HIPAA Enforcement by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules.

The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and can obtain damages on behalf of state residents.

The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000.

State Attorney HIPAA cases were relatively rare occurrences, with only 11 settlements reached with HIPAA covered entities and business associates to resolve HIPAA violations between 2010 and 2015. HIPAA enforcement by state attorneys general was stepped up in 2017 with 5 settlements and again in 2018 when 12 cases resulted in financial penalties for violations of the HIPAA Rules.

In 2019 and 2020, a total of 5 cases have resulted in financial penalties, although those penalties have been sizeable, and four of the five cases were multistate actions against HIPAA-covered entities and business associates where several state attorneys general participated in the actions. These multistate actions allow state attorneys general to pool their resources and investigate potential violations of HIPAA and state laws more efficiently.

When civil actions are brought against covered entities or business associates by state Attorneys General, they are separate from any Office for Civil Rights actions.

Several data breaches have resulted in settlements being reached at both the federal and state level. Community Health Systems/CHSPSC, Anthem Inc., Premera Blue Cross, Aetna, Cottage Health System, University of Rochester Medical Center, and Medical Informatics Engineering have all settled cases with OCR and state attorneys general to resolve potential HIPAA violations.

In many of the state AG enforcement actions below, the financial penalties resolve violations of federal (HIPAA) and state laws. Over the years there have been several cases where HIPAA Rules have been violated, but the decision was taken to bring actions for violations of equivalent provisions in state laws.

HIPAA Enforcement by State Attorneys General in 2022

There have been no reported HIPAA enforcement actions by state attorneys general so far in 2022. This post will be updated throughout the year when 2022 enforcement actions are made public.

HIPAA Enforcement by State Attorneys General in 2021

New Jersey was particularly active in HIPAA enforcement in 2021 and was the only state to initiate its own investigations and issue financial penalties to resolve HIPAA violations in 2021. New Jersey also participated in a joint investigation into the data breach at American Medical Collection Agency (AMCA) – One of the largest ever breaches of healthcare data. The AMCA HIPAA case saw a $21 million financial penalty imposed; however, due to the huge costs incurred as a result of the breach, AMCA filed for bankruptcy protection. Due to the financial position of the company, the financial penalty was suspended and will only need to be paid if AMCA defaults on the terms of the settlement agreement.

Year State Entity Amount Individuals Affected Reason for Investigation Findings
2021 New Jersey Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) $425,000 105,000 Phishing attack and data breach Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program.
2021 New Jersey Command Marketing Innovations, LLC and Strategic Content Imaging LLC $130,000 (Plus $65,000 suspended) 55,715 Printing and mismailing incident Failure to ensure the confidentiality of PHI, lack of PHI safeguards, failure to review security measures following changes to procedures
2021 New Jersey Diamond Institute for Infertility and Menopause $495,000 14,663 Hacking incident and data breach Multiple Privacy Rule and Security Rule failures, and violations of Consumer Fraud Act
2021 Multi-state (41 state attorneys general) American Medical Collection Agency $21 million (suspended) 21 million Hacking incident and data breach Security failures including failure to detect a data breach

HIPAA Enforcement by State Attorneys General in 2020

Year State Entity Amount Individuals affected Reason for Investigation Findings
2020 Multistate (28 states) Community Health Systems / CHSPSC LLC $5,000,000 6.1 million Hacked by Chinese APT group Failure to implement and maintain reasonable security practices
2020 Multistate (43 states) Anthem Inc $39.5 million 78.8 million Phishing attack and major data breach Multiple violations of HIPAA and state laws
2020 California Anthem Inc $8.7 million 78.8 million Phishing attack and major data breach Multiple violations of HIPAA and state laws

HIPAA Enforcement by State Attorneys General in 2019

Year State Entity Amount Individuals affected Reason for Investigation Findings
2019 Multistate (30 states) Premera Blue Cross $10,000,000 10.4 million Hacking incident and major data breach Multiple violations of HIPAA and state laws
2019 Multistate (16 states) Medical Informatics Engineering $900,000 3.5 million Breach of NoMoreClipboard data Multiple violations of HIPAA and state laws
2019 California Aetna $935,000 1,991 2 mailings exposed PHI (Afib, HIV) Impermissible disclosure of sensitive health information

HIPAA Enforcement by State Attorneys General in 2018

Year State Entity Amount Individuals affected Reason for Investigation Findings
2018 Massachusetts McLean Hospital $75,000 1,500 Loss of backup tapes Insufficient risk assessment, failure to encrypt data, delayed breach notifications
2018 New Jersey EmblemHealth $100,000 6,443 (81,000) Mailing error exposed SSNs Impermissible disclosure of PHI, lack of staff training
2018 New Jersey Best Transcription Medical $200,000 1,650 Exposure of ePHI in Internet Risk assessment and risk management failure, breach notification failure
2018 Multistate (CT, NJ, DC) Aetna 640170.59 13,160 2 mailings exposed PHI (Afib, HIV) Impermissible disclosure of sensitive health information
2018 Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000 Multiple data breaches Failure to secure ePHI
2018 New York Arc of Erie County $200,000 3,751 Exposure of ePHI on the Internet Failure to secure ePHI
2018 New Jersey Virtua Medical Group $417,816 1,654 Exposure of ePHI on the Internet Multiple violations of the HIPAA Rules
2018 New York EmblemHealth $575,000 81,122 Mailing error exposed SSNs Impermissible disclosure of PHI, lack of staff training
2018 New York Aetna $1,150,000 12,000 2 mailings exposed PHI (Afib, HIV) Impermissible disclosure of sensitive health information

HIPAA Enforcement by State Attorneys General in 2017

Year State Entity Amount Individuals affected Reason for Investigation Findings
2017 California Cottage Health System $2,000,000 More than 54,000 Exposure of PHI on the Internet Failure to safeguard personal information
2017 Massachusetts Multi-State Billing Services $100,000 2,600 Theft of unencrypted laptop computer Failure to safeguard personal information
2017 New Jersey Horizon Healthcare Services Inc $1,100,000 3.7 million Theft of 2 unencrypted laptop computers Failure to safeguard personal information
2017 Vermont SAManage USA, Inc. $264,000 660 Exposure of PHI on the Internet Failure to secure ePHI, breach notification failure
2017 New York CoPilot Provider Support Services, Inc $130,000 221,178 Delayed breach notification Violation of breach notification requirements

HIPAA Enforcement by State Attorneys General (2010-2016)

Year State Entity Amount Individuals affected Reason for Investigation Findings
2015 New York University of Rochester Medical Center $15,000 3,403 List of patients provided to nurse who took it to a new employer Impermissible disclosure of ePHI
2015 Connecticut Hartford Hospital/ EMC Corporation $90,000 8,883 Theft of unencrypted laptop containing PHI Lack of Business Associate Agreement, failure to encrypt ePHI
2014 Massachusetts Women & Infants Hospital of Rhode Island $150,000 12,000 Loss of backup tapes containing PHI Failure to safeguard ePHI, lack of staff training
2014 Massachusetts Boston Children’s Hospital $40,000 2,159 Loss of laptop containing PHI Failure to encrypt ePHI
2014 Massachusetts Beth Israel Deaconess Medical Center $100,000 3,796 Loss of laptop containing PHI Failure to encrypt ePHI
2013 Massachusetts Goldthwait Associates $140,000 67,000 Mishandling of PHI Improper disposal of PHI
2012 Minnesota Accretive Health $2,500,000 24,000 Mishandling of PHI Failure to safeguard PHI
2012 Massachusetts South Shore Hospital $750,000 800,000 Loss of backup tapes containing PHI Failure to safeguard PHI
2011 Vermont Health Net Inc. $55,000 1,500,000 Loss of unencrypted hard drive/delayed breach notifications Failure to safeguard PHI, violation of breach notification requirements
2011 Indiana WellPoint Inc. $100,000 32,000 Failure to report breach in a reasonable timeframe Violation of breach notification requirements
2010 Connecticut Health Net Inc. $250,000 1,500,000 Loss of unencrypted hard drive Failure to safeguard PHI, violation of breach notification requirements

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.