HIPAA violation cases are compliance investigations that result from a data breach being reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) or a privacy complaint being submitted to OCR via the complaints portal. When OCR identifies a violation of HIPAA, violation cases can be resolved in multiple ways.
OCR may choose to take no action if the HIPAA-regulated entity has identified and voluntarily corrected the HIPAA violation. If the HIPAA violation is not severe, OCR often chooses to provide technical assistance to help the regulated entity correct the violation. When there has been a serious violation of the HIPAA Rules or evidence is found suggesting widespread noncompliance, OCR may initiate a more extensive review. Serious violations are sometimes resolved with a financial penalty.
OCR will notify the regulated entity about the findings of the investigation and typically gives the regulated entity an opportunity to settle the alleged violations informally. These settlements involve a reduced financial penalty and generally include a corrective action plan (CAP) with specific measures the regulated entity must implement to ensure compliance with the HIPAA Rules. The regulated entity will then be monitored for compliance with the HIPAA Rules by OCR for a set period, typically 1-3 years.
If a regulated entity contests the findings and maintains that there was no wrongdoing, they have the opportunity to submit evidence to support a waiver of the proposed penalty. Should OCR determine that the evidence does not support a waiver, a civil monetary penalty will be imposed, but no CAP. The regulated entity can request a hearing of their HIPAA violation case before an Administrative Law Judge. If the appeal is not successful, a civil monetary penalty will be imposed.
There are many different types of HIPAA violation cases. For example:
- Failure to conduct a risk analysis
- Failure to create and monitor logs of activity in information systems containing ePHI
- Impermissible uses and disclosures of PHI
- Failure to comply with individuals’ rights under HIPAA
- Lack of Notice of Privacy Practices
- Failure to provide HIPAA training to the workforce training and sanctions failures
- Failure to provide security awareness training to the workforce
- Non-compliance with audit control standards
- Failure to develop a contingency plan
- Lack of physical or technical safeguards
- Business Associate Agreement failures
- Failure to comply with the General Provisions for Transactions
Detailed below is a summary of all HIPAA violation cases that have resulted in civil monetary penalties or settlements with OCR, including cases that have been pursued by OCR after potential HIPAA violations were discovered during data breach investigations and investigations of complaints.
You can also use the article in conjunction with our free HIPAA Violations Checklist to understand what is required to ensure full HIPAA compliance. Use the form on this page to arrange to receive your copy of the checklist.
OCR has increased its enforcement activities in recent years. OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties imposed. In 2016, 12 entities agreed to settle their compliance investigations and pay a financial penalty, with one case seeing a civil monetary penalty imposed. The following three years saw similar numbers of financial penalties; however, there was another major increase in HIPAA fines in 2020 when 19 HIPAA violation cases were settled with OCR. In 2022, OCR resolved 22 HIPAA violation cases with financial penalties, and OCR Director Melanie Fontes Rainer announced that OCR closed 22 investigations with penalties in 2024, although six of those were not announced until January 2025.
The 2020 increase is largely due to OCR’s HIPAA Right of Access enforcement initiative, which was launched in late 2019. Since then, OCR has been cracking down on entities that have failed to provide individuals with timely access to their medical records. As of December 2024, OCR has settled or imposed civil monetary penalties in 51 HIPAA violation cases under this compliance initiative.
In 2024, OCR announced a new enforcement initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule. Risk analysis failures are among the most commonly identified HIPAA violations. In OCR’s last round of HIPAA audits in 2016 and 2017, most audited entities were not fully compliant with this important Security Rule provision, as they had either failed to conduct a HIPAA-compliant risk analysis, had not conducted one frequently enough, or their risk analyses were not comprehensive and/or accurate. Since this is the main focus of OCR when investigating hacking-related data breaches, not only will it help to improve compliance with this vital HIPAA Security Rule requirement, but it should also help to accelerate data breach investigations, allowing OCR to clear the backlog of investigations more rapidly.
By increasing its enforcement activity, OCR is sending a message to all covered entities, large and small, that violations of HIPAA Rules will not be tolerated. OCR also announced in 2024 that the HIPAA compliance audit program will be recommencing imminently.
What are the Consequences of Violating HIPAA?
The consequences of violating HIPAA can be significant, and it is important to note that fines for a HIPAA violation can be applied by the HHS’ Office for Civil Rights (OCR) even if no breach of PHI has occurred. The financial consequences of violating HIPAA depend on the level of negligence, the severity of the violation, the number of individuals affected and the risk posed by the violation, the length of time that the violation has persisted, the financial position of the regulated entity, and in the case of a security breach, whether the entity has implemented recommended security practices continuously for the 12 months prior to the security incident.
- A violation of HIPAA attributable to ignorance of the HIPAA Rules can attract a fine of $141 – $35,581.
- A violation that occurred despite reasonable vigilance can attract a fine of $1,424 – $71,162.
- A violation due to willful neglect, which is corrected within thirty days, will attract a fine of between $14,232 and $71,162.
- A violation due to willful neglect, which is not corrected within thirty days, will attract a fine of between $71,162 and $2,134,831.
The maximum financial penalty, for willful neglect of the HIPAA Rules, is $2,134,831 per violation category, per year. The above penalties were implemented as demanded by the HITECH Act of 2009 and are increased annually in line with inflation.
The last update to the HIPAA violation penalty amounts applies to cases assessed on or after August 8, 2024, as detailed in the table below:
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
| Tier 1 | Reasonable Efforts | $141 | $71,162 | $2,134,831 |
| Tier 2 | Lack of Oversight | $1,424 | $71,162 | $2,134,831 |
| Tier 3 | Neglect – Rectified within 30 days | $14,232 | $71,162 | $2,134,831 |
| Tier 4 | Neglect – Not rectified within 30 days | $71,162 | $2,134,831 | $2,134,831 |
In April 2019, OCR reexamined the language of the HITECH Act and determined it had been misinterpreted and issued a Notice of Enforcement Discretion stating that the maximum annual penalties in three of the four penalty tiers would be changed. Under the Notice of Enforcement Discretion, the maximum annual penalty for a violation will be capped at $25,000 for Tier 1, $100,000 for Tier 2, and $250,000 for Tier 3 plus annual inflation increases. Taking this into account, the figures OCR is working with are detailed in the table below and will apply indefinitely, until the next inflation increase.
The Notice of Enforcement Discretion only applied a new annual penalty cap in three of the four penalty tiers. It did not change the maximum penalty for a violation, which means that the maximum penalty for a Tier 1 violation is higher than the annual penalty cap, therefore, OCR must use the annual cap as the maximum penalty in that penalty tier.
| Annual Penalty Limit | Annual Penalty Limit | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Cap |
| Tier 1 | Lack of Knowledge | $141 | $35,581 | $35,581 |
| Tier 2 | Reasonable Cause | $1,424 | $71,162 | $142,355 |
| Tier 3 | Willful Neglect | $14,232 | $71,162 | $355,808 |
| Tier 4 | Willful neglect (not corrected within 30 days | $71,162 | $2,134,831 | $2,134,831 |
*Table last updated on August 10, 2024.
The inflation multiplier for 2025 was set by the Office of Management and Budget (OMB) as 1.02598. OMB requires all federal agencies to adjust their CMPs by January 15, 2025; however, before the new penalty amounts are applied, each federal agency is required to publish a final rule in the Federal Register applying the multiplier to existing penalties. OCR has been slow to apply the updates in recent years and did not apply the 2024 update until August 8, 2024. Another increase is due to be applied on January 15, 2025, but will likely be applied much later.
State Attorneys General can also impose financial penalties on HIPAA-covered entities and business associates for violations of the HIPAA Rules. Alternatively, financial penalties can be imposed if a breach of ePHI violates state laws. Some states are active enforcers of HIPAA compliance, including California, Connecticut, Indiana, Massachusetts, New Jersey, and New York.
When state laws are violated, the individuals whose ePHI has been compromised may be able to take legal action against the breached entity if it can be proven that they have suffered harm due to the negligence of a covered entity or business associate; however, there is no private cause of action in HIPAA, so it is not possible to sue a HIPAA-regulated entity for a HIPAA violation.
Financial Penalties Imposed on Covered Entities and Business Associates by the HHS’ Office for Civil Rights
Penalties for HIPAA Violations 2008-2025
Listed below are all the OCR HIPAA violation cases that have resulted in a financial penalty. These cases include civil monetary penalties, where it has been established that HIPAA Rules have been violated, and settlements, where HIPAA violations have been alleged to have occurred but the covered entity or business associate has decided not to contest the case and has instead chosen to pay a financial penalty to resolve the potential HIPAA violations with no admission of liability.
HIPAA Violation Cases 2025
BST & Co. CPAs, LLP
BST & Co. CPAs, LLP, a public accounting, business advisory, and management consulting firm in New York, experienced a ransomware attack in December 2019, involving unauthorized access to the protected health information of up to 170,000 individuals. The ransomware group gained access to its network after an employee responded to a phishing email. OCR investigated and determined that a comprehensive and accurate risk analysis had not been conducted to identify all risks and vulnerabilities to ePHI. The case was settled with a $175,000 financial penalty and a corrective action plan. Read More…
Syracuse ASC, doing business as Specialty Surgery Center of Central New York
Syracuse ASC, a single-location ambulatory surgery center in New York (Specialty Surgery Center of Central New York), experienced a ransomware attack in 2021. A threat actor had access to its network for two weeks and used ransomware to encrypt files. The protected health information of 24,891 individuals was potentially stolen. The ransomware attack was detected on March 31, 2021, yet notifications to the affected individuals and the HHS Secretary were not issued until October 14, 2021. OCR investigated and determined that a risk analysis had never been conducted, and timely notifications were not issued, in violation of the HIPAA Security Rule and HIPAA Breach Notification Rule. The case was settled with a $250,000 financial penalty. Read More…
Deer Oaks – The Behavioral Health Solution
Deer Oaks is a long-term care-focused behavioral healthcare provider that offers psychological and psychiatric services to residents of long-term care and assisted living facilities across the United States. OCR launched an investigation after receiving a complaint that patient data had been exposed online. The investigation confirmed that the discharge summaries of 35 patients had been exposed online from at least December 2021 until May 19, 2023. Deer Oaks also fell victim to a ransomware attack involving unauthorized access to the ePHI of 171,871 patients. OCR determined there had been an impermissible disclosure of ePHI and a failure to conduct a risk analysis. Deer Oaks agreed to pay a $225,000 financial penalty. Read More…
Comstar
Comstar LLC is a Massachusetts-based provider of billing, collection, and related services to non-profit and municipal emergency ambulance services. OCR investigated Comstar over a 2022 ransomware attack and data breach that affected 585,621 individuals. A ransomware group gained access to its network on March 19, 2022, and the breach was detected on March 26, when ransomware was deployed. OCR’s investigation determined that Comstar had not conducted a comprehensive risk analysis to identify risks and vulnerabilities to electronic protected health information. The case was settled with a $75,000 financial penalty. Read More..
BayCare Health System
BayCare Health System, a Florida healthcare provider, was investigated over a complaint from an individual who alleged that her printed and electronic medical record was accessed by an unknown third party after a visit to BayCare Health’s St. Joseph Hospital. OCR investigated and determined that BayCare Health failed to implement policies and procedures for authorizing access to electronic protected health information to restrict information per the minimum necessary standard, failed to implement security measures to manage risks to ePHI, and failed to regularly review records of information system activity. The case was settled, and BayCare Health paid an $800,000 financial penalty. Read More…
Vision Upright MRI
Vision Upright MRI is a small Californian medical imaging service provider. In December 2020, OCR initiated an investigation to assess compliance with the HIPAA Rules. OCR determined that Vision Upright MRI had never conducted a HIPAA-compliant risk analysis to identify risks and vulnerabilities to ePHI, and failed to inform the HHS, the media, and the affected individuals about a security breach involving its Picture Archiving and Communication System (PACS) server. The server had been left unsecured and contained the ePHI of 21,778 patients. A settlement was agreed and Vision Upright MRI agreed to pay $5,000 to resolve the alleged violations. Read More…
Comprehensive Neurology
Comprehensive Neurology is a small New York neurology practice. In December 2020, the practice fell victim to a ransomware attack that saw hackers encrypt medical records and gain access to the electronic protected health information of 6,800 individuals. OCR investigated and determined that the practice had not conducted a comprehensive risk analysis to identify risks and vulnerabilities to ePHI. A settlement was reached, and Comprehensive Neurology agreed to pay a $25,000 financial penalty to resolve the alleged HIPAA Security Rule violation. Read more…
PIH Health
The California healthcare network PIH Health was investigated over a phishing attack between June 11 and June 21, 2019, that saw a hacker gain access to 145 employee email accounts that contained the electronic protected health information of 189,763 individuals. The exposed ePHI included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information. OCR determined there had been an impermissible disclosure of the ePHI of 189,763 individuals, a failure to conduct a HIPAA-compliant risk analysis, and three HIPAA Breach Notification Rule failures – No timely breach notice to OCR and the affected individuals, and a failure to issue a media notice about the data breach. The alleged violations were settled, and PIH Health paid a $600,000 financial penalty. Read more…
Guam Memorial Hospital Authority
Guam Memorial Hospital Authority, the operator of a public hospital in the U.S. territory of Guam, was investigated after a complaint was received about a December 2018 ransomware attack. Another complaint was received while the first complaint was being investigated about unauthorized access to ePHI by employees after their employment had ended. The ransomware attack involved unauthorized access to the ePHI of up to 5,000 individuals, and OCR confirmed the second breach by former employees. OCR determined that a HIPAA-compliant risk analysis had not been conducted to identify risks and vulnerabilities to ePHI. OCR agreed to settle the alleged HIPAA violation, and Guam Memorial Hospital Authority agreed to pay a $25,000 financial penalty. Read more…
Northeast Radiology
Northeast Radiology, the operator of several medical imaging centers in New York and Connecticut, submitted a breach report to OCR in March 2020 involving unauthorized access to the protected health information of up to 298,532 individuals. Hackers had exploited a vulnerability in the Picture Archiving and Communication Systems (PACS) via its vendor Alliance HealthCare. Hackers had access to the system between April 2019 and January 2020. OCR investigated and determined that there had been a failure to conduct a comprehensive and accurate risk analysis. The alleged violation was settled, and Northeast Radiology agreed to pay a $350,000 financial penalty. This was the 6th financial penalty to be imposed under OCR’s risk analysis enforcement initiative. Read more…
Health Fitness Corporation
Health Fitness Corporation, an Illinois business associate that provides wellness plans to clients, submitted multiple breach reports to OCR between October 15, 2018, and January 25, 2019, on behalf of clients affected by a data breach. A misconfigured server had exposed protected health information on the Internet and files had been indexed by search engines. The data was exposed online between August 2015 and July 2018. According to Health Fitness, fewer than 4,304 individuals were affected. OCR investigated and determined that a HIPAA-compliant risk analysis was not completed until January 19, 2024. A settlement was agreed upon that included a $227,816 financial penalty. Read More…
Oregon Health & Science University
Oregon Health & Science University was found to have failed to provide a personal representative with timely access to a patient’s full medical records. While some of the requested records were provided within a few days of the request being received, it took multiple requests, two interventions from OCR, and 16 months from the initial request for all of the requested records to be provided. OCR gave the university the opportunity to settle the case informally, but when a settlement could not be agreed, OCR proceeded to impose a civil monetary penalty of $200,000. Read More…
Warby Parker, Inc.
Warby Parker, Inc., a manufacturer and online retailer of prescription and non-prescription eyewear, was ordered to pay a civil monetary penalty of $1,500,000 to resolve alleged violations of the HIPAA Security Rule that were identified by OCR following an investigation of multiple data breaches. The first breach involved unauthorized access to the ePHI of 197,986 individuals between September 25, 2018, and November 30, 2018. Hackers compromised accounts in a credential stuffing attack on its website. Further data breach reports were filed with OCR in September 2019, January 2020, April 2020, and June 2022, which were also due to credential stuffing attacks, although the subsequent attacks only affected 484 individuals. OCR determined that Warby Parker had failed to conduct a HIPAA-compliant risk analysis, had not sufficiently reduced risks and vulnerabilities to ePHI, and was not conducting regular reviews of logs of activity in information systems containing ePHI. Read More…
Northeast Surgical Group
Northeast Surgical Group, a Michigan-based provider of surgical services, experienced a ransomware attack in 2023 that resulted in unauthorized access to ePHI and the encryption of the ePHI of all 15,298 of its patients. OCR investigated and determined that Northeast Surgical Group has not conducted a comprehensive and accurate risk analysis to identify risks and vulnerabilities to all ePHI. This was OCR’s 4th enforcement action under its new risk analysis enforcement initiative. The HIPAA violation case was settled with a $10,000 penalty. Read More…
South Broward Hospital District (Memorial Health System)
South Broward Hospital District, dba Memorial Health System in Florida, was investigated over a complaint from a patient who had not been provided with a copy of an EEG tracing, despite making one mailed request and three requests via the patient portal. The first request was made on December 30, 2020; however, the EEG tracing was not provided until September 29, 2021, 9 months after the first request was made. OCR determined that this was a violation of the HIPAA Right of Access; however Memorial Health System disagreed with the determination, as a copy of the EEG tracing had been provided to the patient on a previous occasion; however, the case was settled to avoid the time and cost of litigation and Memorial Health System paid a $60,000 penalty. Read More…
Solara Medical Supplies
Solara Medical Supplies, a supplier of continuous glucose monitors, insulin pumps, and other supplies to patients with diabetes, fell victim to a phishing attack that saw a threat actor gain access to the email accounts of 8 employees between April 2019 and June 2019. The email accounts contained the ePHI of 114,007 individuals. When issuing notification letters, 1,531 letters were sent to incorrect addresses, resulting in an impermissible disclosure of patients’ demographic information. OCR identified multiple violations of the HIPAA Security Rule and Breach Notification Rule – The failure to conduct a HIPAA-compliant risk analysis, the failure to manage risks and reduce them to an acceptable level, the impermissible disclosure of the ePHI of 114,007 patients in the first breach and 1,531 in the second breach, and the failure to issue timely notifications to OCR, the media, and the affected individuals. Solara settled the alleged violations and paid a $3,000,000 financial penalty. Read More…
USR Holdings
USR Holdings, a holding company that owns and manages primary mental health and substance abuse treatment facilities in Florida, Maryland, and Kentucky, discovered between December 8, 2018, and January 9, 2019, there had been unauthorized access to a database containing ePHI from August 23, 2018, to December 8, 2018. Unauthorized individuals were able to access the ePHI of 2,903 individuals and delete data.
OCR investigated and determined that USR Holdings failed to conduct a HIPAA-compliant risk analysis, had not implemented procedures for reviewing records of information system activity, had not established and implemented procedures for creating and maintaining retrievable exact copies of ePHI, and impermissible access to ePHI and the deletion of ePHI. USR Holdings settled the alleged violations and paid a $337,750 penalty. Read More…
Virtual Private Network Solutions
Virtual Private Network Solutions, a Virginia-based provider of data hosting and cloud services, experienced a ransomware attack on October 31, 2021, that resulted in unauthorized access to the ePHI of at least 23,868 individuals. OCR investigated and determined that Virtual Private Network Solutions had failed to conduct a comprehensive and accurate risk analysis to identify all risks and vulnerabilities to ePHI. This was the third financial penalty to be imposed under OCR’s risk analysis enforcement initiative. The HIPAA violation case was settled for $90,000. Read More…
Elgon Information Systems
Elgon Information Systems, a Massachusetts-based provider of electronic medical records and billing support services, experienced a ransomware attack on March 31, 2023. The investigation revealed the ransomware group first accessed its systems on March 25, 2023, via open ports on its firewall. The ransomware group was able to access the ePHI of 31,248 individuals. OCR investigated and determined that Elgon Information Systems had failed to conduct a comprehensive and accurate risk analysis to identify all risks and vulnerabilities to ePHI. The HIPAA violation case was settled, and Elgon Information Systems paid an $80,000 penalty. This was the second HIPAA violation case to result in a financial penalty under OCR’s risk analysis enforcement initiative. Read More…
HIPAA Violation Cases 2024
OCR confirmed that 22 HIPAA violation cases were closed in 2024 with civil monetary penalties or settlements; however, OCR only announced 16 of those enforcement actions in 2024, with the remainder announced in January 2025. The enforcement actions announced in 2024 were:
Inmediata Health Group
In 2018, OCR learned that ePHI provided to Inmediata, a healthcare clearinghouse, could be accessed by anyone via the Internet without authentication. Inmediata’s investigation confirmed that the ePHI of 1,565,338 individuals had been exposed online from May 2016 to January 2019, including names, birth dates, Social Security numbers, health information, and claims information. OCR determined that Inmediata had not conducted an accurate and thorough risk analysis, was not monitoring activity in information systems containing ePHI, and there had been an impermissible disclosure of ePHI. The case was settled for $250,000. There was no corrective action plan as Inmediata had already implemented measures per a 2023 multi-state settlement with 32 states and Puerto Rico. The multi-state action included a $1.4 million penalty. Read More…
Children’s Hospital Colorado Health System
On July 11, 2017, and between April 6, 2020, and April 13, 2020, Children’s Hospital Colorado Health System, a not-for-profit provider of healthcare services for children and young individuals, fell victim to phishing attacks that involved unauthorized access to ePHI. OCR investigated and determined that there had been an impermissible disclosure of the ePHI of 10,840 patients. The investigation also revealed that Children’s Hospital Colorado failed to provide HIPAA Privacy Rule training to 6,666 members of the workforce, including 3,495 nursing students, and a HIPAA-compliant risk analysis had not been conducted until February 5, 2021. OCR imposed a civil monetary penalty of $548,265 to resolve the alleged HIPAA Privacy and Security Rule violations. Read More…
Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute
On February 19, 2019, the Florida-based pain management practice Gulf Coast Pain Consultants discovered a former contractor had accessed the medical records of patients without authorization on three occasions after stopping providing services. The electronic protected health information of 34,310 patients was accessed by the contractor without authorization. OCR investigated and identified a failure to comply with four provisions of the HIPAA Security Rule. A risk analysis had not been conducted, logs of activity in information systems were not being checked, access rights of workforce members were not promptly terminated, and there were no policies and procedures for modifying workforce members’ access rights. OCR imposed a civil monetary penalty of $1,190,000 to resolve the alleged violations. Read More…
Holy Redeemer Family Medicine
OCR received a complaint from a patient of Holy Redeemer Family Medicine, a Pennsylvania healthcare provider, about an impermissible disclosure of her medical records, including her reproductive healthcare records, to a prospective employer. The patient had given authorization to disclose a single test result unrelated to her reproductive health; however, Holy Redeemer sent the prospective employer the patient’s full records, which included her surgical history, obstetric history, gynecological history, and other sensitive reproductive health information. OCR determined the disclosure violated the HIPAA Privacy Rule. The case was settled for $35,581. Read More…
Rio Hondo Community Mental Health Center
OCR received a complaint from a patient of Rio Hondo Community Mental Health Center, a directly operated Outpatient Program of the County of Los Angeles Department of Mental Health, that she had not been provided with a copy of her medical records, 5 months after making a request and after several phone calls and a visit to the center. OCR investigated, and the records were provided to the patient, 7 months after the initial request was made, which included two months under the state governor’s COVID-19 stay-at-home order when the clinic was unstaffed. The clinic failed to respond to an offer to informally settle the alleged HIPAA Right of Access violation, resulting in OCR imposing a $100,000 civil monetary penalty. Read More…
Bryan County Ambulance Authority
Bryan County Ambulance Authority, an Oklahoma emergency medical service provider, suffered a ransomware attack on November 24, 2021, that resulted in the encryption of files on its network. The encrypted files contained the ePHI of 14,273 patients. OCR investigated and determined that Bryan County Ambulance Authority had never conducted a risk analysis to identify potential risks and vulnerabilities to ePHI. This was the first enforcement action under OCR’s risk analysis enforcement initiative. The alleged violation was settled for $90,000. Read More…
Gums Dental Care
Gums Dental Care, a Maryland dental practice, was investigated by OCR after a complaint was received from a patient who was not provided with a copy of her or her children’s medical records. The practice claimed the complainant would not pay a $25 administrative fee for mailing the records (certified mail) and that the request was denied because the practice believed she would use the information to commit insurance fraud. OCR stated that the fee was not appropriate since the patient requested the records be sent via email, and the belief that the information would be used for fraud was not a valid reason for a denial of the Right of Access request under the HIPAA Privacy Rule. A civil monetary penalty of $70,000 was imposed for failing to provide timely access to medical records, in violation of the HIPAA Right of Access. Read More…
Providence Medical Institute
Providence Medical Institute, a California healthcare provider, was investigated by OCR after reporting a data breach that occurred between February and March 2018 as a result of a ransomware attack. The protected health information of 85,000 individuals was involved. OCR determined that servers containing ePHI were encrypted 3 times, and there was a potential violation of two HIPAA Security Rule provisions: The failure to restrict access to ePHI to only authorized individuals/software, and a lack of a business associate agreement. OCR imposed a civil monetary penalty of $240,000 to resolve the alleged violations. Read More…
Cascade Eye and Skin Centers
Cascade Eye and Skin Centers, a healthcare provider in Washington state, was investigated by OCR over a ransomware attack in 2017. The hackers gained access to 291,0000 files containing patient data. The OCR investigation determined there was a failure to conduct a comprehensive and accurate risk analysis, and there were insufficient reviews of activity in information systems that contained ePHI. The investigation was settled, and a penalty of $250,000 was paid to resolve the alleged HIPAA violations. Read More…
American Medical Response
American Medical Response is a Greenwood Village, CO-based private ambulance company. On October 31, 2018, a patient requested a copy of her medical records, which should have been provided by November 30, 2018. Despite sending multiple requests for those records, they were not provided. A complaint was filed with OCR, and the records were finally provided on November 5, 2019, 370 days after the initial request was submitted. OCR determined that there had been a violation of the HIPAA Right of Access and provided American Medical Response with the opportunity to settle; however, American Medical Response chose not to, resulting in a civil monetary penalty being imposed for $115,200 to resolve the HIPAA violation. Read More…
Heritage Valley Health System
Heritage Valley Health System is a 3-hospital health system with more than 50 physician offices and many community satellite facilities in Pennsylvania, eastern Ohio, and West Virginia. In 2017, Heritage Valley fell victim to a NotPetya ransomware attack that prevented access to its Windows devices. OCR investigated to establish whether Heritage Valley was compliant with the HIPAA Security Rule and found three areas of non-compliance. Heritage Valley had not conducted a comprehensive risk analysis to identify risks and vulnerabilities to electronic protected health information, there was a lack of a contingency plan for responding to an emergency and a lack of technical policies and procedures for restricting access to systems containing ePHI. OCR agreed to settle the alleged violations for $950,000. Read More…
Essex Residential Care (Hackensack Meridian Health, West Caldwell Care Center)
Essex Residential Care, LLC, which does business as Hackensack Meridian Health and operates the skilled nursing facility West Caldwell Care Center in New Jersey, was found to have failed to provide a son with timely access to the medical records of his mother when the son was the personal representative of his mother. It took 161 days from the initial request for the records to be provided. OCR investigated and notified West Caldwell Care Center of its intention to impose a financial penalty, but West Caldwell Care Center disagreed with OCR’s determination. West Caldwell Care Center accepted that the records were not provided within 30 days, but submitted evidence of mitigating factors; however, they were rejected by OCR, which imposed a civil monetary penalty of $100,000. Read More…
Phoenix Healthcare
Phoenix Healthcare, an Oklahoma multi-facility organization that provides nursing care, was found to have failed to provide a daughter with timely access to her mother’s medical records when the daughter was the personal representative of her mother. The requested records were provided 323 days after the initial request was made. OCR proposed a $250,000 financial penalty; however, the proposed fine was contested, and a hearing was requested with an Administrative Law Judge (ALJ). The ALJ upheld OCR’s determination but reduced the financial penalty to $70,000. The fine was appealed, but the Departmental Appeals Board did not reduce the fine. OCR then proposed a $35,000 settlement, on the basis that the penalty was not further contested. Read More…
Green Ridge Behavioral Health
Green Ridge Behavioral Health is a Gaithersburg, MD-based provider of psychiatric evaluations, medication management, and psychotherapy that experienced a ransomware attack in which the protected health information of 14,000 individuals was exposed. OCR investigated and identified multiple potential violations of the HIPAA Privacy and Security Rules. Green Ridge Behavioral Health was determined to have failed to conduct an accurate risk analysis, failed to reduce risks to ePHI, did not have policies and procedures for reviewing records of information system activity, and there was an impermissible disclosure of the PHI of more than 14,000 patients. Green Ridge Behavioral Health settled the alleged violations with no admission of wrongdoing and paid a $40,000 penalty. Read More…
Montefiore Medical Center
Montefiore Medical Center is a non-profit hospital system based in New York City. In May 2015, the New York Police Department notified the medical center about the theft of patient data. The medical center’s investigation confirmed that an employee had accessed and stolen the data of 12,517 patients. The employee sold the data to an identity theft ring. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; failed to implement procedures to review records of activity in information systems, and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems. Montefiore Medical Center settled the investigation and paid a $4,750,000 penalty. Read More…
HIPAA Violation Cases 2023
Optum Medical Care of New Jersey
Optum Medical Care of New Jersey is a private multi-specialty physician group with approximately 150 locations in New Jersey and Southern Connecticut. In the Fall of 2021, OCR received complaints from 6 individuals who claimed not to have been provided with a copy of their requested records in a timely manner. OCR investigated and discovered the patients had not been provided with their records within the time frame permitted by the HIPAA Privacy Rule. The patients had to wait between 84 days and 231 days to receive their requested records. OCR determined this was a violation of the HIPAA Right of Access. The Case was settled for $160,000. Read More…
Lafourche Medical Group
Lafourche Medical Group, a Louisiana-based medical group specializing in emergency medicine, occupational medicine, and laboratory testing, experienced a phishing attack that exposed the PHI of 34,862 individuals. OCR investigated and found that a security risk analysis had not been conducted prior to the phishing attack in 2021, and there were no procedures to regularly review logs of system activity prior to the attack. OCR settled the alleged HIPAA violations for $480,000. Read More…
St. Joseph’s Medical Center
St. Joseph’s Medical Center is a non-profit academic medical center in New York. OCR launched an investigation after seeing a media article about the medical center’s response to the COVID-19 public health emergency. The article included images and information about three of the medical center’s patients. The medical center had allowed an Associated Press reporter to have access to the patients and their clinical information without first obtaining authorization from the patients. The disclosures were a violation of the HIPAA Privacy Rule. The case was settled for $80,000. Read More…
Doctors’ Management Services
Doctors’ Management Services (DMS) is a Massachusetts-based medical management company whose services include medical billing and payor credentialing. DMS suffered a GandCrab ransomware attack in December 2018. The forensic investigation confirmed that the attackers first gained access to its network on April 1, 2017. OCR investigated and identified multiple violations of the HIPAA Rules, including a failure to conduct an accurate risk analysis, a failure to review records of system activity, a failure to implement reasonable and appropriate policies/procedures to comply with the HIPAA Security Rule, and an impermissible disclosure of the PHI of 206,695 individuals. The case was settled for $100,000. Read more…
L.A. Care Health Plan
Local Initiative Health Authority for Los Angeles County, operating and doing business as L.A. Care Health Plan, is an independent local public agency that provides health coverage to low-income Los Angeles County residents. OCR conducted two investigations, one of a large breach and another of a separate data breach reported by the media, and found multiple violations of the HIPAA Security Rule: The lack of a comprehensive risk analysis, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, impermissible disclosure of the ePHI of 1,498 individuals. The case was settled for $1,300,000. Read More…
UnitedHealthcare
UnitedHealthcare is a health insurer part of Minnetonka, MN-based UnitedHealthcare Group. OCr received a complaint on March 25, 2021, from a patient who claimed not to have been provided with their requested medical records. OCR notified UnitedHealthcare about the complaint, and the failure to provide the records was attributed to an employee error. OCR determined there had been a HIPAA Right of Access failure, and UnitedHealthcare was fined $80,000. Read More…
iHealth Solutions, dba Advantum Health
iHealth Solutions is a Louisville, Kentucky-based HIPAA business associate that provides management services to healthcare practices. In 2017, a server was left unsecured, allowing an unauthorized individual to steal files that contained the ePHI of 267 individuals. OCR determined there had been a failure to conduct an accurate and thorough risk analysis and an impermissible disclosure of ePHI. The case was settled for $75,000. Read More…
Yakima Valley Memorial Hospital
Yakima Valley Memorial Hospital is a 222-bed non-profit community hospital in Washington State. OCR investigated a report of snooping on 419 medical records by 23 security guards in the emergency department. OCR determined the hospital had failed to implement appropriate policies and procedures to ensure compliance with the HIPAA Rules. The case was settled with OCR for $240,000. Read More…
Manasa Health Center, LLC
Manasa Health Center, LLC, is a New Jersey-based provider of psychiatric services for adults and children. OCR received a complaint in April 2020 about impermissible disclosures of PHI in response to negative Google Reviews. OCR investigated and found there had been impermissible disclosures of the PHI of four patients in response to negative reviews, a lack of policies and procedures related to online disclosures, and a failure to issue breach notification letters to those individuals. The case was settled for $30,000.
MedEvolve Inc.
The Luxottica Group PIVA-owned vision insurance company, EyeMed Vision Care, experienced a data breach in June 2020 involving the protected health information (PHI) of 230,572 individuals. An FTC server had been left exposed on the Internet. OCR’s investigators identified a risk analysis failure, a lack of a business associate agreement with a subcontractor, and an impermissible disclosure of the PHI of 230,572 individuals. The case was settled for $350,000. Read More…
David Mente, MA, LPC
The Pittsburgh, PA-based counselor and therapist, David Mente, was found not to have provided a father with a copy of his minor children’s health records. OCR provided technical assistance, but the records were still not provided as requested. OCR determined that the delay in providing the records constituted a violation of the HIPAA Right of Access. The case was settled for $15,000. Read More…
Banner Health
The Phoenix, Arizona-based non-profit health system, Banner Health, experienced a hacking incident that resulted in the impermissible disclosure of the PHI of 2.81 million individuals in 2016. OCR’s investigators identified a risk analysis failure, a lack of reviews of system activity, a failure to verify identity for access to PHI, and insufficient technical safeguards. The case was settled for $1,250,000. Read More…
Life Hope Labs, LLC
Life Hope Labs, LLC, in Sandy Springs, Georgia, failed to provide an individual with the medical records of her deceased father in a timely manner. It took 225 days from the initial request for the records to be provided. The diagnostic laboratory settled the case with OCR and paid a $16,500 financial penalty. Read More…
HIPAA Violation Cases 2022
Health Specialists of Central Florida Inc.
Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc., was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased father’s medical records. It took multiple requests and almost 5 months for all of the requested medical records to be provided. Health Specialists of Central Florida Inc. settled the case with OCR and paid a $20,000 penalty. Read More…
New Vision Dental
The California general dental practice, New Vision Dental, was investigated by OCR following reports about impermissible disclosures of patients’ protected health information on the review platform Yelp. OCR found that the owner of the practice had responded to several reviews and disclosed ePHI, even disclosing the names of patients in the responses who had chosen to post reviews anonymously. The disclosed information included details of patients’ visits, treatment, and insurance. OCR also found the Notice of Privacy Practices to be inadequate. The case was settled with OCR, and a £23,000 financial penalty was imposed. Read More…
Great Expressions Dental Center of Georgia, P.C.
Great Expressions Dental Center of Georgia, P.C. was investigated by OCR in response to a complaint from a patient that she would be charged a fee of $170 for her medical records. OCR determined this fee to be unreasonable and that there had been a 15-month delay in providing the patient with the requested records. The practice settled the case with OCR for $80,000. Read More…
Family Dental Care, P.C.
Family Dental Care, P.C. in Chicago, Illinois, was investigated in response to a complaint from a patient who had only been provided with a partial copy of her requested medical records. It took 5 months from the initial request for the complete set of medical records to be provided. The case was settled with OCR for $30,000. Read More…
B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental
Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor child’s medical records, despite submitting multiple requests to the practice. It took 8 months from the date of the first request for the records to be provided. A settlement was agreed upon with OCR that included a $25,000 penalty. Read More…
New England Dermatology and Laser Center
New England Dermatology and Laser Center in Massachusetts disposed of empty specimen containers in regular dumpsters between February 4, 2011, and March 31, 2021. The containers had labels that included the PHI of patients. The PHI of 58,106 patients was improperly disposed of during that timeframe. The case was settled with OCR for $300,640. Read More…
ACPM Podiatry
ACPM Podiatry in Illinois did not provide a former patient with his requested records, and despite the intervention of OCR, the patient was still not provided with the requested records due to the non-payment of a bill by the insurance company. OCR imposed a civil monetary penalty of $100,000. Read More…
Memorial Hermann Health System
Memorial Hermann Health System in Texas received five requests from a patient for complete records to be provided between June 2019 and January 2020. It took 564 days from the initial request for all of the records to be provided to the patient. OCR settled the case for $240,000. Read More…
Southwest Surgical Associates
Southwest Surgical Associates in Texas took 13 months to provide a patient with all of the requested records between February 11, 2020, and March 5, 2021. OCR settled the case for $65,000. Read More…
Hillcrest Nursing and Rehabilitation
Hillcrest Nursing and Rehabilitation in Massachusetts received a request from a parent for her son’s medical records on March 22, 2020, but the records were not provided until October 10, 2020. OCR settled the case for $55,000. Read More…
MelroseWakefield Healthcare
MelroseWakefield Healthcare in Massachusetts received a valid request from a personal representative of a patient on June 12, 2020, but it took until October 20, 2020, for the requested records to be provided due to an error regarding the legality of the durable power of attorney. OCR settled the case for $55,000. Read More…
Erie County Medical Center Corporation
Erie County Medical Center Corporation in Buffalo, NY, failed to provide a patient with timely access to his medical records. OCR settled the case for $50,000. Read More…
Fallbrook Family Health Center
Fallbrook Family Health Center in Nebraska failed to provide a patient with timely access to the requested medical records. OCR settled the case for $30,000. Read More…
Associated Retina Specialists
Associated Retina Specialists in New York took 5 months to provide a patient with the requested medical records. The records were provided within days of OCR intervening. OCR settled the case for $22,500. Read More…
Coastal Ear, Nose, and Throat
Coastal Ear, Nose, and Throat in Florida received a request from a patient for a copy of medical records on December 15, 2020, and again on January 8, 2021, but the records were not provided until May 20, 2021. OCR settled the case for $20,000. Read More…
Lawrence Bell, Jr., D.D.S
Lawrence Bell, Jr. D.D.S in Maryland failed to provide a patient with timely access to the requested medical records. OCR settled the case for $5,000. Read More…
Danbury Psychiatric Consultants
Danbury Psychiatric Consultants in Massachusetts received a request for medical records on March 24, 2020, but access to the records was refused due to an outstanding bill. The records were provided on September 14, 2020. OCR settled the case for $3,500. Read More…
Oklahoma State University – Center for Health Sciences
Oklahoma State University – Center for Health Sciences experienced a hacking incident that was reported to OCR in January 2018. The investigation revealed a failure to conduct an accurate risk analysis, noncompliance with the security incident response and reporting requirements of the HIPAA Security Rule, the failure to conduct an evaluation following changes that affected the security of ePHI, a lack of audit controls, breach notification delays, and the impermissible disclosure of the PHI of 279,865 individuals. The case was settled for $850,000. Read More…
Dr. Brockley
The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. After being notified by OCR about a proposed fine of $105,000, Dr. Brockley requested a hearing with an Administrative Law Judge, but settled out of court and agreed to a fine of $30,000. Read more…
Jacob & Associates
The California-based psychiatric medical services provider failed to provide a patient with timely access to the requested medical records and charged an unreasonable fee when the records were eventually provided. OCR also identified issues with the notice of privacy practices, and a HIPAA privacy officer had not been appointed. The case was settled, and a financial penalty of $28,000 was paid. Read more…
Northcutt Dental-Fairhope
The owner of the Fairhope, AL, dental practice impermissibly disclosed patients’ PHI to a campaign manager and a third-party marketing company in relation to a state senate election campaign. OCR also identified issues with the notice of privacy practices, and there was no HIPAA privacy officer. The case was settled for $62,500. Read more…
Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A
The dental practice with offices in Charlotte and Monroe, NC, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review. The failure to cooperate with the investigation and respond to an administrative subpoena resulted in a civil monetary penalty of $50,000. Read more…
HIPAA Violation Cases 2021
Advanced Spine & Pain Management
Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $32,150. Read more…
Denver Retina Center
Denver Retina Center, a Denver, CO-based provider of ophthalmological services, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $30,000. Read more…
Dr. Robert Glaser
Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, failed to provide a patient with timely access to the requested medical records after repeated requests. Dr. Glazer did not cooperate with OCR during the investigation, resulting in OCR imposing a civil monetary penalty of $100,000 for the HIPAA Right of Access violation. Read more…
Rainrock Treatment Center LLC (dba monte Nido Rainrock)
Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a Eugene, OR-based provider of residential eating disorder treatment services, failed to provide a patient with timely access to the requested medical records after repeated requests. The HIPAA Right of Access violation was settled with OCR for $160,000. Read more…
Wake Health Medical Group
Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $10,000. Read more…
Children’s Hospital & Medical Center
Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, received a request from a parent for access to her daughter’s medical records but only provided part of the requested information, despite repeated requests. CHMC settled the HIPAA Right of Access case with OCR and paid an $80,000 penalty. Read more…
The Diabetes, Endocrinology & Lipidology Center, Inc.
The Diabetes, Endocrinology & Lipidology Center, Inc., a West Virginia-based healthcare provider specializing in treating endocrine disorders, failed to provide a parent with a copy of her minor child’s protected health information within 30 days. The HIPAA Right of Access violation was settled with OCR for $5,000. Read more…
AEON Clinical Laboratories (Peachstate)
OCR investigated a breach reported by the Department of Veterans Affairs involving a business associate, Authentidate Holding Corporation. During the investigation, OCR discovered the business associate had acquired Peachstate, a CLIA-certified laboratory that provides clinical and genetic testing services. OCR investigated Peachstate and uncovered multiple potential violations of the HIPAA Security Rule. The case was settled with OCR for $25,000. Read more…
Village Plastic Surgery
Ridgewood, NJ-based Village Plastic Surgery failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $30,000. Read more…
Arbour Hospital
Arbour Hospital, a mental health clinic in Boston, MA, failed to provide a patient with the requested medical records within 30 days. OCR provided technical assistance, but received another complaint from the same patient that the records had still not been provided. The HIPAA Right of Access violation was settled with OCR for $65,000. Read more…
Sharp Healthcare
San Diego-based Sharp Healthcare, dba Sharp Rees-Stealy Medical Centers, failed to provide a patient’s medical records to a patient-specified third party for more than 2 months. OCR provided technical assistance and closed the case, but the records were still not provided. The HIPAA Right of Access violation was settled with OCR for $70,000. Read more…
Renown Health
Renown Health, a not-for-profit healthcare network in Northern Nevada, failed to provide a patient’s attorney with a copy of her medical and billing records within 30 days. The patient filed a complaint with OCR, and the records were eventually provided more than 10 months later. The HIPAA Right of Access violation was settled with OR for $75,000. Read more…
Excellus Health Plan
In 2015, Excellus Health Plan reported a breach of the ePHI of 9,358,891 individuals. OCR investigated and uncovered multiple potential violations of the HIPAA Rules: A risk analysis failure, a risk management failure, a lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. The case was settled for $5,100,000. Read More…
Banner Health
Phoenix, AZ-based Banner Health is one of the largest healthcare systems in the United States. OCR received two complaints from patients in 2019 alleging they had to wait several months to receive a copy of their medical records. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $200,000. Read More…
HIPAA Violation Cases 2020
Premera Blue Cross
Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest. In 2015, Premera discovered there had been a breach of the ePHI of 10,466,692 individuals. OCR investigated and found multiple potential HIPAA violations, such as the failure to conduct a thorough risk analysis, risk management failures, and insufficient mechanisms to identify suspicious network activity. The case was settled for $6,850,000. Read More…
CHSPSC LLC
CHSPSC LLC is a Tennessee-based management company that provides services to affiliates of Community Health Systems. In 2014, hackers accessed its systems and stole the ePHI of 6,121,158 individuals. OCR investigated and found multiple violations of the HIPAA Rules, including a delayed response to a known security breach, risk analysis and risk management failures, and a lack of procedures to monitor information system activity logs. The case was settled for $2,300,000. Read More…
Athens Orthopedic Clinic PA
Athens Orthopedic Clinic PA in Georgia had its systems hacked in 2016. The hacker stole data, attempted to extort money, and leaked the ePHI of 208,557 patients online when payment was not received. OCR investigated the incident and discovered risk analysis and risk management failures, insufficient information system activity logging and monitoring, missing business associate agreements, and employees had not been provided with HIPAA Privacy Rule training. The case was settled for $1,500,000. Read More…
Peter Wrobel, M.D., P.C., dba Elite Primary Care
Elite Primary Care is a provider of primary health services in Georgia. OCR received a complaint from a patient who alleged he had been denied access to his medical records. OCR intervened and provided technical assistance on the HIPAA Right of Access, but received a second complaint when the practice continued to deny him access. The case was settled for $36,000. Read More…
University of Cincinnati Medical Center
A patient of the University of Cincinnati Medical Center filed a complaint with OCR after not being provided with her requested records more than 13 weeks after submitting a request. OCR intervened and provided technical assistance on the HIPAA Right of Access, but received a second complaint when the records had still not been provided. The case was settled for $65,000. Read More…
Dr. Rajendra Bhayani
OCR received a complaint from a patient of Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology, alleging he had not provided a patient with a copy of her medical records. OCR intervened and closed the case, but received a second complaint a year later, alleging the records had still not been provided. The case was settled for $15,000. Read More…
Riverside Psychiatric Medical Group
OCR received a complaint from a patient of California-based Riverside Psychiatric Medical Group in March 2019, alleging he had not been provided with a copy of his medical records. OCR intervened but received a second complaint a month later when the records had still not been provided. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $25,000. Read More…
City of New Haven, CT
The city of New Haven in Connecticut was investigated over an incident where a former employee accessed its systems after termination and copied a file containing the ePHI of 498 individuals. OCR determined that the failure to terminate access rights when employment had ended was in violation of the HIPAA Security Rule. OCR also determined there had been a risk analysis failure, a failure to implement Privacy Rule policies, and unique IDs had not been provided to all employees to track information system activity. The case was settled for $202,400. Read More…
Aetna
Aetna Life Insurance Company and the affiliated covered entity (Aetna) were investigated over three data breaches that exposed the ePHI of 18,489 individuals. OCR’s investigation revealed periodic technical and non-technical evaluations of operational changes affecting the security of their electronic PHI had not been performed, procedures had not been implemented to verify the identity of individuals accessing their ePHI, there was a lack of ePHI safeguards, and Aetna had violated the minimum necessary standard. The case was settled for $1,000,000. Read More…
NY Spine
OCR received a complaint from a patient of NY Spine, a private New York medical practice, who alleged she had not been provided with a copy of the diagnostic films she requested. OCR intervened and provided technical assistance, but it took 16 months for the records to be provided. The case was settled for $100,000. Read More…
Dignity Health, dba St. Joseph’s Hospital and Medical Center
OCR investigated a complaint from a mother who requested a copy of her son’s medical records from St. Joseph’s Hospital and Medical Center, but had not been provided with a complete set of the records. After OCR intervened, the records were provided, but it took 22 months from the initial date of the request. The case was settled for $160,000. Read More…
Housing Works, Inc.
Housing Works, Inc. is a New York City-based non-profit healthcare organization that provides healthcare, homeless services, and legal aid support for people affected by HIV/AIDS. OCR received a complaint from a patient who had not been provided with a copy of his medical records. OCR intervened and closed the case, but received a second complaint a month later when the records had still not been provided. The case was settled for $38,000. Read More…
All Inclusive Medical Services, Inc.
All Inclusive Medical Services, Inc. (AIMS) is a Carmichael, CA-based multi-specialty family medicine clinic. OCR received a complaint from a patient who alleged AIMS refused to give her a copy of her medical records. OCR determined this violated the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $15,000. Read More…
Beth Israel Lahey Health Behavioral Services
Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. OCR received a complaint from a patient alleging BILHBS had not provided a copy of her father’s medical records. OCR intervened, and the records were provided 8 months after the initial request. The case was settled for $70,000. Read More…
King MD
King MD is a small provider of psychiatric services in Virginia. OCR received a complaint from a patient who had not been provided with her medical records after a 2-month wait. OCR intervened and closed the case but received a second complaint two months later when the records had still not been provided. The case was settled for $3,500. Read More…
Wise Psychiatry, PC
Wise Psychiatry is a small provider of psychiatric services in Colorado. A mother requested a copy of her son’s medical records, but the records had not been provided three months after she submitted the request. OCR intervened and closed the case, but received a second complaint 6 months after the first, stating the records had still not been provided. The case was settled for $10,000. Read More…
Lifespan Health System Affiliated Covered Entity
Lifespan Health System Affiliated Covered Entity is a Rhode Island healthcare provider. OCR conducted an investigation into an incident involving a stolen laptop that contained the ePHI of 20,431 patients. OCR determined that the lack of encryption was in violation of the HIPAA Security Rule, there were insufficient device and media controls, and a business associate agreement had not been entered into with its parent company. The case was settled for $1,040,000. Read More…
Metropolitan Community Health Services dba Agape Health Services
Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center. Operating as Agape Health Services, the company experienced a breach of the ePHI of 1,263 patients. OCR investigated and identified longstanding, systemic noncompliance with the HIPAA Security Rule, including risk analysis and risk management failures, and the failure to provide security awareness training to employees. The case was settled for $25,000. Read More…
Steven A. Porter, M.D
Steven A. Porter, M.D.’s gastroenterological practice in Ogden, UT reported a breach to OCR involving a medical record company that was blocking access to patients’ ePHI until a bill was paid. OCR investigated and found the EHR company had been allowed access to ePHI without signing a business associate agreement, and risk analysis and risk management failures. The case was settled for $100,000. Read More…
HIPAA Violation Cases 2019
West Georgia Ambulance
OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR discovered a risk analysis failure, the lack of a security awareness training program, and a failure to implement HIPAA Security Rule policies and procedures. The case was settled for $65,000. Read More…
Bayfront Health St. Petersburg
Bayfront Health St. Petersburg was investigated following the receipt of a complaint from a patient on August 14, 2018. The patient had requested a copy of her child’s fetal heart monitor records, but 9 months after the request had been submitted, the records still had not been provided. A settlement of $85,000 was agreed upon with OCR to resolve the HIPAA violation. This was OCR’s first settlement under the 2019 HIPAA Right of Access enforcement initiative. Read More…
Korunda Medical, LLC
In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The investigation confirmed there had been a HIPAA Right of Access failure. A settlement of $85,000 was agreed upon to resolve the violation. Read More…
University of Rochester Medical Center
OCR launched an investigation of the University of Rochester Medical Center following receipt of two breach reports concerning lost/stolen portable devices containing ePHI – a flash drive and a laptop computer. Technical assistance had previously been provided by OCR, but devices had still not been encrypted. In addition, OCR determined there had been risk analysis failures, a risk management failure, and a lack of device media controls. The case was settled for $3 million. Read More…
Sentara Hospitals
A patient submitted a complaint to OCR about an impermissible disclosure of PHI in a mailing. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. The OCR investigation determined that 577 patients had been affected, but Sentara Hospitals refused to update its breach notice to reflect the correct number of patients affected. OCR also discovered a business associate failure. The case was settled for $2.175 million. Read More…
Elite Dental Associates
A patient of Elite Dental Associates submitted a complaint to OCR stating her PHI had been disclosed by Elite Dental Associates in response to a review on Yelp. OCR investigated and discovered similar privacy violations had occurred when responding to patient reviews. The impermissible disclosures of PHI resulted in a $10,000 settlement. Read More…
Medical Informatics Engineering
Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure, and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general and paid a penalty of $900,000. Read More…
Touchstone Medical Imaging
On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals. The OCR investigation revealed a lack of business associate agreements, insufficient access rights, a risk analysis failure, a failure to respond to a security incident, a breach notification failure, and a media notification failure. The case was settled for $3 million. Read More…
Texas Department of Aging and Disability Services
The Department of Health and Human Services’ Office for Civil Rights (OCR) imposed a $1.6 million civil monetary penalty (CMP) on the Texas Health and Human Services Commission (TX HHSC) for multiple violations of HIPAA Rules discovered during the investigation of an exposed internal application containing ePHI. OCR determined there had been a risk analysis failure, access control failure, information system activity monitoring failure, and an impermissible disclosure of 6,617 patients’ ePHI. Read More…
Jackson Health System
OCR imposed a $2.154 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS), for a slew of violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. OCR determined its compliance program had been in disarray for several years. Read More…
HIPAA Violation Cases 2018
Cottage Health – Exposure of ePHI Over the Internet
OCR agreed to settle multiple alleged HIPAA violations with Cottage Health for $3,000,000. In 2013 and 2015, protections on servers were accidentally removed, and files containing ePHI could be accessed over the internet without the need for a username or password. The ePHI of 62,500 patients was exposed. OCR discovered risk analysis failures, risk management failures, a failure to conduct technical and non-technical evaluations following environmental or operational changes, and the disclosure of ePHI to a contractor without first entering into a business associate agreement. Read More…
Pagosa Springs Medical Center – Failure to Terminate Employee Access
OCR fined Pagosa Springs Medical Center $111,400 for the failure to terminate a former employee’s access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients’ ePHI. The medical center had also failed to enter into a BAA with a business associate. Read More…
Advanced Care Hospitalists – Multiple Compliance Failures Resulting in Impermissible PHI Disclosure
An OCR investigation into an impermissible disclosure of 9,255 individuals’ PHI by Advanced Care Hospitalists, a business associate of a HIPAA-covered entity, revealed serious HIPAA compliance failures including a lack of a BAA, insufficient security measures to protect ePHI, and no documentation showing there had been any HIPAA compliance efforts prior to April 1, 2014. A settlement of $500,000 was agreed upon to resolve the alleged HIPAA violations. Read More…
Allergy Associates of Hartford – PHI Disclosure to Reporter
OCR investigated a complaint about an impermissible disclosure of a patient’s PHI to a reporter. OCR confirmed that PHI had been disclosed without authorization from the patient and that there had been no sanctions against the physician responsible, despite being warned in advance not to disclose any PHI. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations. Read More…
Anthem Inc. – Multiple Compliance Failures Contributing to 78.8 Million Record Breach
An investigation into Anthem Inc.’s massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations. OCR determined there had been risk analysis failures, insufficient reviews of system activity, a failure to respond adequately to a detected breach, and insufficient technical controls to prevent unauthorized ePHI access. Anthem agreed to a record-breaking settlement of $16,000,000 to resolve the case. Read More…
Boston Medical Center – Filming Patients Without Consent
Boston Medical Center was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Boston Medical Center agreed to settle the alleged HIPAA violations with OCR for $100,000. Read More…
Brigham and Women’s Hospital – Filming Patients Without Consent
Brigham and Women’s Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Brigham and Women’s Hospital agreed to settle the alleged HIPAA violations with OCR for $384,000. Read More…
Massachusetts General Hospital – Filming Patients Without Consent
Massachusetts General Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Massachusetts General Hospital agreed to settle the alleged HIPAA violations with OCR for $515,000. Read More…
Filefax, Inc. – Failure to Protect Physical PHI
After the permanent closure of the company, paperwork containing former patients’ PHI was discarded by FileFax. The paperwork was taken by a member of the public who sold the material to a recycling facility. OCR determined there had been a failure to protect patient information, which resulted in an impermissible disclosure of 2,150 patient records. FileFax agreed to settle the alleged HIPAA violations for $100,000. Read More…
Fresenius Medical Care North America – Multiple Compliance Failures Contributing to 5 PHI Breaches
An investigation of five separate breaches at HIPAA-covered entities owned by Fresenius Medical Care North America revealed that multiple HIPAA violations had contributed to the breaches. OCR discovered risk analysis failures, a lack of policies covering electronic devices, a lack of encryption or alternative safeguards, insufficient security policies, and insufficient physical safeguards, resulting in an impermissible disclosure of 521 individuals’ PHI. Fresenius Medical Care North America settled the case for $3,500,000. Read More…
University of Texas MD Anderson Cancer Center –Impermissible Disclosures of PHI
OCR investigated three breaches involving the loss of a laptop computer and two unencrypted thumb drives containing patients’ PHI. OCR determined that there had been an impermissible disclosure of 34,883 patients’ ePHI due to a lack of encryption. The case was contested, but an administrative law judge ruled in favor of OCR. University of Texas MD Anderson Cancer Center was ordered to pay a civil monetary penalty of $4,348,000. Read More…
HIPAA Violation Cases 2017
Memorial Hermann Health System – Careless Handling of PHI
Memorial Hermann Health System agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights for $2.4 million. The settlement stems from an impermissible disclosure in a press release issued by MHHS in September 2015. Memorial Hermann Health System has agreed to pay OCR $2,400,000. Read More…
St. Luke’s-Roosevelt Hospital Center Inc. – Unauthorized Disclosure of PHI
The Department of Health and Human Services’ Office for Civil Rights announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. Read More…
The Center for Children’s Digestive Health – Lack of a Business Associate Agreement
The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. The Center for Children’s Digestive Health (CCDH); a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois, has agreed to pay OCR $31,000 to resolve potential HIPAA violations. Read More…
CardioNet – Impermissible Disclosure of PHI
A $2.5 million settlement has been agreed upon with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Settlements have previously been agreed upon with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. Read More…
Metro Community Provider Network – Lack of Security Management Process
The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. Read More…
Memorial Healthcare System – Insufficient ePHI Access Controls
OCR has announced that a $5.5 million settlement has been reached with Florida-based Memorial Healthcare Systems to resolve potential Privacy Rule and Security Rule violations. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance. Read More…
Children’s Medical Center of Dallas – Impermissible Disclosure of ePHI
The Department of Health and Human Services’ Office for Civil Rights has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. OCR attempted to resolve the matter via informal means between November 6, 2015, to August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. Read More…
MAPFRE Life Insurance Company of Puerto Rico – Impermissible Disclosure of ePHI
The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department, from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers, and dates of birth. The device was not protected by a password, and data on the device was not encrypted. MAPFRE has agreed to a $2,200,000 settlement with OCR. Read More…
Presense Health – Delayed Breach Notifications
Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. Presence Health took three months to issue breach notifications when the Breach Notification Rule requires notifications to be sent within 60 days of the discovery of a breach. Read More…
HIPAA Violation Cases 2016
University of Massachusetts Amherst – Failure to Manage Security Risks
The Department of Health and Human Services’ Office for Civil Rights has agreed to a $650,000 settlement with the University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. Read More…
St. Joseph Health – Failure to Conduct Risk Analysis
Exposure of ePHI as a direct result of the failure to conduct a comprehensive risk analysis and a security assessment on a server prior to using it to share files containing ePHI. The server had been purchased, and a file-sharing application was installed, yet no changes were made to the application. The default security settings were left in place, which allowed any individual with an Internet connection to gain access to the ePHI in the files. St. Joseph Health has agreed to pay OCR $2,140,500. Read More…
Care New England Health System – Lack of a Business Associate Agreement
The Department of Health and Human Services’ Office for Civil Rights has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. Read More…
Advocate Health Care Network – Multiple HIPAA Violations
OCR has just announced it has agreed to the largest ever HIPAA settlement with a single covered entity. Advocate Health Care Network will pay a record $5.55 million to settle multiple potential violations of the Health Insurance Portability and Accountability Act. The previous record was the $3.5 million settlement with Triple S Management Corporation, agreed in November 2015. Read More…
University of Mississippi Medical Center – Multiple HIPAA Violations
The Department of Health and Human Services’ Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also agreed to adopt a corrective action plan (CAP) to bring privacy and security standards up to the level required by HIPAA. Read More…
Oregon Health & Science University – Lack of a Business Associate Agreement
Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services’ Office for Civil Rights stemming from two data breaches experienced in 2013. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability. The privacy breaches occurred shortly after each other in 2013. Within the space of three months, the protected health information of over 7,000 patients was exposed. Read More…
Catholic Health Care Services of the Archdiocese of Philadelphia – Failure to Safeguard ePHI
Catholic Health Care Services of the Archdiocese of Philadelphia has agreed to settle alleged HIPAA violations with the OCR and implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS failed to perform a comprehensive risk analysis since September 23, 2013. CHCS also failed to implement appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(B). Read More…
New York Presbyterian Hospital – Filming Patients without Authorization
The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from patients. An ABC crew was permitted to film inside NYP facilities for the show “NY Med” featuring Dr. Mehmet Oz. A number of patients were filmed, but consent had not been obtained. Read More…
Raleigh Orthopaedic Clinic, P.A. of North Carolina – Lack of Business Associate Agreement
Raleigh Orthopaedic Clinic, P.A., of North Carolina, over alleged violations of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. Read More…
Feinstein Institute for Medical Research – Impermissible Disclosure of PHI
The Department of Health and Human Services’ Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. This is the second-largest settlement amount agreed with OCR. The data breach investigation revealed a substandard security management process and a catalog of HIPAA Security Rule violations. Read More…
North Memorial Health Care of Minnesota – Lack of a Business Associate Agreement
The Department of Health and Human Services’ Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. Read More…
Complete P.T., Pool & Land Physical Therapy, Inc. – Impermissible Disclosure of PHI
Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. Read More…
Lincare, Inc. – Failure to Safeguard PHI
For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule, which were discovered during the investigation of a complaint about a breach of 278 patient records. Read More…
HIPAA Violation Cases 2015
University of Washington Medicine – Failure to Conduct Risk Analysis
The University of Washington Medicine has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013. Read More…
Triple S Management Corporation – Multiple HIPAA Violations
Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services’ Office for Civil Rights. Triple S was also required to pay a HIPAA violation penalty of $6.8 million to the Puerto Rico Health Insurance Administration for a failure to comply with the Health Insurance Portability and Accountability Act’s Privacy Rule last year, although the HIPAA violation fine was reduced to $1.5 million on appeal. Read More…
Lahey Hospital and Medical Center – Multiple HIPAA Violations
The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights over alleged HIPAA violations following a data breach that occurred in October 2011. Lahey Hospital and Medical Center agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to adopt the OCR’s corrective action plan to address HIPAA-compliance issues discovered by OCR investigators. Read More…
Cancer Care Group, P.C. – Failure to Conduct Risk Analysis
Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000 for potential HIPAA violations relating to a 2012 data breach. In August 2012, Cancer Care Group discovered a laptop computer and an unencrypted backup drive had been stolen from the vehicle of an employee. The data breach exposed the Protected Health Information of 55,000 patients. Read More…
St. Elizabeth’s Medical Center – Multiple HIPAA Violations
A HIPAA settlement of $218,400 has been reached with St. Elizabeth Medical Center (SEMC) for violations of HIPAA Privacy, Security, and Breach Notification Rules. The settlement for HIPAA violations was reached with SEMC for violations that led to a document sharing system data breach that exposed 498 records, and a data breach involving the theft of a flash drive containing unencrypted data of 595 patients. Read More…
Cornell Prescription Pharmacy – Improper Disposal of PHI
OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records. Cornell Pharmacy is a single-location healthcare provider that mostly serves hospice care organizations in Denver and provides compound medications. Read More…
HIPAA Violation Cases 2014
Anchorage Community Mental Health Services – Failure to Manage Risks to ePHI
Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization. In 2012, it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. Had software patches been installed on the computers, the malware would not have been able to infect the PCs. ACMHS has agreed to settle the case with OCR for $150,000.
Parkview Health System, Inc. – Failure to Safeguard PHI
Parkview Healthcare System has agreed to pay an $800,000 settlement for a violation of the HIPAA Privacy Rule. The incident for which the fine has been issued dates back to 2009 when a data security complaint was filed by a patient of one of its doctors. The doctor was retiring and received a delivery of 71 boxes of medical files containing up to 8,000 patient records; however, the delivery was made, and the boxes were left on the doctor’s driveway while he was out of the house. Read More…
New York and Presbyterian Hospital and Columbia University – Failure to Conduct Risk Analysis
Office for Civil Rights has agreed to its largest-ever financial penalty for a violation of the Health Insurance Portability and Accountability Act’s Privacy and Security Rules. The data breach was caused when a computer server firewall was deactivated by a physician at Columbia University, leaving electronic PHI exposed and accessible via search engines. New York and Presbyterian Hospital (NYP) and Columbia University (CU) will jointly pay a penalty of $4,800,000. Read More…
QCA Health Plan, Inc., of Arkansas – Failure to Safeguard ePHI
QCA Health Plan, Inc. of Arkansas reported the theft of a laptop from a car that contained unencrypted data on 148 patients. OCR investigated the breach and discovered multiple violations of the HIPAA Privacy and Security Rules. QCA Health Plan has agreed to settle the HIPAA violations with OCR for $250,000. Read More…
Concentra Health Services – Failure to Safeguard ePHI
Following the report of the theft of a laptop from the Springfield, Missouri, Physical Therapy Center, Concentra Health Services was subjected to an investigation by the OCR. Documentation was uncovered that clearly showed that mobile devices were believed to represent a critical security risk, yet action was not taken to address this issue in time to prevent the data breach. Concentra has agreed to pay OCR $1,725,220 to resolve the case. Read More…
Skagit County, Washington – Failure to Safeguard ePHI
Skagit County, Washington, is paying the price for failing to implement the appropriate controls and safeguards to protect the data it held. Skagit County agreed to pay OCR $215,000 following the exposure of the data of seven individuals. Data were accessed by unknown third parties after ePHI data was unwittingly transferred to a server accessible to the public. Read More…
HIPAA Violation Cases 2013
Adult & Pediatric Dermatology, P.C. – Failure to Safeguard ePHI
Office for Civil Rights has issued a statement confirming that an agreement has been reached with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, following the accidental disclosure of approximately 2,200 patients after a memory stick was stolen from the car of one of the center’s employees. A settlement of $150,000 has been reached with OCR. Read More…
Affinity Health Plan, Inc. – Failure to Permanently Erase ePHI
The Office for Civil Rights has announced that a settlement of $1,215,780 has been reached with Affinity Health Plan, Inc., to resolve potential HIPAA violations discovered during a breach investigation. A digital photocopier was returned to a leasing company, but the PHI stored on its hard drive had not been erased before the device was returned. Read More…
WellPoint – Failure to Safeguard ePHI
WellPoint is one of the largest providers of Affiliated Health Plans, with almost 36 million policyholders across the United States. Between October 23, 2009, and March 7, 2010, part of its database of policyholders was accessible to unauthorized individuals. A settlement of $1,700,000 has been agreed upon with OCR to resolve the HIPAA violations that contributed to the cause of the breach. Read More…
Shasta Regional Medical Center – Disclosure of PHI Without Patient Consent
An article published in the LA Times started a sequence of events that has now resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. PHI had been intentionally provided to the media on three separate occasions. Read More…
Idaho State University – Failure to Safeguard ePHI
Idaho State University’s Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing the medical records of 17,500 patients. The firewall was inactive for a period of 10 months, leaving the data exposed and potentially accessible to unauthorized third parties for an unacceptable period of time. A settlement of $400,000 was agreed upon with OCR to resolve the HIPAA violations. Read More…
FAQs
How many HIPAA violation cases are there each year?
The number of alleged HIPAA violation cases received each year by HHS’ Office for Civil Rights varies. The most recent data available shows that in 2021, the agency received 34,077 complaints relating to privacy violations and 64,180 breach notifications. In the majority of cases, the agency resolves complaints without the need for an investigation or finds no HIPAA violation exists. However, up to 500 cases per year result in a fine and/or corrective action being required.
It is important to note that these figures only represent the complaints and notifications received by HHS’ Office for Civil Rights. Complaints can also be made to individual Covered Entities and State Attorneys General, but there is no public record of these.
How are the penalties for HIPAA violations calculated?
The penalties for HIPAA violations are calculated on the “factors considered in determining a civil monetary penalty” plus the “such other matters as justice may require” clause in 45 CFR §160.408. Generally, there are four HIPAA violation classifications that rank the level of an organization’s culpability, the organization’s attempts to mitigate the consequences of the violation, and the organization´s willingness to assist with an investigation.
Can you be fined more than once for the same violation?
You can be fined more than once for the same violation if an organization fails to take corrective action after having been issued an initial fine. An organization´s prior history with regard to HIPAA non-compliance can also be a contributory factor in the calculation of penalties for HIPAA violations, and a second or subsequent fine will likely be much larger than the first.
How do you know how much training to provide in order to avoid being in violation of HIPAA?
It can be difficult to know how much training to provide in order to avoid violating HIPAA because other than stipulating training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule), there are no specific HIPAA training requirements.
Your graphs indicate the penalties for HIPAA violations are increasing. Is this the case?
Although our graphs indicate the penalties for HIPAA violations are increasing, it is important to put the raw data into context. There are two key events to consider when looking at the timeline of penalties for HIPAA violations – the passage of the HITECH Act in 2009 which reversed the burden of proof for HIPAA violations, and the HIPAA Omnibus Rule in 2013 which enacted the passage of the HITECH Act making business associates liable for HIPAA violations that were their fault.
Are all the above cases real-life HIPAA violation cases?
All the above cases are real-life HIPAA violation cases that have been reported to and investigated by HHS’ Office for Civil Rights. As mentioned previously, there are many, many more real-life HIPAA violation cases that do not get published in the public domain because either they affect fewer than 500 individuals or they are resolved internally by the Covered Entity they are reported to.
Where can I find recent HIPAA violation cases?
Recent HIPAA violation cases that result in a civil monetary penalty are added to this page as soon as details are publicly available. For details of recent HIPAA violation cases that have not resulted in a civil monetary penalty, visit the HHS’ Breach Portal and click on the link to the Archive. This database contains thousands of HIPAA violation cases that have not resulted in a civil monetary penalty.
Have there been any HIPAA lawsuit cases?
HIPAA lawsuit cases are not recorded as such because HIPAA has no private right of action. However, there have been cases in which a HIPAA data breach is subsequently pursued in court in a civil lawsuit – the best example being the Anthem breach of 2014. More than 100 private class action lawsuits were filed against Anthem, the ultimately consolidated case being settled for $115 million.
Why are there not more HIPAA violations in the news?
The reason there are not more HIPAA violations in the news is that only a few violations each year justify column inches because of their nature or the size of the penalty imposed by the HHS’ Office for Civil Rights. Many HIPAA violations are not deliberate acts of theft, but rather mistakes that are resolved by the tightening up of security measures and further employee training.
Who investigates cases of HIPAA violations other than HHS’ Office for Civil Rights?
Cases of HIPAA violations are investigated most often by the Covered Entity to whom they are reported. Indeed, many Covered Entities don´t provide the contact details for HHS’ Office for Civil Rights on their Notices of Privacy Practices, so most complaints about HIPAA violations are reported directly to them rather than the HHS’ Office for Civil Rights or State Attorneys General.
Cases of HIPAA violations can also be reported internally by members of a Covered Entity’s workforce, and HIPAA requires Business Associates to report all security incidents to the Covered Entity – including those that do not constitute a HIPAA violation – so again, the Covered Entity gets to hear about violations first before deciding whether the events are notifiable.
HIPAA violations that are not violations of the Privacy, Security, and Breach Notification Rules are investigated by other federal agencies. For example, the Centers for Medicare and Medicaid Services investigates cases of Part 162 HIPAA violations, the Department of Labor investigates violations of HIPAA’s portability provisions, and the Federal Trade Commission investigates violations of the Breach Notification Rule by companies that are not Covered Entities or Business Associates.
What are the worst HIPAA violation cases?
The worst HIPAA violation cases are the ones that continue for long periods of time without being identified and corrected. This is especially true when individually identifiable health information is disclosed knowingly and wrongfully to commit identity theft and fraud, as this type of HIPAA violation case can impact individuals’ lives for many years.
Why have patients’ rights violation cases been prioritized?
Patients’ rights violation cases appear to have been prioritized in recent years because in 2019, HHS’ Office for Civil Rights announced a Right of Access enforcement initiative. The initiative aims to address issues related to patients being able to access a copy of their PHI and an Accounting of Disclosures to see who their PHI has been disclosed to up to six years previously.
Why are most HIPAA violation cases medical HIPAA violation cases?
Most HIPAA violation cases are medical HIPAA violation cases because there are many more medical facilities that qualify as Covered Entities, as there are health plans or healthcare clearinghouses that qualify as Covered Entities. There are more than 6,000 hospitals, 9,000 urgent care centers, and 27,000 pharmacies that qualify as Covered Entities in the U.S. compared to fewer than 1,000 covered health plans and healthcare clearinghouses combined.
What can Covered Entities learn from HIPAA violation stories?
What Covered Entities can learn from HIPAA violation stories about other Covered Entities is what measures they may need to implement to mitigate the risk of a violation or data breach. Some HIPAA violation stories are quite unique in how they happened or how their consequences could have been prevented, and hearing about these stories helps Covered Entities conduct better-informed risk analyses and implement reasonable and appropriate measures where necessary.
Is a breach of patient confidentiality a HIPAA violation?
A breach of patient confidentiality is not necessarily a HIPAA violation because some disclosures of PHI permitted by the Privacy Rule may be considered a breach of patient confidentiality by the patient, even though they are not. For example, under §164.512 of the Privacy Rule, there are a number of scenarios in which healthcare providers can disclose individually identifiable health information to public health agencies, law enforcement officers, and employers.
In addition to the above example, there may be times when a healthcare provider breaches patient confidentiality – but does not violate HIPAA – because the information being disclosed is not protected by the Privacy Rule. For example, if a healthcare provider maintains a database of names and telephone numbers – and there is no health information maintained in the same database – the names and telephone numbers are not Protected Health Information and not protected by the Privacy Rule.
The post HIPAA Violation Cases: Types & Consequences appeared first on The HIPAA Journal.
This page is regularly updated to reflect the latest healthcare data breach statistics. These statistics and graphs were last updated on August 27, 2025, and are based on data obtained from OCR up to and including July 31, 2025. Check back regularly to get the latest healthcare data breach statistics and healthcare data breach trends. You can view our 
