assessment, risk management, audit controls, and documentation of HIPAA Security Rule policies and procedures) | Unknown | $25,000 |
| Village Plastic Surgery | HIPAA Right of Access failure | 1 | $30,000 |
| Arbour Hospital | HIPAA Right of Access failure | 1 | $65,000 |
| Sharpe Healthcare | HIPAA Right of Access failure | 1 | $70,000 |
| Renown Health | HIPAA Right of Access failure | 1 | $75,000 |
| Excellus Health Plan | Multiple HIPAA violations: risk analysis, risk management, information system activity reviews, technical policies to prevent unauthorized ePHI access, breach of 9,358,891 records | 9,358,891 | $5,100,000 |
| Banner Health | HIPAA Right of Access failure | 2 | $200,000 |

2021 Civil Monetary Penalties for HIPAA Violations

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| Dr. Robert Glaser | HIPAA Right of Access failure | 1 | $100,000 |

OCR HIPAA Fines 2020

2020 saw more financial penalties imposed on HIPAA-covered entities and business associates than in any other year since OCR started enforcing HIPAA compliance. 19 settlements were reached to resolve potential violations of the HIPAA Rules. OCR continued with its HIPAA Right of Access enforcement initiative that commenced in late 2019 and by year-end had settled 11 cases where patients had not been provided with timely access to their medical records for a reasonable cost-based fee.

2020 saw the second-largest settlement to resolve HIPAA violations. The health insurer Premera Blue Cross paid OCR $6,850,000 to resolve potential HIPAA violations discovered during the investigation of its 2015 breach of the ePHI of 10,466,692 individuals.

2020 OCR HIPAA Settlements

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| Peter Wrobel, M.D., P.C., dba Elite Primary Care | HIPAA Right of Access failure | 2 | $36,000 |
| University of Cincinnati Medical Center | HIPAA Right of Access failure | 1 | $65,000 |
| Dr. Rajendra Bhayani | HIPAA Right of Access failure | 1 | $15,000 |
| Riverside Psychiatric Medical Group | HIPAA Right of Access failure | 1 | $25,000 |
| City of New Haven, CT | Failure to terminate access rights; risk analysis failure; failure to implement Privacy Rule policies; failure to issue unique IDs to allow system activity to be tracked; impermissible disclosure of the PHI of 498 individuals | 498 | $202,400 |
| Aetna | Lack of technical and nontechnical evaluation in response to environmental or operational changes; identity check failure; minimum necessary information failure; impermissible disclosure of 18,849 records; lack of administrative, technical, and physical safeguards | 18,849 | $1,000,000 |
| NY Spine | HIPAA Right of Access failure | 1 | $100,000 |
| Dignity Health, dba St. Joseph’s Hospital and Medical Center | HIPAA Right of Access failure | 1 | $160,000 |
| Premera Blue Cross | Risk assessment failure; risk management failure; insufficient hardware and software controls; unauthorized access to the PHI of 10,466,692 individuals | 10,466,692 | $6,850,000 |
| CHSPSC LLC | Failure to conduct a risk analysis; failures to implement information system activity reviews, security incident procedures, and access controls; breach of the ePHI of more than 6 million individuals | 6,121,158 | $2,300,000 |
| Athens Orthopedic Clinic PA | Failure to conduct a risk analysis; lack of risk management and audit controls; failure to maintain HIPAA policies and procedures; business associate agreement failure; failure to provide HIPAA Privacy Rule training to the workforce | 208,557 | $1,500,000 |
| Housing Works, Inc. | HIPAA Right of Access failure | 1 | $38,000 |
| All Inclusive Medical Services, Inc. | HIPAA Right of Access failure | 1 | $15,000 |
| Beth Israel Lahey Health Behavioral Services | HIPAA Right of Access failure | 1 | $70,000 |
| King MD | HIPAA Right of Access failure | 1 | $3,500 |
| Wise Psychiatry, PC | HIPAA Right of Access failure | 1 | $10,000 |
| Lifespan Health System Affiliated Covered Entity | Lack of encryption; insufficient device and media controls; lack of business associate agreements; impermissible disclosure of 20,431 patients’ ePHI | 20,431 | $1,040,000 |
| Metropolitan Community Health Services dba Agape Health Services | Longstanding, systemic noncompliance with the HIPAA Security Rule | 1,263 | $25,000 |

OCR HIPAA Fines 2019

HIPAA enforcement continued at a high level in 2019. Eight settlements were reached with HIPAA-covered entities and business associates to resolve HIPAA violations and two civil monetary penalties were issued. The financial penalties were imposed to resolve similar violations of HIPAA Rules as in previous years, but 2019 also saw the first financial penalties issued under OCR’s new HIPAA Right of Access initiative. Two covered entities settled cases over the failure to provide patients with a copy of their medical records, in the requested format, in a reasonable time frame.

2019 OCR HIPAA Settlements

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| West Georgia Ambulance | Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures | 500 | $65,000 |
| Korunda Medical, LLC | HIPAA Right of Access failure | 1 or more | $85,000 |
| Sentara Hospitals | Breach notification failure; business associate agreement failure | 577 | $2,175,000 |
| University of Rochester Medical Center | Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device and media controls | 43 | $3,000,000 |
| Elite Dental Associates | Social media disclosure; notice of privacy practices; impermissible PHI disclosure | Unconfirmed | $10,000 |
| Bayfront Health St Petersburg | HIPAA Right of Access failure | 1 | $85,000 |
| Medical Informatics Engineering | Risk analysis failure; impermissible disclosure of 3.5 million records | 3,500,000 | $100,000 |
| Touchstone Medical Imaging | No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI | 307,839 | $3,000,000 |

2019 OCR Civil Monetary Penalties

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| Texas Department of Aging and Disability Services | Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients’ ePHI | 6,617 | $1,600,000 |
| Jackson Health System | Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations | 25,661 | $2,154,000 |

OCR HIPAA Fines 2018

There was a year-over-year increase in HIPAA violation penalties in 2018. 11 financial penalties were agreed in 2018: 10 settlements and one civil monetary penalty. Two records were broken in 2018. 2018 saw the largest ever HIPAA settlement agreed: a $16 million financial penalty for Anthem Inc., to resolve HIPAA violations discovered during the investigation of its 78.8 million-record breach in 2015. HIPAA-covered entities also paid more in fines than in any other year since OCR started enforcing compliance with the HIPAA Rules: $28,683,400.

2018 OCR HIPAA Settlements

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| Cottage Health | Risk analysis and risk management failures; no BAA | 62,500 | $3,000,000 |
| Pagosa Springs Medical Center | Failure to terminate employee access; no BAA | 557+ | $111,400 |
| Advanced Care Hospitalists | Impermissible PHI disclosure; no BAA; insufficient security measures; no HIPAA compliance efforts prior to April 1, 2014 | 9,255 | $500,000 |
| Allergy Associates of Hartford | PHI disclosure to a reporter; no sanctions against employees | 1 | $125,000 |
| Anthem Inc | Risk analysis failure; insufficient reviews of system activity; failure to respond to a detected breach; insufficient technical controls to prevent unauthorized ePHI access | 78,800,000 | $16,000,000 |
| Boston Medical Center | Filming patients without consent | Unspecified | $100,000 |
| Brigham and Women’s Hospital | Filming patients without consent | Unspecified | $384,000 |
| Massachusetts General Hospital | Filming patients without consent | Unspecified | $515,000 |
| Filefax, Inc. | Impermissible disclosure of physical PHI (left unprotected in a truck) | 2,150 | $100,000 |
| Fresenius Medical Care North America | 5 breaches: investigation revealed risk analysis failures; impermissible disclosure of ePHI; lack of policies covering electronic devices; lack of encryption; insufficient security policies; insufficient physical safeguards | 521 | $3,500,000 |

2018 Civil Monetary Penalties for HIPAA Violations

| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| --- | --- | --- | --- |
| University of Texas MD Anderson Cancer Center | 3 breaches resulting in an impermissible disclosure of ePHI; no encryption | 34,883 | $4,348,000 |

OCR HIPAA Fines 2017

A summary of the 2017 OCR penalties for HIPAA violations.

2017 OCR HIPAA Settlements

| HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Settlement Amount |
| --- | --- | --- | --- |
| Memorial Healthcare System | Impermissible access of PHI by employees; impermissible disclosure of PHI to affiliated physicians’ offices | 115,143 | $5,500,000 |
| CardioNet | Theft of an unencrypted laptop computer | 1,391 | $2,500,000 |
| Memorial Hermann Health System | Disclosure of a patient’s PHI to the media | 1 | $2,400,000 |
| 21st Century Oncology | Multiple HIPAA violations | 2,213,597 | $2,300,000 |
| MAPFRE Life Insurance Company of Puerto Rico | Theft of an unencrypted USB storage device | 2,209 | $2,200,000 |
| Presence Health | Delayed breach notifications | 836 | $475,000 |
| Metro Community Provider Network | Lack of a security management process to safeguard ePHI | 3,200 | $400,000 |
| St. Luke’s-Roosevelt Hospital Center Inc. | Impermissible disclosure of PHI to the patient’s employer | 1 | $387,000 |
| The Center for Children’s Digestive Health | Lack of a business associate agreement | N/A | $31,000 |

2017 Civil Monetary Penalties for HIPAA Violations

| HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Penalty Amount |
| --- | --- | --- | --- |
| Children’s Medical Center of Dallas | Theft of unencrypted devices | 6,262 | $3,200,000 |

OCR HIPAA Fines 2016

2016 was a record year for financial penalties to resolve violations of HIPAA Rules. 2016 saw 12 settlements agreed and one civil monetary penalty issued by OCR.

2016 OCR HIPAA Settlements

| HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Settlement Amount |
| --- | --- | --- | --- |
| Feinstein Institute for Medical Research | Improper disclosure of research participants’ PHI | 13,000 | $3,900,000 |
| Advocate Health Care Network | Theft of desktop computers; loss of laptop; improper accessing of data at a business associate | 3,994,175 | $5,550,000 |
| University of Mississippi Medical Center | Unprotected network drive | 10,000 | $2,750,000 |
| Oregon Health & Science University | Loss of unencrypted laptop; storage on a cloud server without BAA | 4,361 | $2,700,000 |
| New York Presbyterian Hospital | Filming of patients by a TV crew | Unconfirmed | $2,200,000 |
| North Memorial Health Care of Minnesota | Theft of laptop computer; improper disclosure to a business associate | 299,401 | $1,550,000 |
| St. Joseph Health | PHI made available through search engines | 31,800 | $2,140,500 |
| Raleigh Orthopaedic Clinic, P.A. of North Carolina | Improper disclosure to a business associate | 17,300 | $750,000 |
| University of Massachusetts Amherst (UMass) | Malware infection | 1,670 | $650,000 |
| Catholic Health Care Services of the Archdiocese of Philadelphia | Theft of mobile device | 412 | $650,000 |
| Care New England Health System | Loss of two unencrypted backup tapes | 14,000 | $400,000 |
| Complete P.T., Pool & Land Physical Therapy, Inc. | Improper disclosure of PHI (website testimonials) | Unconfirmed | $25,000 |

2016 Civil Monetary Penalties for HIPAA Violations

| HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Penalty Amount |
| --- | --- | --- | --- |
| Lincare, Inc. | Improper disclosure (unprotected documents) | 278 | $239,800 |

What are the Penalties for HIPAA Violations? FAQs

What is the maximum penalty for violating HIPAA?

The maximum penalty for violating HIPAA per violation is currently $71,162. However, it is rare that an event that results in the maximum penalty being issued is attributable to a single violation. For example, a data breach could be attributable to the failure to conduct a risk analysis, the failure to provide a security awareness training program, and a failure to prevent password sharing.

What are the consequences of a HIPAA violation?

The consequences of a HIPAA violation depend on the nature of the violation, the reason(s) behind it, the amount of harm it causes, and the organization’s previous history of compliance. In most cases, HIPAA violations are not attributable to willful neglect and HHS’ Office for Civil Rights will try to resolve first-time HIPAA violations via technical assistance or a corrective action plan.

What is the civil penalty for unknowingly violating HIPAA?

The civil penalty for unknowingly violating HIPAA is no different from knowingly violating HIPAA. The Privacy and Security Rules have been in existence for more than twenty years; and, to quote OCR Director Roger Severino “the civil penalty for unknowingly violating HIPAA is a penalty for disregarding security”. There is no excuse for unknowingly violating HIPAA.

What are the categories for punishing violations of federal health care laws?

The categories for punishing violations of federal health care laws vary considerably depending on which law is being violated or which section of which law is being violated. For example, with regard to the penalties for HIPAA violations, there are four civil categories for punishing violations and three criminal categories. However, in other federal healthcare laws (for example, the Social Security Act), there can be dozens of categories for punishing violations of federal healthcare laws.

What criminal consequences are possible with a Tier 3 violation?

The criminal consequences possible with a Tier 3 violation – wrongfully and knowingly obtaining PHI for personal gain, commercial advantage, or with malicious intent – are up to ten years in jail and/or a fine of up to $250,000. These penalties are pursued by the Department of Justice rather than HHS’ Office for Civil Rights.

What are the fines for HIPAA violations?

The fines for HIPAA violations (per violation, as of August 2024) are:

  • Tier 1 – from $141 to $35,581
  • Tier 2 – from $1,424 to $71,162
  • Tier 3 – from $14,232 to $71,162
  • Tier 4 – from $71,162 to $2,134,831

It is important to be aware that, in addition to the fines for HIPAA violations issued by HHS’ Office for Civil Rights, State Attorneys General can issue additional fines for HIPAA violations. Depending on the nature of the violation(s) and state laws, it may be possible for affected individuals to bring a class action lawsuit against an organization guilty of a HIPAA violation.

What does a corrective action plan consist of?

A corrective action plan consists of measures to address the underlying issue(s) that led to the HIPAA violation(s). What the action plan consists of depends on the nature of the violation(s). Typically, Covered Entities and Business Associates will be required to develop or revise policies to fill gaps in their compliance and, when new or revised policies affect the functions of the workforce, to provide training on the new or revised policies.

Are penalties for HIPAA violations always related to data breaches?

Penalties for HIPAA violations are not always related to data breaches. As you will see from the tables above, several Covered Entities have been fined or reached settlement resolutions for failing to provide patients with access to healthcare records within the permitted 30 days. One Covered Entity was fined for failing to have a Business Associate Agreement in place before disclosing ePHI to a Business Associate. None of these penalties for HIPAA violations involved a breach of unsecured PHI.

How does the Office for Civil Rights find out about HIPAA violations?

The Office for Civil Rights finds out about HIPAA violations in a number of ways. For example, Covered Entities are required to report breaches of unsecured PHI within 60 days (or annually if the breach involves fewer than 500 patients), patients can use the OCR complaints portal to report a delay or refusal to access health information, and members of Covered Entities’ workforces are granted whistleblower protection for reporting non-compliance.

What if a violation occurs due to a common non-compliant practice?

If a HIPAA violation occurs due to a common non-compliant practice, the penalty will depend on the nature of the violation, the consequences of the violation, and the perpetrator’s previous compliance history. Most often, a penalty will consist of refresher training and a compliance monitoring program – potentially by a third-party organization at the organization’s own cost.

Are HIPAA violations criminal?

HIPAA violations are criminal when an individual knowingly and wrongfully discloses individually identifiable health information. In such cases, a violation can be referred to the Department of Justice for criminal investigation. If the individual is found guilty of a criminal offense under § 1320d-6 of the Social Security Act, they can be fined up to $250,000 and sentenced to up to ten years in jail.

Has anybody ever received a custodial sentence for violating HIPAA?

A custodial sentence for violating HIPAA is rare, but it has happened – for example, when an employee has been found guilty of stealing PHI to commit identity theft or to sell for personal gain. Even when a violation does not result in a custodial sentence, the offending employee will likely be fined, lose their job, and have their license to practice withdrawn. Depending on how the employee accessed the data, Covered Entities and Business Associates can also be fined for the same violation.

Who issues HIPAA violation fines?

HIPAA violation fines are most often issued by the Department of Health and Human Services’ Office for Civil Rights. However, fines for HIPAA violations can also be issued by State Attorneys General and the Federal Trade Commission; and – when the violation is criminal in nature – the Department of Justice can pursue criminal prosecutions against the perpetrators, which can also result in fines.

The Centers for Medicare and Medicaid Services (CMS) also have the authority to issue fines for violations of the HIPAA Administrative Requirements (45 CFR Part 162). To date, CMS has not exercised this option – preferring instead to resolve violations of Part 162 with technical assistance and corrective action plans.

Are HIPAA breach penalties always financial?

HIPAA breach penalties are not always financial. In fact, HHS’ Office for Civil Rights has only issued financial penalties in around 2% of cases it has investigated for HIPAA breaches – and penalties issued by State Attorneys General and the FTC are even rarer. The majority of HIPAA breaches are resolved via voluntary compliance, technical assistance, or a corrective action plan.

What HIPAA penalties are imposed by the State Attorneys General?

HIPAA penalties can be imposed by state Attorneys General when there is reason to believe residents of the state have been adversely affected by a violation of HIPAA. In such cases, state Attorneys General can bring a civil action on behalf of residents of the state, with penalties ranging from $100 per violation (per affected resident) to $25,000 per violation type (per affected resident).

Can CMS issue fines for HIPAA violations?

CMS can issue fines for HIPAA violations when the violation relates to the HIPAA Administrative Requirements (45 CFR Part 162). As yet, CMS has not exercised its authority to issue fines for HIPAA violations – instead resolving Part 162 complaints via voluntary compliance, technical assistance, and corrective action plans.

When can the FTC issue HIPAA violation penalties?

The FTC can issue HIPAA violation penalties when an individual or organization not covered by HIPAA experiences a data breach of unsecured PHI or fails to notify individuals following a data breach. Typically, organizations that create or maintain health data that is not covered by HIPAA include vendors of personal health appliances and wearables that transmit data to/from the vendor’s servers.

What is the penalty for a HIPAA violation by a hospital volunteer?

The penalty for a HIPAA violation by a hospital volunteer is the same as if the violation was committed by a paid member of the workforce. Similarly, if a patient complains to HHS’ Office for Civil Rights – and the complaint is investigated – the investigation will not consider the employed status of the violator because Covered Entities are required to train all members of the workforce on HIPAA policies and procedures regardless of whether they are volunteers, students, or employees.

How much is a HIPAA violation penalty?

How much a HIPAA violation penalty is depends on the nature of the violation, the consequences of the violation, the perpetrator’s prior compliance history, their willingness to assist any investigation into the violation, and the speed at which measures are put in place to prevent the violation from happening again. It can also be the case that HHS’ Office for Civil Rights uses a HIPAA violation penalty to “send a message” to other Covered Entities.

What are the HIPAA violation consequences for a medical student?

The HIPAA violation consequences for a medical student will depend on the sanctions policy at the healthcare facility where they are working. Usually – unless the HIPAA violation has serious consequences – the medical student will receive a verbal warning. However, the verbal warning will be recorded in their HR file and may affect future employment opportunities.

Who sets HIPAA fines and penalties?

HIPAA fines and penalties actually existed before HIPAA and were originally related to fraudulent claims for treatment made by healthcare providers to federal agencies (i.e., Medicare). The fines and penalties were increased in the text of HIPAA and applied to violations of the Privacy and Security Rules in 2005 when the Department of Health and Human Services (HHS) published the Enforcement Rule.

The HIPAA fines and penalties were subsequently increased by Congress via the HITECH Act 2009, and since 2015 the fines and penalties issued by HHS’ Office for Civil Rights have been adjusted annually to account for inflation. There have been no increases in the HIPAA fines and penalties that can be imposed by State Attorneys General since the passage of HITECH, nor in the fines and penalties for criminal violations of HIPAA.

Are HIPAA breach fines always the same for each type of violation?

HIPAA breach fines can be the same for each type of violation, but – under §160.408 of the Administrative Simplification provisions – the Secretary of Health and Human Services is required to take a number of factors into account when determining the amount of a HIPAA breach fine.

What is the cost of a HIPAA violation?

The cost of a HIPAA violation varies according to the nature of the violation, who is responsible for it, and what the consequences are. For example, a disclosure of more than the minimum necessary PHI by a member of a Covered Entity’s workforce with no previous record of non-compliance will likely result in a verbal warning and possibly further training.

Conversely, a healthcare organization that willfully and knowingly neglects to implement the Security Rule safeguards, and experiences a data breach affecting thousands of patients as a result of its negligence, will likely receive a multi-million dollar fine. Between the two extremes, most violations incur some degree of cost – whether it is reported internally or notified to HHS’ Office for Civil Rights. It is in the interest of Covered Entities to protect their reputation by avoiding HIPAA breaches and subsequent HIPAA fines. Covered entities can promote their HIPAA compliance to patients using a HIPAA logo.

Can patients claim monetary damages for a HIPAA violation?

Patients cannot claim monetary damages for a HIPAA violation under HIPAA law, but many states have privacy, security, and/or breach notification laws that do have a private right of action depending on the nature of the violation and the degree of harm suffered. If individuals feel they have suffered harm due to the negligence of a HIPAA Covered Entity or Business Associate, they should seek independent legal advice from an attorney.

What are HIPAA penalties for non-compliance?

HIPAA penalties for non-compliance vary according to the nature of the violation, which section of HIPAA has been violated, and the consequences of the violation. The HIPAA penalties for non-compliance also vary according to who the non-compliant party is. For example, the penalties for non-compliance by a member of the workforce will likely be a verbal or written warning, while the penalties for non-compliance by a Covered Entity will range from technical assistance to a fine.

What is the fine described by HIPAA/HITECH for companies that accidentally release PHI but perform due diligence?

The fine described by HIPAA/HITECH for companies that accidentally release PHI but perform due diligence is a Tier 1 fine for the “Lack of Knowledge” level of culpability. At present (December 2023), the amount of the fine is between $137 and $34,464 per violation – but these amounts will be adjusted for inflation during 2024.

What is the maximum fine per HIPAA violation according to the Final Omnibus Rule?

The maximum fine per HIPAA violation according to the Final Omnibus Rule is $1.5 million. However, it is important to be aware that the tiered HIPAA penalty structure with the $1.5 million penalty cap was introduced by the HITECH Act in 2009 and adopted by the Final Omnibus Rule in 2013. Since 2015, the maximum fine per HIPAA violation has been increased each year to account for inflation.

What are the criminal penalties for HIPAA violations?

The criminal penalties for HIPAA violations vary according to the motive for the offense. According to §1177 of the Social Security Act, a person who obtains, discloses, uses – or causes to be used – individually identifiable health information maintained by a Covered Entity can be fined up to $50,000 and/or imprisoned for up to a year.

However, if the offense is committed under false pretenses, the fine increases up to $100,000 and the prison term up to five years; and, if the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the fine increases up to $250,000 and the jail term up to ten years.

What are the consequences of violating HIPAA for a nurse?

The consequences of violating HIPAA for a nurse most often depend on the nature of the violation, the impact of the violation, the nurse’s previous compliance record, and the content of the Covered Entity’s sanctions policy. Typically, a first offense with a minor impact will result in a verbal warning and/or refresher training. However, the consequences of violating HIPAA for a nurse could escalate for a serious or repeated offense to a written warning, a suspension, or termination of employment.

Are there HIPAA violation fines for individuals?

There are no HIPAA violation fines for individuals unless an individual qualifies as a HIPAA Covered Entity or Business Associate (for example, a freelance counselor) and they violate HIPAA in their role as such. Individuals employed by Covered Entities or Business Associates cannot be fined for civil violations but could be fined if a violation is considered criminal and referred to the Department of Justice.

What is the minimum fine for intentional and uncorrected release of PHI?

The minimum fine for intentional and uncorrected release of PHI is currently $68,928 if the offender is a Covered Entity or Business Associate. If the offender is a member of a Covered Entity’s or Business Associate’s workforce, and they violate HIPAA intentionally with criminal intent, there is no set minimum fine. The Courts can decide on a fine of up to $250,000.

What are HIPAA civil monetary penalties?

HIPAA civil monetary penalties are fines sometimes imposed on HIPAA Covered Entities and Business Associates for violations of HIPAA. The term is sometimes shortened to HIPAA penalties, or referred to as HIPAA settlements when the perpetrator negotiates a settlement with HHS’ Office for Civil Rights to avoid a lengthy – and potentially costly – dispute over how much the civil monetary penalties should be.

Are HIPAA violations sanctioned differently in different states?

HIPAA violations are not sanctioned differently in different states, although in some states the Attorney General is more willing to pursue HIPAA violation sanctions against a Covered Entity than in others. This may be because the state has more stringent privacy or data security regulations than HIPAA, or because a significant number of state residents are impacted by HIPAA violations.

The post What are the Penalties for HIPAA Violations? appeared first on The HIPAA Journal.