Comstar to Pay State AGs $515,000 to Settle Alleged HIPAA Violations

Comstar, a Massachusetts-based ambulance billing and collections company, has been investigated by the Massachusetts Attorney General, working with the Connecticut Attorney General, and alleged to have violated the Health Insurance Portability and Accountability Act (HIPAA) and the Massachusetts Data Security Regulations. Comstar has agreed to pay a $515,000 penalty to resolve the alleged violations.

Comstar was investigated over a March 2022 cyberattack and data breach. A threat actor breached its network, exfiltrated files, and deployed ransomware to encrypt data on the network. The attack was detected on March 26, 2022, but the forensic investigation determined that the ransomware group had first gained access a week earlier, on March 19, 2022. The investigation confirmed that protected health information (PHI) had been stolen, including names, Social Security numbers, driver’s license numbers, financial information, and medical assessment information. The PHI of 585,621 individuals was compromised in the attack, including 326,426 Massachusetts residents and 22,829 Connecticut residents.

The Rowley, Massachusetts-based company was also investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR), which determined that Comstar had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) stored on its systems. That alleged HIPAA violation was resolved in 2025 with a $75,000 settlement and a corrective action plan.

An investigation was also launched by the Massachusetts Attorney General to assess whether Comstar had complied with HIPAA, the Massachusetts Consumer Protection Act, the Massachusetts Data Security Regulations, and the Massachusetts Data Security Law. The Connecticut Attorney General partnered with the Massachusetts Attorney General in the investigation. Massachusetts Attorney General Andrea Campbell alleged that Comstar had violated HIPAA and the Massachusetts Data Security Regulations by failing to maintain an adequate Written Information Security Program (WISP), which should have allowed the company to identify and correct vulnerabilities and inadequacies in its data security program.

The consent judgment was filed in Suffolk Superior Court on January 28, 2026, and awaits court approval. If approved, Massachusetts will receive $415,000 and Connecticut $100,000. In addition to the financial penalty, Comstar is required to implement additional security measures: an effective WISP must be established and maintained, along with anti-phishing software, multifactor authentication, an intrusion detection/prevention system, and a security information and event management (SIEM) platform.

Comstar must also implement and maintain a comprehensive and accurate IT asset inventory, appropriate access controls, password policies requiring strong, unique passwords for all accounts, encryption of ePHI at rest and in transit, data loss prevention (DLP) software, a penetration testing program, and security software on all laptop and desktop computers. Comstar must also arrange for annual third-party security assessments for the next three years, and the Massachusetts and Connecticut Attorneys General require the third-party assessor to submit a report on the findings of each annual security risk assessment.

The post Comstar to Pay State AGs $515,000 to Settle Alleged HIPAA Violations appeared first on The HIPAA Journal.

HIPAA Violation Fines

HIPAA violation fines can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and by state attorneys general for failing to comply with the HIPAA regulations. In this article, we provide a detailed explanation of the HIPAA violation fines that have been imposed on HIPAA-regulated entities found to have violated the HIPAA Rules.


The Majority Of HIPAA Violation Fines are from Settlements

In the majority of cases, covered entities and business associates accept that there may have been failures to comply with certain elements of the HIPAA Rules, a settlement amount is agreed, and the case is resolved with no admission of liability. Alongside the settlement, a corrective action plan is issued to address the HIPAA failures. HIPAA-covered entities and business associates may instead disagree with the findings of the investigation and challenge the decision to impose a penalty; in such cases, they are given the opportunity to provide evidence to support a waiver of the penalty. If they are unsuccessful, a civil monetary penalty is imposed, which is typically higher than the amount they would have paid to settle the alleged violations. OCR does not impose a corrective action plan when a civil monetary penalty is imposed.

While OCR issues fines for HIPAA violations, attorneys general often choose to pursue financial penalties against HIPAA-regulated entities under state laws rather than HIPAA. Actions for violations of state laws tend to be easier to win, and the penalty structure at the state level may even allow higher financial penalties to be issued. Only a handful of states have exercised their right under HIPAA/HITECH to file lawsuits to pursue financial penalties for violations of HIPAA Rules against HIPAA-covered entities and their business associates, although all states have participated in at least one multi-state action.

Penalty Structure for HIPAA Violations

The penalty amounts are adjusted annually for inflation. The latest adjustment, published in the Federal Register on January 28, 2026, applies to penalties assessed on or after that date for violations that occurred after November 2, 2015. The inflation multiplier for 2025 set by the Office of Management and Budget (OMB) was 1.02598. OMB states that the multiplier should be applied no later than January 15, 2025, but HHS has determined that an exception applies and typically applies the annual increase much later; the 2025 multiplier, for instance, was not applied for more than a year. The current penalties for HIPAA violations in 2026 are detailed in the table below:

Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit
Tier 1 | Lack of knowledge (the entity did not know and, with reasonable diligence, could not have known of the violation) | $145 | $73,011 | $2,190,294
Tier 2 | Reasonable cause, not willful neglect | $1,461 | $73,011 | $2,190,294
Tier 3 | Willful neglect, corrected within 30 days | $14,602 | $73,011 | $2,190,294
Tier 4 | Willful neglect, not corrected within 30 days | $73,011 | $2,190,294 | $2,190,294

*Table last updated on January 28, 2026, and includes the cost-of-living adjustment multiplier for 2025 (1.02598). 

While the above table shows the official penalty amounts for HIPAA violations, OCR issued a Notice of Enforcement Discretion in April 2019 stating that the annual penalty limits in three of the four penalty tiers would be reduced following a reexamination of the language of the HITECH Act. The annual cap was changed to $25,000 for tier 1, $100,000 for tier 2, and $250,000 for tier 3, while the tier 4 cap remained unchanged at $1,500,000. These caps are also subject to inflation increases. The table below was calculated by The HIPAA Journal by applying the annual inflation increases to the caps in OCR’s Notice of Enforcement Discretion.

The official maximum penalty per violation in tier 1 ($73,011) is higher than the annual cap for that tier, because the Notice of Enforcement Discretion reduced only the annual cap, not the maximum penalty for a single violation; in practice the cap is therefore the effective per-violation maximum, which is what the table below shows. The discrepancy could be addressed if the reinterpreted penalty structure were formally adopted through rulemaking. Until then, the Notice remains in effect, but it is not legally binding and OCR can rescind it at any point. Further rulemaking to adopt the reinterpreted HITECH Act penalty structure is unlikely, as OCR is pushing Congress to increase the penalties for HIPAA violations to make them a more effective deterrent.

Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Cap
Tier 1 | Lack of knowledge | $145 | $36,505.50 | $36,505.50
Tier 2 | Reasonable cause | $1,461 | $73,011 | $146,053
Tier 3 | Willful neglect, corrected within 30 days | $14,602 | $73,011 | $365,052
Tier 4 | Willful neglect, not corrected within 30 days | $73,011 | $2,190,294 | $2,190,294

*Table last updated on January 28, 2026. 

State attorneys general can issue fines for HIPAA violations up to a maximum of $25,000 per violation category, per year. These penalties are also subject to annual adjustments for inflation.

Listed below are the HIPAA violation fines and settlements imposed by the HHS’ Office for Civil Rights since the HIPAA Enforcement Rule was signed into law, and enforcement actions by State Attorneys General for violations of the HIPAA Rules and equivalent state laws.

[Chart: OCR penalties for HIPAA violations, 2009-2025]

[Chart: Funds raised by OCR enforcement actions, 2008-2025]

2026 HIPAA Violation Fines and Settlements

The HHS’ Office for Civil Rights has yet to announce any HIPAA violation penalties in 2026.

2025 HIPAA Violation Fines and Settlements

Year Entity Amount Settlement/CMP Reason
2025 Concentra Inc. $112,500 Settlement HIPAA Right of Access violation
2025 Cadia Healthcare Facilities $182,000 Settlement Social media disclosure without authorization and Breach Notification Rule failure
2025 Syracuse ASC, dba Specialty Surgery Center of Central New York $250,000 Settlement Risk analysis failure; untimely data breach notifications to the HHS Secretary & individuals
2025 Deer Oaks – The Behavioral Health Solution $225,000 Settlement Risk analysis failure; impermissible disclosure of ePHI
2025 Comstar LLC $75,000 Settlement Risk analysis failure
2025 BayCare Health System $800,000 Settlement Information access management (minimum necessary standard), risk management, information system activity review
2025 Vision Upright MRI $5,000 Settlement HIPAA Risk Analysis violation, HIPAA breach notification violation
2025 Comprehensive Neurology $25,000 Settlement HIPAA Risk Analysis violation
2025 PIH Health $600,000 Settlement HIPAA Risk Analysis violation, impermissible disclosure of the ePHI of 189,763 individuals, failure to issue a media breach notice, failure to issue timely breach notifications to the HHS, and the affected patients
2025 Guam Memorial Hospital Authority $25,000 Settlement HIPAA Risk Analysis violation
2025 Northeast Radiology $350,000 Settlement HIPAA Risk Analysis violation
2025 Health Fitness Corporation $227,816 Settlement HIPAA Risk Analysis violation
2025 Oregon Health & Science University $200,000 Civil Monetary Penalty Violation of the HIPAA Right of Access
2025 Warby Parker, Inc. $1,500,000 Civil Monetary Penalty Violation of the HIPAA Security Rule: Risk analysis, risk management, and monitoring activity in information systems containing ePHI
2024 Northeast Surgical Group $10,000 Settlement Failure to conduct a HIPAA-compliant risk analysis
2024 Memorial Health System $60,000 Settlement Violation of the HIPAA Right of Access
2024 Solara Medical Supplies $3,000,000 Settlement Risk analysis failure, risk management failure, breach notification failure, and the impermissible disclosure of the ePHI of 114,007 individuals and, in a separate incident, 1,531 individuals.
2024 USR Holdings $337,750 Settlement Risk analysis failure, failure to record activity in information systems, lack of procedures for creating and maintaining retrievable exact copies of ePHI, and the impermissible disclosure of the ePHI of 2,903 individuals
2024 Virtual Private Network Solutions $90,000 Settlement Risk analysis failure
2024 Elgon Information Systems $80,000 Settlement Risk analysis failure

2024 HIPAA Violation Fines and Settlements

The OCR Director provided an end-of-year update on December 31, 2024, confirming that 22 investigations of data breaches and complaints resulted in civil monetary penalties or settlements in 2024, one of the busiest years for HIPAA enforcement; however, only 16 of those enforcement actions were announced in 2024. The remaining six were announced by OCR in early January 2025, before the change of administration, and are listed at the end of the 2025 table above.

Year Entity Amount Settlement/CMP Reason
2024 Inmediata Health Group $250,000 Settlement Risk analysis failure, failure to monitor activity in information systems, impermissible disclosure of the ePHI of 1,565,338 individuals
2024 Children’s Hospital Colorado Health System $548,265 Civil Monetary Penalty Failure to provide HIPAA Privacy Rule training to 6,666 workforce members; failure to conduct a thorough and accurate risk analysis; impermissible disclosure of ePHI of 10,840 individuals
2024 Holy Redeemer Family Medicine $35,581 Settlement Impermissible disclosure of a patient’s medical records
2024 Rio Hondo Community Mental Health Center $100,000 Civil Monetary Penalty Failure to provide timely access to medical records (7 months)
2024 Bryan County Ambulance Authority $90,000 Settlement Never conducted a risk analysis
2024 Plastic Surgery Associates of South Dakota $500,000 Settlement Risk analysis failure; risk management failure; no analysis of logs of system activity; no policies for dealing with a security incident
2024 Gums Dental Care $70,000 Civil Monetary Penalty Failure to provide timely access to medical records
2024 Providence Medical Institute $240,000 Civil Monetary Penalty Failure to only allow authorized persons or software programs access to ePHI; lack of a business associate agreement
2024 Cascade Eye and Skin Centers $250,000 Settlement Risk analysis failure; failure to review records of system activity
2024 American Medical Response $115,200 Civil Monetary Penalty Failure to provide timely access to medical records (370 days)
2024 Heritage Valley Health System $950,000 Settlement Failure to conduct a risk analysis, lack of policies/procedures for responding to an emergency, and a lack of technical policies and procedures for restricting access to systems containing ePHI.
2024 Essex Residential Care (Hackensack Meridian Health, West Caldwell Care Center) $100,000 Civil Monetary Penalty Failure to provide timely access to medical records.
2024 Phoenix Healthcare $35,000 Settlement Failure to provide timely access to medical records.
2024 Green Ridge Behavioral Health $40,000 Settlement Failure to conduct a comprehensive risk analysis, failure to reduce risks to ePHI, lack of policies and procedures for monitoring activity in information systems containing ePHI, and an impermissible disclosure of the ePHI of 14,000 individuals.
2024 Montefiore Medical Center $4,750,000 Settlement Failure to conduct a comprehensive risk analysis, failure to implement procedures to regularly review records of information system activity, and the failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.

2023 HIPAA Violation Fines and Settlements

Year Entity Amount Settlement/CMP Reason
2023 Optum Medical Care of New Jersey $160,000 Settlement Failure to provide 6 patients with timely access to their medical records.
2023 Lafourche Medical Group $480,000 Settlement No risk analysis prior to a 2021 security breach, and no procedures to regularly review logs of system activity prior to the breach.
2023 St. Joseph’s Medical Center $80,000 Settlement A reporter was allowed access to 3 patients and their clinical information without first obtaining authorizations from the patients.
2023 Doctors’ Management Services $100,000 Settlement Risk analysis, review records of system activity, reasonable and appropriate policies/procedures to comply with the HIPAA Security Rule, and an impermissible disclosure of the PHI of 206,695 individuals
2023 L.A. Care Health Plan $1,300,000 Settlement Risk analysis, insufficient security measures, insufficient reviews of records of information system activity, insufficient evaluations in response to environmental/operational changes, insufficient recording and examination of activity in information systems, impermissible disclosure of the ePHI of 1,498 individuals.
2023 UnitedHealthcare $80,000 Settlement HIPAA Right of Access Failure
2023 iHealth Solutions, dba Advantum Health $75,000 Settlement Failure to secure a server, resulting in the theft of ePHI. Risk analysis failure and the impermissible disclosure of the ePHI of 267 individuals.
2023 Yakima Valley Memorial Hospital $240,000 Settlement 23 security guards in the emergency department snooped on the medical records of 419 patients. OCR determined there was a lack of HIPAA policies and procedures.
2023 Manasa Health Center, LLC $30,000 Settlement Impermissible disclosure of the PHI of 4 individuals in response to negative Google Reviews. Failure to implement HIPAA Privacy and Breach Notification Rule policies and procedures
2023 MedEvolve Inc. $350,000 Settlement Impermissible disclosure of the PHI of 230,572 individuals. No BAA with a subcontractor, incomplete risk analysis
2023 David Mente, MA, LPC $15,000 Settlement HIPAA Right of Access failure
2023 Banner Health $1,250,000 Settlement Risk analysis, reviews of system activity, verification of identity for access to PHI, and lack of technical safeguards
2023 Life Hope Labs, LLC $16,500 Settlement HIPAA Right of Access failure

2022 HIPAA Violation Fines and Settlements

Year Entity Amount Settlement/CMP Reason
2022 Health Specialists of Central Florida Inc $20,000 Settlement HIPAA Right of Access failure
2022 New Vision Dental $23,000 Settlement Impermissible PHI disclosure, notice of privacy practices, and releasing PHI on social media
2022 Great Expressions Dental Center of Georgia, P.C. $80,000 Settlement HIPAA Right of Access failure (delay/fee)
2022 Family Dental Care, P.C. $30,000 Settlement HIPAA Right of Access failure
2022 B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental $25,000 Settlement HIPAA Right of Access failure
2022 New England Dermatology and Laser Center $300,640 Settlement Improper disposal of PHI, failure to maintain appropriate safeguards
2022 ACPM Podiatry $100,000 Civil Monetary Penalty HIPAA Right of Access failure
2022 Memorial Hermann Health System $240,000 Settlement HIPAA Right of Access failure
2022 Southwest Surgical Associates $65,000 Settlement HIPAA Right of Access failure
2022 Hillcrest Nursing and Rehabilitation $55,000 Settlement HIPAA Right of Access failure
2022 MelroseWakefield Healthcare $55,000 Settlement HIPAA Right of Access failure
2022 Erie County Medical Center Corporation $50,000 Settlement HIPAA Right of Access failure
2022 Fallbrook Family Health Center $30,000 Settlement HIPAA Right of Access failure
2022 Associated Retina Specialists $22,500 Settlement HIPAA Right of Access failure
2022 Coastal Ear, Nose, and Throat $20,000 Settlement HIPAA Right of Access failure
2022 Lawrence Bell, Jr. D.D.S $5,000 Settlement HIPAA Right of Access failure
2022 Danbury Psychiatric Consultants $3,500 Settlement HIPAA Right of Access failure
2022 Oklahoma State University – Center for Health Sciences $875,000 Settlement Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals
2022 Dr. Brockley $30,000 Settlement HIPAA Right of Access
2022 Jacob & Associates $28,000 Settlement HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer
2022 Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., $50,000 Civil Monetary Penalty Impermissible disclosure on social media
2022 Northcutt Dental-Fairhope $62,500 Settlement Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer

2021 HIPAA Violation Fines and Settlements

Year Entity Amount Settlement/CMP Reason
2021 Advanced Spine & Pain Management $32,150 Settlement HIPAA Right of Access failure
2021 Denver Retina Center $30,000 Settlement HIPAA Right of Access failure
2021 Dr. Robert Glaser $100,000 Civil Monetary Penalty HIPAA Right of Access failure
2021 Rainrock Treatment Center LLC (dba Monte Nido Rainrock) $160,000 Settlement HIPAA Right of Access failure
2021 Wake Health Medical Group $10,000 Settlement HIPAA Right of Access failure
2021 Children’s Hospital & Medical Center $80,000 Settlement HIPAA Right of Access failure
2021 The Diabetes, Endocrinology & Lipidology Center, Inc. $5,000 Settlement HIPAA Right of Access failure
2021 AEON Clinical Laboratories (Peachstate) $25,000 Settlement HIPAA Security Rule failures (risk assessment, risk management, audit controls, and lack of documentation of HIPAA Security Rule policies and procedures)
2021 Village Plastic Surgery $30,000 Settlement HIPAA Right of Access failure
2021 Arbour Hospital $65,000 Settlement HIPAA Right of Access failure
2021 Sharpe Healthcare $70,000 Settlement HIPAA Right of Access failure
2021 Renown Health $75,000 Settlement HIPAA Right of Access failure
2021 Excellus Health Plan $5,100,000 Settlement Multiple violations: Risk analysis failure, risk management failure, lack of information system activity reviews, lack of technical policies to prevent unauthorized ePHI access, and a breach of 9,358,891 records.
2021 Banner Health $200,000 Settlement HIPAA Right of Access failure

2020 HIPAA Violation Fines and Settlements

Year Entity Amount Settlement/CMP Reason
2020 Peter Wrobel, M.D., P.C., dba Elite Primary Care $36,000 Settlement HIPAA Right of Access failure
2020 University of Cincinnati Medical Center $65,000 Settlement HIPAA Right of Access failure
2020 Dr. Rajendra Bhayani $15,000 Settlement HIPAA Right of Access failure
2020 Riverside Psychiatric Medical Group $25,000 Settlement HIPAA Right of Access failure
2020 City of New Haven, CT $202,400 Settlement Failure to terminate access rights, risk analysis failure, failure to implement Privacy Rule policies, failure to issue unique IDs, impermissible disclosure of the PHI of 498 individuals
2020 Aetna $1,000,000 Settlement Failure to conduct an evaluation in response to environmental or operational changes affecting ePHI security, identity check failure, minimum necessary information failure, lack of admin, technical, and physical safeguards
2020 NY Spine $100,000 Settlement HIPAA Right of Access failure
2020 Dignity Health, dba St. Joseph’s Hospital and Medical Center $160,000 Settlement HIPAA Right of Access failure
2020 Premera Blue Cross $6,850,000 Settlement Risk assessment failure, risk management failure, insufficient hardware and software controls
2020 CHSPSC LLC $2,300,000 Settlement Risk analysis failure, failure to implement information system activity reviews, security incident procedure failure, and insufficient access controls.
2020 Athens Orthopedic Clinic PA $1,500,000 Settlement Failures to conduct a risk analysis, risk management failure, lack of audit controls, no HIPAA policies and procedures, lack of business associate agreements, and no HIPAA Privacy Rule training to the workforce.
2020 Housing Works, Inc. $38,000 Settlement HIPAA Right of Access failure
2020 All Inclusive Medical Services, Inc. $15,000 Settlement HIPAA Right of Access failure
2020 Beth Israel Lahey Health Behavioral Services $70,000 Settlement HIPAA Right of Access failure
2020 King MD $3,500 Settlement HIPAA Right of Access failure
2020 Wise Psychiatry, PC $10,000 Settlement HIPAA Right of Access failure
2020 Lifespan Health System Affiliated Covered Entity $1,040,000 Settlement Lack of encryption, device and media controls, and business associate agreement failures.
2020 Metropolitan Community Health Services dba Agape Health Services $25,000 Settlement Systemic noncompliance with the HIPAA Security Rule
2020 Steven A. Porter, M.D $100,000 Settlement Risk analysis and risk management failures

2019 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2019 West Georgia Ambulance $65,000 Settlement Risk analysis failure, no security awareness training program, and a failure to implement HIPAA Security Rule policies and procedures.
2019 Korunda Medical, LLC $85,000 Settlement HIPAA Right of Access failure.
2019 Sentara Hospitals $2,175,000 Settlement Breach notification failure; business associate agreement failure
2019 University of Rochester Medical Center $3,000,000 Settlement Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls.
2019 Elite Dental Associates $10,000 Settlement Social media disclosure, notice of privacy practices, and impermissible PHI disclosure.
2019 Bayfront Health St Petersburg $85,000 Settlement HIPAA Right of Access failure
2019 Medical Informatics Engineering $100,000 Settlement Risk analysis failure; impermissible disclosure of 3.5 million records
2019 Touchstone Medical Imaging $3,000,000 Settlement No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI.
2019 Texas Department of Aging and Disability Services $1,600,000 Civil Monetary Penalty Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients’ ePHI
2019 Jackson Health System $2,154,000 Civil Monetary Penalty Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations

2018 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2018 Fresenius Medical Care North America $3,500,000 Settlement Risk analysis failures, impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards
2018 Filefax, Inc. $100,000 Settlement Impermissible disclosure of PHI
2018 University of Texas MD Anderson Cancer Center $4,348,000 Civil Monetary Penalty Impermissible disclosure of ePHI; No Encryption
2018 Massachusetts General Hospital $515,000 Settlement Filming patients without consent
2018 Brigham and Women’s Hospital $384,000 Settlement Filming patients without consent
2018 Boston Medical Center $100,000 Settlement Filming patients without consent
2018 Anthem Inc $16,000,000 Settlement Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access
2018 Allergy Associates of Hartford $125,000 Settlement PHI disclosure to a reporter; No sanctions against employees
2018 Advanced Care Hospitalists $500,000 Settlement Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014
2018 Pagosa Springs Medical Center $111,400 Settlement Failure to terminate employee access; No BAA
2018 Cottage Health $3,000,000 Settlement Risk analysis failure; Risk management failure; No BAA

2017 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2017 21st Century Oncology $2,300,000 Settlement Multiple HIPAA Violations
2017 Memorial Hermann Health System $2,400,000 Settlement Careless Handling of PHI
2017 St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement Unauthorized Disclosure of PHI
2017 The Center for Children’s Digestive Health $31,000 Settlement Lack of a Business Associate Agreement
2017 Cardionet $2,500,000 Settlement Impermissible Disclosure of PHI
2017 Metro Community Provider Network $400,000 Settlement Lack of Security Management Process
2017 Memorial Healthcare System $5,500,000 Settlement Insufficient ePHI Access Controls
2017 Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty Impermissible Disclosure of ePHI
2017 MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement Impermissible Disclosure of ePHI
2017 Presence Health $475,000 Settlement Delayed Breach Notifications

2016 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2016 University of Massachusetts Amherst (UMass) $650,000 Settlement Failure to Manage Security Risks
2016 St. Joseph Health $2,140,500 Settlement Failure to Conduct Risk Analysis
2016 Care New England Health System $400,000 Settlement Lack of a Business Associate Agreement
2016 Advocate Health Care Network $5,550,000 Settlement Multiple HIPAA Violations
2016 University of Mississippi Medical Center $2,750,000 Settlement Multiple HIPAA Violations
2016 Oregon Health & Science University $2,700,000 Settlement Lack of a Business Associate Agreement
2016 Catholic Health Care Services of the Archdiocese of Philadelphia $650,000 Settlement Failure to Safeguard ePHI
2016 New York Presbyterian Hospital $2,200,000 Settlement Filming Patients without Authorization
2016 Raleigh Orthopaedic Clinic, P.A. of North Carolina $750,000 Settlement Lack of Business Associate Agreement
2016 Feinstein Institute for Medical Research $3,900,000 Settlement Impermissible Disclosure of PHI
2016 North Memorial Health Care of Minnesota $1,550,000 Settlement Lack of a Business Associate Agreement
2016 Complete P.T., Pool & Land Physical Therapy, Inc. $25,000 Settlement Impermissible Disclosure of PHI
2016 Lincare, Inc. $239,800 Civil Monetary Penalty Failure to Safeguard PHI

2015 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2015 University of Washington Medicine $750,000 Settlement Failure to Conduct Risk Analysis
2015 Triple S Management Corporation $3,500,000 Settlement Multiple HIPAA Violations
2015 Lahey Hospital and Medical Center $850,000 Settlement Multiple HIPAA Violations
2015 Cancer Care Group, P.C. $750,000 Settlement Failure to Conduct Risk Analysis
2015 St. Elizabeth’s Medical Center $218,400 Settlement Multiple HIPAA Violations
2015 Cornell Prescription Pharmacy $125,000 Settlement Improper Disposal of PHI

2014 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2014 Anchorage Community Mental Health Services $150,000 Settlement Failure to Manage Risks to ePHI
2014 Parkview Health System, Inc. $800,000 Settlement Failure to Safeguard PHI
2014 New York and Presbyterian Hospital and Columbia University $4,800,000 Settlement Failure to Conduct Risk Analysis
2014 QCA Health Plan, Inc., of Arkansas $250,000 Settlement Failure to Safeguard ePHI
2014 Concentra Health Services $1,725,220 Settlement Failure to Safeguard ePHI
2014 Skagit County, Washington $215,000 Settlement Failure to Safeguard ePHI

2013 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2013 Adult & Pediatric Dermatology, P.C. $150,000 Settlement Failure to Safeguard ePHI
2013 Affinity Health Plan, Inc. $1,215,780 Settlement Failure to Permanently Erase ePHI
2013 WellPoint $1,700,000 Settlement Failure to Safeguard ePHI
2013 Shasta Regional Medical Center $275,000 Settlement Disclosure of PHI Without Patient Consent
2013 Idaho State University $400,000 Settlement Failure to Safeguard ePHI

2012 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2012 The Hospice of Northern Idaho $50,000 Settlement Theft of an Unencrypted Laptop
2012 Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. $1,500,000 Settlement Multiple HIPAA Violations
2012 Alaska DHSS $1,700,000 Settlement Failure to Perform Risk Analysis/Risk Management Failures
2012 Phoenix Cardiac Surgery $100,000 Settlement Lack of HIPAA Safeguards
2012 Blue Cross Blue Shield of Tennessee $1,500,000 Settlement Failure to Implement Appropriate Administrative Safeguards

2011 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2011 University of California at Los Angeles Health System $865,500 Settlement Failure to Restrict Access to Medical Records
2011 General Hospital Corp. & Massachusetts General Physicians Organization Inc. $1,000,000 Settlement Failure to Safeguard PHI
2011 Cignet Health of Prince George’s County $4,300,000 Civil Monetary Penalty Denying Patients Access to Medical Records

2010 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2010 Management Services Organization Washington Inc. $35,000 Settlement Risk Analysis Failures / Insufficient Security Measures
2010 Rite Aid Corporation $1,000,000 Settlement Multiple HIPAA Violations

2009 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2009 CVS Pharmacy Inc. $2,250,000 Settlement Multiple HIPAA Violations

2008 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2008 Providence Health & Services $100,000 Settlement Failure to Implement Appropriate Administrative Safeguards

State Attorneys General HIPAA Fines and Settlements

State attorneys general have the authority to impose financial penalties for HIPAA violations, but oftentimes, while HIPAA has been violated, fines are imposed for violations of state laws. The list below includes civil monetary penalties and settlements that have been imposed for HIPAA violations and/or violations of equivalent state laws.

Cases have been included if there have been potential violations of HIPAA Rules, even if the financial penalty was issued for violations of state laws.

Year State Entity Amount Individuals affected Reason
2026 Massachusetts & Connecticut Comstar LLC $515,000 585,621 individuals (326,426 Massachusetts residents & 22,829 Connecticut residents) Violations of the HIPAA Security Rule and the Massachusetts Data Security Regulations
2025 New York Orthopedics NY LLP $500,000 656,086 Violations of the HIPAA Security Rule and state healthcare privacy and security laws
2024 Indiana Westend Dental $350,000 Unknown Violations of the HIPAA Privacy, Security & Breach Notification Rules; Indiana Disclosure of Security Breach Act; Indiana Deceptive Consumer Sales Act
2024 New York HealthAlliance $1,400,000 ($850,000 suspended) 242,641 Violations of New York Business and Executive Law
2024 New York Albany ENT & Allergy Services $1,000,000 ($500,000 suspended); $2.24M investment in cybersecurity 213,935 Violations of New York Business and Executive Law
2024 New York, New Jersey, Connecticut Enzo Biochem/Enzo Clinical Labs $4,500,000 2,400,000 Violations of 12 provisions of the HIPAA Security Rule and a violation of New York General Business Law
2024 Washington Allure Esthetic $5,000,000 21,000 Falsification of online reviews, illegal non-disclosure agreements, and forcing patients to give up HIPAA rights
2024 California Adventist Health Hanford $10,000 2 Alleged unlawful disclosures of patient information to law enforcement
2024 California Blackbaud $6,750,000 5,500,000 Failure to implement appropriate safeguards to ensure data security and breach response failures – Violations of the HIPAA Security Rule, Breach Notification Rule, and state consumer protection laws
2024 California Quest Diagnostics $5,000,000 and an investment of $1.2 million in cybersecurity Unconfirmed Illegal disposal of hazardous waste, medical waste, and patients’ personal health information
2024 New York Refuah Health Center Inc. $450,000 and an investment of $1.2 million in cybersecurity 260,740 Multiple violations of the HIPAA Security Rule, violation of the HIPAA Breach Notification Rule, and violations of New York Business Law
2023 New York New York Presbyterian Hospital $300,000 54,396 Violation of the HIPAA Privacy Rule and New York Executive Law due to the use of pixels and other website tracking tools that disclosed PHI to third parties.
2023 New York Healthplex $400,000 89,955 (62,922 New York residents) Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments)
2023 Indiana CarePointe ENT $120,000 48,742 Failure to address known vulnerabilities and a business associate agreement failure.
2023 New York U.S. Radiology Specialists $450,000 198,260 (92,540 New York residents) A failure to upgrade hardware to address a known vulnerability in a reasonable time frame.
2023 New York Personal Touch Holding Corp $350,000 753,107 (316,845 New York residents) Only had an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training.
2023 Multistate (32 states and PR) Inmediata $1.4 million 1,565,338 Failure to implement appropriate safeguards to ensure data security and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state breach notification laws
2023 Multistate (49 states and DC) Blackbaud $49.5 million 5,500,000 Violations of HIPAA and state consumer protection laws: Lack of adequate safeguards for protecting sensitive information, and breach response/ notification failures.
2023 Colorado Broomfield Skilled Nursing and Rehabilitation Center $60,000 ($25,000 suspended) 677 Violations of HIPAA data encryption requirements, state data protection laws, and deceptive trading practices.
2023 Indiana Schneck Medical Center $250,000 89,707 Violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule; Indiana Disclosure of Security Breach Act; Indiana Deceptive Consumer Sales Act.
2023 California Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals $49,000,000 7,700 Violations of the HIPAA Rules, California Hazardous Waste Control Law, Medical Waste Management Act, California Confidentiality of Medical Information Act, California Customer Records Law, and California Unfair Competition Law
2023 California Kaiser Permanente $450,000 167,095 Impermissible disclosure of PHI and negligent maintenance or disposal of PHI in violation of the California Confidentiality of Medical Information Act (CMIA)
2023 New York Professional Business Systems Inc (dba Practicefirst Medical Management Solutions and PBS Medcode Corp) $550,000 1,200,000 Data security failures: Patch management, data encryption, vulnerability scans, and penetration tests
2023 Oregon, New Jersey, Florida, Pennsylvania EyeMed Vision Care $2,500,000 2,100,000 Data security failures, including access controls
2023 New York Heidell, Pittoni, Murphy & Bach LLP $200,000 61,438 Violation of 17 HIPAA Privacy and Security Rule provisions
2023 Pennsylvania/Ohio DNA Diagnostics Center $400,000 2,100,000 Lack of safeguards, failure to update asset inventory, and failure to disable/remove assets not used for business purposes.
2022 Oregon/Utah Avalon Healthcare $200,000 14,500 Breach notification delay and information security program failures
2022 Massachusetts Aveanna Healthcare $425,000 166,000 Lack of security safeguards to combat phishing, including no multifactor authentication
2022 New York EyeMed Vision Care $600,000 2,100,000 Multiple violations of HIPAA and New York General Business Law.
2021 New Jersey Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) $425,000 105,000 Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program.
2021 New Jersey Command Marketing Innovations, LLC and Strategic Content Imaging LLC $130,000 (Plus $65,000 suspended) 55,715 Failure to ensure the confidentiality of PHI, lack of PHI safeguards, and a failure to review security measures following changes to procedures.
2021 New Jersey Diamond Institute for Infertility and Menopause $495,000 14,663 Multiple Privacy Rule and Security Rule failures, and violations of the Consumer Fraud Act.
2021 Multistate American Medical Collection Agency $21 million (suspended) 21,000,000 Security failures, including the failure to detect a data breach.
2020 Multistate CHSPSC LLC $5,000,000 6,100,000 Failure to implement and maintain reasonable security practices
2020 Multistate Anthem Inc $48.2 million 78,000,000 Multiple violations of HIPAA and state laws
2019 Multistate Premera Blue Cross $10,000,000 10,400,000 Multiple HIPAA violations
2019 Multistate Medical Informatics Engineering $900,000 3,500,000 Multiple HIPAA violations
2019 CA Aetna $935,000 1,991 2 mailings exposed PHI (Afib, HIV)
2018 MA McLean Hospital $75,000 1,500 Loss of backup tapes
2018 NJ EmblemHealth $100,000 81,000 Mailing error exposed SSNs
2018 NJ Best Transcription Medical $200,000 1,650 Exposure of ePHI via search engines
2018 CT Aetna $99,959 13,160 2 mailings exposed PHI (Afib, HIV data)
2018 NJ Aetna $365,211.59 13,160 2 mailings exposed PHI (Afib, HIV data)
2018 DC Aetna $175,000 13,160 2 mailings exposed PHI (Afib, HIV data)
2018 MA UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000 Failure to secure ePHI and multiple breaches
2018 NY Arc of Erie County $200,000 3,751 Failure to secure ePHI
2018 NJ Virtua Medical Group $417,816 1,654 Multiple violations of HIPAA Rules
2018 NY EmblemHealth $575,000 81,122 Impermissible disclosure of ePHI
2018 NY Aetna $1,150,000 12,000 2 mailings exposed PHI (Afib, HIV data)
2017 CA Cottage Health System $2,000,000 >54,000 Failure to adequately protect medical records
2017 MA Multi-State Billing Services $100,000 2,600 Theft of an unencrypted laptop containing PHI
2017 NJ Horizon Healthcare Services Inc. $1,100,000 3,700,000 Loss of unencrypted laptop computers
2017 VT SAManage USA, Inc. $264,000 660 Spreadsheet indexed by search engines and PHI viewable
2017 NY CoPilot Provider Support Services, Inc $130,000 221,178 Delayed breach notification
2015 NY University of Rochester Medical Center $15,000 3,403 A list of patients was provided to a nurse who took it to a new employer
2015 CT Hartford Hospital/ EMC Corporation $90,000 8,883 Theft of an unencrypted laptop containing PHI
2014 MA Women & Infants Hospital of Rhode Island $150,000 12,000 Loss of backup tapes containing PHI
2014 MA Boston Children’s Hospital $40,000 2,159 Loss of a laptop containing PHI
2014 MA Beth Israel Deaconess Medical Center $100,000 3,796 Loss of a laptop containing PHI
2013 MA Goldthwait Associates $140,000 67,000 Improper disposal
2012 MN Accretive Health $2,500,000 24,000 Mishandling of PHI
2012 MA South Shore Hospital $750,000 800,000 Loss of backup tapes containing PHI
2011 VT Health Net Inc. $55,000 1,500,000 Loss of unencrypted hard drive/delayed breach notifications
2011 IN WellPoint Inc. $100,000 32,000 Failure to report a breach in a reasonable timeframe
2010 CT Health Net Inc. $250,000 1,500,000 Loss of unencrypted hard drive/delayed breach notifications

FAQs About HIPAA Violation Fines

Does the above list represent all the HIPAA violation fines issued by OCR?

As of June 2022, despite receiving more than 300,000 complaints and reports of data breaches, the HHS' Office for Civil Rights has only issued fines or agreed settlements in 110 cases. Most of the other cases, in which a violation of HIPAA is considered to have occurred, have been resolved by technical assistance and/or corrective action plans.

Can OCR also pursue criminal charges for violations of HIPAA?

If the Office for Civil Rights reviews a case and believes there are grounds for a possible criminal conviction, the case is referred to the Department of Justice. The Department of Justice has the authority to pursue criminal charges for violations of HIPAA, and several individuals responsible for violating HIPAA have received jail sentences. These include:

Why are so many of the latest settlements for HIPAA Right of Access failures?

Since 2019, the Office for Civil Rights has been running a Right of Access enforcement initiative to address the increasing number of complaints from patients who have experienced obstacles or delays in accessing copies of PHI. This does not mean OCR is turning a blind eye to other types of HIPAA violations, and the agency continues to investigate other violations and data breaches.

Why are some HIPAA violation fines more than the annual penalty limit?

The annual penalty limit applies per violation type. Therefore, if a covered entity is found non-compliant in (for example) four areas, the non-compliant covered entity could receive four fines, each up to the maximum penalty per violation or annual penalty limit (per violation), depending on their level of culpability.

What do the four penalty/level of culpability tiers represent?

Tier 1: A violation that a Covered Entity or Business Associate was unaware of and could not have realistically avoided had a reasonable amount of care been taken to comply with HIPAA.

Tier 2: A violation that a Covered Entity or Business Associate should have been aware of but could not have avoided even with a reasonable amount of care to comply with HIPAA.

Tier 3: A violation suffered as a direct result of “willful neglect” in cases where a Covered Entity or Business Associate has made an attempt to correct the violation.

Tier 4: A violation of HIPAA attributable to willful neglect, where no attempt has been made to correct the violation by a Covered Entity or Business Associate.

The post HIPAA Violation Fines appeared first on The HIPAA Journal.

HHS Applies Inflation Increase to Penalties for HIPAA Violations

The HHS’ Office for Civil Rights has increased the penalties for HIPAA violations with immediate effect. As of January 28, 2026, the penalties have been increased in line with inflation, as mandated by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. Annual adjustments to the penalty amounts are necessary to maintain the deterrent effect of financial penalties.

When the HITECH Act was introduced, the penalties for HIPAA violations were set as follows:

  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation up to $1,500,000

The penalties were capped at $1,500,000 for violations of an identical provision in a calendar year, and all penalties are subject to annual increases in line with inflation. OCR, like all other Executive Departments and Agencies, is required to apply annual increases to its penalty amounts. Each year, the Office of Management and Budget (OMB) issues a Memorandum that includes a multiplier for the annual adjustment.

All Executive Departments and Agencies are required to apply the multiplier by the specified date, which for the 2025 increase was January 17, 2025. The HHS is often late in applying the annual adjustment to its penalties. The previous adjustment to the penalty amounts was applied on August 8, 2024. While the 2025 adjustment was due to be applied by January 17, 2025, it was not applied until January 28, 2026, more than a year late. OMB has yet to announce the inflation multiplier for 2026.

The new penalty amounts are effective from the date of publication in the Federal Register. If the violation occurred before November 2, 2015, or a penalty was assessed before September 6, 2016, the pre-adjustment civil penalty amounts in effect before September 6, 2016, will apply.

2025 Penalties for HIPAA Violations

Penalty Tier Minimum Penalty Maximum Penalty Annual Penalty Cap
Did Not Know $145 $73,011 $2,190,294
Reasonable Cause $1,461 $73,011 $2,190,294
Willful Neglect (Corrected within 30 days) $14,602 $73,011 $2,190,294
Willful Neglect (Not corrected) $73,011 $2,190,294 $2,190,294

While these are the official penalty amounts, OCR has not rescinded its 2019 Notice of Enforcement Discretion. In 2019, OCR reviewed the text of the HITECH Act and determined there had been a misinterpretation. OCR issued a Notice of Enforcement Discretion, lowering the maximum penalties and annual caps in three of the four penalty tiers. The effective penalties for HIPAA violations, per the Notice of Enforcement Discretion, are detailed in the table below. OCR can rescind the Notice of Enforcement Discretion at any point, but cannot change the penalties detailed in the table above without further rulemaking.

Penalty Tier Minimum Penalty Maximum Penalty Annual Penalty Cap
Did Not Know $145 $36,505.50 $36,505.50
Reasonable Cause $1,461 $73,011 $146,053
Willful Neglect (Corrected within 30 days) $14,602 $73,011 $365,052
Willful Neglect (Not corrected) $73,011 $2,190,294 $2,190,294

Penalties for Violations of the Part 2 Regulations

Violations of the Part 2 regulations are now enforced by OCR, following the update to the Part 2 regulations to align them more closely with HIPAA. While violations are penalized with the same penalty structure as HIPAA, the penalties are not the same. OCR has taken the starting point to be the penalty amounts stipulated by the HITECH Act of 2009, rather than the current penalty amounts for HIPAA violations, which have increased annually in line with inflation since 2009. As such, violations of the Part 2 regulations are penalized less severely than violations of the HIPAA Rules, despite Part 2-covered data being considered more sensitive. Per the recent publication in the Federal Register, the penalties for violations of the Part 2 regulations are as follows.

Penalty Tier Minimum Penalty Maximum Penalty Annual Penalty Cap
Did Not Know $103 $51,299 $1,538,970
Reasonable Cause $1,026 $1,538,970 $1,538,970
Willful Neglect (Corrected within 30 days) $10,260 $1,538,970 $1,538,970
Willful Neglect (Not corrected) $51,299 $1,538,970 $1,538,970

The post HHS Applies Inflation Increase to Penalties for HIPAA Violations appeared first on The HIPAA Journal.