Free Consultation
- How long does it take to become compliant?
- How much does it cost to become compliant?
- What are the benefits of compliance?
In most instances, covered entities and business associates acknowledge potential non-compliance with specific aspects of HIPAA Rules. This leads to the agreement on a settlement amount and the resolution of the case without admitting liability. Furthermore, a corrective action plan is created to rectify the HIPAA violations.
However if HIPAA-covered entities contest the investigation's findings, it can result in the imposition of a civil monetary penalty.
While the Department of Health and Human Services Office for Civil Rights (OCR) administers fines for HIPAA breaches, state attorneys general often opt for pursuing monetary penalties against HIPAA-covered entities based on state laws, that is, if equivalent provisions exist at the state level. Legal actions for state law violations are typically more straightforward to succeed, and the state-level penalty framework may allow for the imposition of more substantial financial sanctions. Only a limited number of states have chosen to utilize their authority granted by HIPAA/HITECH to impose financial penalties on HIPAA-covered entities and their business associates for violations of HIPAA Rules.
HIPAA violations penalties are made up of 4 tiers. Each tier is defined by the level of culpability, additionally each tier has both a minimum and maximum base fine (please note the fines are subject to a cost-of-living adjustment multiplier, for example for 2023 the multiplier is 1.07745). Tier 1 HIPAA Violation applies to entities that were unaware of the HIPAA violation and exercised responsible due deligance, this carries a minimum fine of $100 and a max fine of $50,000 per violation with an annual penalty limit of $25,000. Tier 2 HIPAA Violation applies to entities that knew or should have known about the HIPAA violation if they had exercised responsible due diligence, this carries a minimum fine of $1000 and a max fine of $50,000 per violation with an annual max penalty limit of $100,000. Tier 3 HIPAA Violation applies to entities that were in wilful neglect of HIPAA rules but corrected the violation within 30 days of discovery, this carries a minimum fine of $10,000 and a max fine of $50,000 per violation with an annual max penalty limit of $250,000. Tier 4 HIPAA Violation applies to entities that were in wilful neglect of HIPAA rules and with no effort to correct the violation within 30 days of discovery, this carries a minimum fine of $50,000 per violation with an annual penalty limit of $1,500,000
As of June 2022, although the Health and Human Services Office for Civil Rights received over 300,000 complaints and data breach reports, it has sanctioned fines or reached settlements in just 110 cases. The majority of the remaining cases, where HIPAA violations were identified, were resolved through technical assistance and the implementation of corrective action plans.
When the Office for Civil Rights examines a case and identifies potential grounds for criminal prosecution, it refers the case to the Department of Justice. The Department of Justice holds the power to pursue criminal charges for HIPAA violations, this has resulted in jail sentences for several individuals found responsible for breaching HIPAA regulations.
Starting in 2019, the Office for Civil Rights initiated an enforcement effort known as the Right of Access initiative. This initiative aims to tackle the growing volume of patient complaints concerning difficulties or delays in obtaining copies of their Protected Health Information (PHI). It's important to note that this focus on the Right of Access issue does not imply that the Health and Human Services Office for Civil Rights is neglecting other categories of HIPAA violations; the agency remains actively engaged in investigating various types of violations and data breaches.
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Violation |
|---|---|---|---|---|
| 2022 | Health Specialists of Central Florida Inc | $20,000 | Settlement | HIPAA Right of Access failure |
| 2022 | New Vision Dental | $23,000 | Settlement | PHI disclosure, notice of privacy practices, releasing PHI on social media |
| 2022 | Great Expressions Dental Center of Georgia, P.C. | $80,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Family Dental Care, P.C. | $30,000 | Settlement | HIPAA Right of Access failure |
| 2022 | B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental | $25,000 | Settlement | HIPAA Right of Access failure |
| 2022 | New England Dermatology and Laser Center | $300,640 | Settlement | Improper disposal of PHI, and failure to maintain safeguards |
| 2022 | ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| 2022 | Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| 2022 | MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| 2022 | Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |
| 2022 | Oklahoma State University – Center for Health Sciences | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, and the disclosure of the PHI of 279,865 individuals |
| 2022 | Dr. Brockley | $30,000 | Settlement | HIPAA Right of Access |
| 2022 | Jacob & Associates | $28,000 | Settlement | HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer |
| 2022 | Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., | $50,000 | Civil Monetary Penalty | Prohibited disclosure on social media |
| 2022 | Northcutt Dental-Fairhope | $62,500 | Settlement | Prohibited disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Violation |
|---|---|---|---|---|
| 2021 | Advanced Spine & Pain Management | $32,150 | Settlement | HIPAA Right of Access failure |
| 2021 | Denver Retina Center | $30,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Dr. Robert Glaser | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| 2021 | Rainrock Treatment Center LLC (dba monte Nido Rainrock) | $160,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Wake Health Medical Group | $10,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Children’s Hospital & Medical Center | $80,000 | Settlement | HIPAA Right of Access failure |
| 2021 | The Diabetes, Endocrinology & Lipidology Center, Inc. | $5,000 | Settlement | HIPAA Right of Access failure |
| 2021 | AEON Clinical Laboratories (Peachstate) | $25,000 | Settlement | HIPAA Security Rule failures (risk assessment, risk management, audit controls, and lack of documentation of HIPAA Security Rule policies and procedures) |
| 2021 | Village Plastic Surgery | $30,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Arbour Hospital | $65,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Sharpe Healthcare | $70,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Renown Health | $75,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Excellus Health Plan | $5,100,000 | Settlement | Risk analysis failure, risk management failure, lack of information system activity reviews, lack of technical policies to prevent unauthorized ePHI access, and a breach of 9,358,891 records. |
| 2021 | Banner Health | $200,000 | Settlement | HIPAA Right of Access failure |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Violation |
|---|---|---|---|---|
| 2020 | Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Settlement | HIPAA Right of Access failure |
| 2020 | University of Cincinnati Medical Center | $65,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Dr. Rajendra Bhayani | $15,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Riverside Psychiatric Medical Group | $25,000 | Settlement | HIPAA Right of Access failure |
| 2020 | City of New Haven, CT | $202,400 | Settlement | Failure to terminate access rights, risk analysis failure, failure to implement Privacy Rule policies, failure to issue unique IDs, impermissible disclosure of the PHI of 498 individuals |
| 2020 | Aetna | $1,000,000 | Settlement | Failure to conduct an evaluation in response to environmental or operational changes affecting ePHI security, identity check failure, minimum necessary information failure, lack of admin, technical, and physical safeguards |
| 2020 | NY Spine | $100,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Dignity Health, dba St. Joseph’s Hospital and Medical Center | $160,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Premera Blue Cross | $6,850,000 | Settlement | Risk assessment failure, risk management failure, insufficient hardware, and software controls, |
| 2020 | CHSPSC LLC | $2,300,000 | Settlement | Risk analysis failure, failure to implement information system activity reviews, security incident procedure failure, and insufficient access controls. |
| 2020 | Athens Orthopedic Clinic PA | $1,500,000 | Settlement | Failures to conduct a risk analysis, risk management failure, lack of audit controls, no HIPAA policies and procedures, lack of business associate agreements, and no HIPAA Privacy Rule training to the workforce. |
| 2020 | Housing Works, Inc. | $38,000 | Settlement | HIPAA Right of Access failure |
| 2020 | All Inclusive Medical Services, Inc. | $15,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Beth Israel Lahey Health Behavioral Services | $70,000 | Settlement | HIPAA Right of Access failure |
| 2020 | King MD | $3,500 | Settlement | HIPAA Right of Access failure |
| 2020 | Wise Psychiatry, PC | $10,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Lifespan Health System Affiliated Covered Entity | $1,040,000 | Settlement | Lack of encryption, device and media controls, and business associate agreement failures. |
| 2020 | Metropolitan Community Health Services dba Agape Health Services | $25,000 | Settlement | Systemic noncompliance with the HIPAA Security Rule |
| 2020 | Steven A. Porter, M.D | $100,000 | Settlement | Risk analysis and risk management failures |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Violation |
|---|---|---|---|---|
| 2019 | West Georgia Ambulance | $65,000 | Settlement | Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures. |
| 2019 | Korunda Medical, LLC | $85,000 | Settlement | HIPAA Right of Access failure. |
| 2019 | Sentara Hospitals | $2,175,000 | Settlement | Breach notification failure; business associate agreement failure |
| 2019 | University of Rochester Medical Center | $3,000,000 | Settlement | Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls. |
| 2019 | Elite Dental Associates | $10,000 | Settlement | Social media disclosure; notice of privacy practices; impermissible PHI disclosure. |
| 2019 | Bayfront Health St Petersburg | $85,000 | Settlement | HIPAA Right of Access failure |
| 2019 | Medical Informatics Engineering | $100,000 | Settlement | Risk analysis failure; impermissible disclosure of 3.5 million records |
| 2019 | Touchstone Medical imaging | $3,000,000 | Settlement | No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI. |
| 2019 | Texas Department of Aging and Disability Services | $1,600,000 | Civil Monetary Penalty | Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients ePHI |
| 2019 | Jackson Health System | $2,154,000 | Civil Monetary Penalty | Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Violation |
|---|---|---|---|---|
| 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement | Risk analysis failures, impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards |
| 2018 | Filefax, Inc. | $100,000 | Settlement | Prohibited disclosure of PHI |
| 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty | Prohibited disclosure of ePHI; No Encryption |
| 2018 | Massachusetts General Hospital | $515,000 | Settlement | Filming patients without consent |
| 2018 | Brigham and Women’s Hospital | $384,000 | Settlement | Filming patients without consent |
| 2018 | Boston Medical Center | $100,000 | Settlement | Filming patients without consent |
| 2018 | Anthem Inc | $16,000,000 | Settlement | Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access |
| 2018 | Allergy Associates of Hartford | $125,000 | Settlement | PHI disclosure to a reporter; No sanctions against employees |
| 2018 | Advanced Care Hospitalists | $500,000 | Settlement | Prohibited PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014 |
| 2018 | Pagosa Springs Medical Center | $111,400 | Settlement | Failure to terminate employee access; No BAA |
| 2018 | Cottage Health | $3,000,000 | Settlement | Risk analysis failure; Risk management failure; No BAA |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason |
|---|---|---|---|---|
| 2017 | 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations |
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI |
| 2017 | The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement |
| 2017 | Cardionet | $2,500,000 | Settlement | Prohibited Disclosure of PHI |
| 2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Prohibited Disclosure of ePHI |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Prohibited Disclosure of ePHI |
| 2017 | Presense Health | $475,000 | Settlement | Delayed Breach Notifications |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason |
|---|---|---|---|---|
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to Manage Security Risks |
| 2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to Conduct Risk Analysis |
| 2016 | Care New England Health System | $400,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA Violations |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA Violations |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to Safeguard ePHI |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming Patients without Authorization |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of Business Associate Agreement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Prohibited Disclosure of PHI |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Prohibited Disclosure of PHI |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to Safeguard PHI |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason |
|---|---|---|---|---|
| 2015 | University of Washington Medicine | $750,000 | Settlement | Failure to Conduct Risk Analysis |
| 2015 | Triple S Management Corporation | $3,500,000 | Settlement | Multiple HIPAA Violations |
| 2015 | Lahey Hospital and Medical Center | $850,000 | Settlement | Multiple HIPAA Violations |
| 2015 | Cancer Care Group, P.C. | $750,000 | Settlement | Failure to Conduct Risk Analysis |
| 2015 | St. Elizabeth’s Medical Center | $218,400 | Settlement | Multiple HIPAA Violations |
| 2015 | Cornell Prescription Pharmacy | $125,000 | Settlement | Improper Disposal of PHI |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason |
|---|---|---|---|---|
| 2014 | Anchorage Community Mental Health Services | $150,000 | Settlement | Failure to Manage Risks to ePHI |
| 2014 | Parkview Health System, Inc. | $800,000 | Settlement | Failure to Safeguard PHI |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement | Failure to Conduct Risk Analysis |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement | Failure to Safeguard ePHI |
| 2014 | Concentra Health Services | $1,725,220 | Settlement | Failure to Safeguard ePHI |
| 2014 | Skagit County, Washington | $215,000 | Settlement | Failure to Safeguard ePHI |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason |
|---|---|---|---|---|
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement | Failure to Safeguard ePHI |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement | Failure to Permanently Erase ePHI |
| 2013 | WellPoint | $1,700,000 | Settlement | Failure to Safeguard ePHI |
| 2013 | Shasta Regional Medical Center | $275,000 | Settlement | Disclosure of PHI Without Patient Consent |
| 2013 | Idaho State University | $400,000 | Settlement | Failure to Safeguard ePHI |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason |
|---|---|---|---|---|
| 2012 | The Hospice of Northern Idaho | $50,000 | Settlement | Theft of an Unencrypted Laptop |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement | Multiple HIPAA Violations |
| 2012 | Alaska DHSS | $1,700,000 | Settlement | Failure to Perform Risk Analysis/Risk Management Failures |
| 2012 | Phoenix Cardiac Surgery | $100,000 | Settlement | Lack of HIPAA Safeguards |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason |
|---|---|---|---|---|
| 2011 | University of California at Los Angeles Health System | $865,500 | Settlement | Failure to Restrict Access to Medical Records |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 | Settlement | Failure to Safeguard PHI |
| 2011 | Cignet Health of Prince George’s County | $4,300,000 | Civil Monetary Penalty | Denying Patients Access to Medical Records |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason |
|---|---|---|---|---|
| 2010 | Management Services Organization Washington Inc. | $35,000 | Settlement | Risk Analysis Failures / Insufficient Security Measures |
| 2010 | Rite Aid Corporation | $1,000,000 | Settlement | Multiple HIPAA Violations |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason |
|---|---|---|---|---|
| 2009 | CVS Pharmacy Inc. | $2,250,000 | Settlement | Multiple HIPAA Violations |
| Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason |
|---|---|---|---|---|
| 2008 | Providence Health & Services | $100,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards |
State attorneys general possess the power to levy financial penalties for breaches of HIPAA. However, in many cases where HIPAA was violated, fines are imposed based on state laws.
| Year | State | Entity | Amount | Individuals affected | Settlement or Civil Monetary Penalty | Violation |
|---|---|---|---|---|---|---|
| 2023 | Colorado | Broomfield Skilled Nursing and Rehabilitation Center | $60,000 ($25,000 suspended) | 677 individuals | Settlement | Violations of HIPAA data encryption requirements, state data protection laws, and deceptive trading practices. |
| 2023 | Indiana | Schneck Medical Center | $250,000 | 89,707 individuals | Settlement | Violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule; Indiana Disclosure of Security Breach Act; Indiana Deceptive Consumer Sales Act. |
| 2023 | California | Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals | $49,000,000 | 7,700 individuals | Settlement | Violations of the HIPAA; California Hazardous Waste Control Law, Medical Waste Management Act; California Confidentiality of Medical Information Act; California Customer Records Law; California Unfair Competition Law |
| 2023 | California | Kaiser Permanente | $450,000 | Less than 167,095 individuals | Settlement | Prohibited disclosure of PHI and negligent maintenance or disposal of PHI in violation of the California Confidentiality of Medical Information Act (CMIA) |
| 2023 | New York | Professional Business Systems Inc (dba Practicefirst Medical Management Solutions and PBS Medcode Corp | $550,000 | 1.2 million | Settlement | Data security failures: Patch management, data encryption, vulnerability scans, and penetration tests |
| 2023 | Oregon, New Jersey, Florida, Pennsylvania | EyeMed Vision Care | $2,500,000 | 2.1 million | Settlement | Data security failures including access controls |
| 2023 | New York | Heidell, Pittoni, Murphy & Bach LLP | $200,000 | 61,438 | Settlement | Violation of 17 HIPAA Privacy and Security Rule provisions |
| 2023 | Pennsylvania/Ohio | DNA Diagnostics Center | $400,000 | 2.1 million | Settlement | Lack of safeguards, failure to update asset inventory, and failure to disable/remove assets not used for business purposes. |
| 2022 | Oregon/Utah | Avalon Healthcare | $200,000 | 14,500 | Settlement | Breach notification delay and information security program failures |
| 2022 | Massachusetts | Aveanna Healthcare | $425,000 | 166,000 | Settlement | Lack of security safeguards to combat phishing, including no multifactor authentication |
| 2022 | New York | EyeMed Vision Care | $600,000 | 2.1 million | Settlement | Multiple violations of HIPAA and New York General Business Law. |
| 2021 | New Jersey | Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) | $425,000 | 105,000 | Settlement | Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program. |
| 2021 | New Jersey | Command Marketing Innovations, LLC and Strategic Content Imaging LLC | $130,000 (Plus $65,000 suspended) | 55,715 | Settlement | Failure to ensure the confidentiality of PHI, lack of PHI safeguards, failure to review security measures following changes to procedures. |
| 2021 | New Jersey | Diamond Institute for Infertility and Menopause | $495,000 | 14,663 | Settlement | Multiple Privacy Rule and Security Rule failures, and violations of the Consumer Fraud Act. |
| 2021 | Multistate | American Medical Collection Agency | $21 million (suspended) | 21,000,000 | Settlement | Security failures, including the failure to detect a data breach. |
| 2020 | Multistate | CHSPSC LLC | $5,000,000 | 6.1 million | Settlement | Failure to implement and maintain reasonable security practices |
| 2020 | Multistate | Anthem Inc | $48.2 million | 78.8 million | Settlement | Multiple violations of HIPAA and state laws |
| 2019 | Multistate | Premera Blue Cross | $10,000,000 | 10.4 million | Settlement | Multiple HIPAA violations |
| 2019 | Multistate | Medical Informatics Engineering | $900,000 | 3.5 million | Settlement | Multiple HIPAA violations |
| 2019 | CA | Aetna | $935,000 | 1,991 | Settlement | 2 mailings exposed PHI (Afib, HIV) |
| 2018 | MA | McLean Hospital | $75,000 | 1,500 | Settlement | Loss of backup tapes |
| 2018 | NJ | EmblemHealth | $100,000 | 6,443 (81,000) | Settlement | Mailing error exposed SSNs |
| 2018 | NJ | Best Transcription Medical | $200,000 | 1,650 | Settlement | Exposure of ePHi via search engines |
| 2018 | CT | Aetna | $99,959 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | NJ | Aetna | $365,211.59 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | DC | Aetna | $175,000 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | MA | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Settlement | Failure to secure ePHI and multiple breaches |
| 2018 | NY | Arc of Erie County | $200,000 | 3,751 | Settlement | Failure to secure ePHI |
| 2018 | NJ | Virtua Medical Group | $417,816 | 1,654 | Settlement | Multiple violations of HIPAA Rules |
| 2018 | NY | EmblemHealth | $575,000 | 81,122 | Settlement | Prohibited disclosure of ePHI |
| 2018 | NY | Aetna | $1,150,000 | 12,000 | Settlement | 2 mailings exposed PHI (Afib, HIV data) |
| 2017 | CA | Cottage Health System | $2,000,000 | More than 54,000 | Settlement | Failure to adequately protect medical records |
| 2017 | MA | Multi-State Billing Services | $100,000 | 2,600 | Settlement | Theft of unencrypted laptop containing PHI |
| 2017 | NJ | Horizon Healthcare Services Inc., | $1,100,000 | 3.7 million | Settlement | Loss of unencrypted laptop computers |
| 2017 | VT | SAManage USA, Inc. | $264,000 | 660 | Settlement | Spreadsheet indexed by search engines and PHI viewable |
| 2017 | NY | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Settlement | Delayed breach notification |
| 2015 | NY | University of Rochester Medical Center | $15,000 | 3,403 | Settlement | List of patients provided to nurse who took it to a new employer |
| 2015 | CT | Hartford Hospital/ EMC Corporation | $90,000 | 8,883 | Settlement | Theft of unencrypted laptop containing PHI |
| 2014 | MA | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Settlement | Loss of backup tapes containing PHI |
| 2014 | MA | Boston Children’s Hospital | $40,000 | 2,159 | Settlement | Loss of laptop containing PHI |
| 2014 | MA | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Settlement | Loss of laptop containing PHI |
| 2013 | MA | Goldthwait Associates | $140,000 | 67,000 | Settlement | Improper disposal |
| 2012 | MN | Accretive Health | $2,500,000 | 24,000 | Settlement | Mishandling of PHI |
| 2012 | MA | South Shore Hospital | $750,000 | 800,000 | Settlement | Loss of backup tapes containing PHI |
| 2011 | VT | Health Net Inc. | $55,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive/delayed breach notifications |
| 2011 | IN | WellPoint Inc. | $100,000 | 32,000 | Settlement | Failure to report a breach in a reasonable timeframe |
| 2010 | CT | Health Net Inc. | $250,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive/delayed breach notifications |
Quick & Simple
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
