HIPAA Violation Fines
HIPAA violation fines can be issued by the Department of Health and Human Service’ Office for Civil Rights (OCR) and state attorneys general.
In the majority of cases, covered entities and business associates accept there have been potential failures to comply with certain elements of HIPAA Rules and a settlement amount is agreed and the case is resolved with no admission of liability. In addition to the settlement, a corrective action plan is issued to address HIPAA failures.
When HIPAA-covered entities disagree with the findings of the investigation, a civil monetary penalty may be issued.
While OCR issues fines for HIPAA violations, attorneys general tend to choose to pursue financial penalties against HIPAA covered entities under state laws rather than HIPAA, if equivalent laws exist at the state level. Actions for violations of state laws tend to be easier to win and the penalty structure at the state level may allow higher financial penalties to be issued.
Only a handful of states have exercised their right under HIPAA/HITECH to pursue financial penalties for violations of HIPAA Rules against HIPAA-covered entities and their business associates.
Penalty Structure for HIPAA Violations
State attorneys general can issue fines for HIPAA violations up to a maximum of $25,000 per violation category, per year.
Listed below are the HIPAA violation fines and settlements issued by the HHS’ Office for Civil Rights since the HIPAA Enforcement Rule was signed into law.
2020 HIPAA Violation Fines and Settlements
| Year | Entity | Amount | Settlement/CMP | Reason |
| 2020 | Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Settlement | HIPAA Right of Access failure |
| 2020 | University of Cincinnati Medical Center | $65,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Dr. Rajendra Bhayani | $15,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Riverside Psychiatric Medical Group | $25,000 | Settlement | HIPAA Right of Access failure |
| 2020 | City of New Haven, CT | $202,400 | Settlement | Failure to terminate access rights, risk analysis failure, failure to implement Privacy Rule policies, failure to issue unique IDs, impermissible disclosure the PHI of 498 individuals |
| 2020 | Aetna | $1,000,000 | Settlement | Failure to conduct evaluation in response to environmental or operational changes affecting ePHI security, identity check failure, minimum necessary information failure, lack of admin, technical, and physical safeguards |
| 2020 | NY Spine | $100,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Dignity Health, dba St. Joseph’s Hospital and Medical Center | $160,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Premera Blue Cross | $6,850,000 | Settlement | Risk assessment failure, risk management failure, insufficient hardware and software controls, |
| 2020 | CHSPSC LLC | $2,300,000 | Settlement | Risk analysis failure, failure to implement information system activity reviews, security incident procedure failure, and insufficient access controls. |
| 2020 | Athens Orthopedic Clinic PA | $1,500,000 | Settlement | Failures to conduct a risk analysis, risk management failure, lack of audit controls, no HIPAA policies and procedures, lack of business associate agreements, and no HIPAA Privacy Rule training to workforce. |
| 2020 | Housing Works, Inc. | $38,000 | Settlement | HIPAA Right of Access failure |
| 2020 | All Inclusive Medical Services, Inc. | $15,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Beth Israel Lahey Health Behavioral Services | $70,000 | Settlement | HIPAA Right of Access failure |
| 2020 | King MD | $3,500 | Settlement | HIPAA Right of Access failure |
| 2020 | Wise Psychiatry, PC | $10,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Lifespan Health System Affiliated Covered Entity | $1,040,000 | Settlement | Lack of encryption, device and media controls and business associate agreement failures. |
| 2020 | Metropolitan Community Health Services dba Agape Health Services | $25,000 | Settlement | Systemic noncompliance with the HIPAA Security Rule |
| 2020 | Steven A. Porter, M.D | $100,000 | Settlement | Risk analysis and risk management failures |
2019 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
| 2019 | West Georgia Ambulance | $65,000 | Settlement | Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures. |
| 2019 | Korunda Medical, LLC | $85,000 | Settlement | HIPAA Right of Access failure. |
| 2019 | Sentara Hospitals | $2,175,000 | Settlement | Breach notification failure; business associate agreement failure |
| 2019 | University of Rochester Medical Center | $3,000,000 | Settlement | Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls. |
| 2019 | Elite Dental Associates | $10,000 | Settlement | Social media disclosure; notice of privacy practices; impermissible PHI disclosure. |
| 2019 | Bayfront Health St Petersburg | $85,000 | Settlement | HIPAA Right of Access failure |
| 2019 | Medical Informatics Engineering | $100,000 | Settlement | Risk analysis failure; impermissible disclosure of 3.5 million records |
| 2019 | Touchstone Medical imaging | $3,000,000 | Settlement | No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI. |
| 2019 | Texas Department of Aging and Disability Services | $1,600,000 | Civil Monetary Penalty | Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients ePHI |
| 2019 | Jackson Health System | $2,154,000 | Civil Monetary Penalty | Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations |
2018 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
| 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement | Risk analysis failures, impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards |
| 2018 | Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI |
| 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty | Impermissible disclosure of ePHI; No Encryption |
| 2018 | Massachusetts General Hospital | $515,000 | Settlement | Filming patients without consent |
| 2018 | Brigham and Women’s Hospital | $384,000 | Settlement | Filming patients without consent |
| 2018 | Boston Medical Center | $100,000 | Settlement | Filming patients without consent |
| 2018 | Anthem Inc | $16,000,000 | Settlement | Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access |
| 2018 | Allergy Associates of Hartford | $125,000 | Settlement | PHI disclosure to reporter; No sanctions against employee |
| 2018 | Advanced Care Hospitalists | $500,000 | Settlement | Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014 |
| 2018 | Pagosa Springs Medical Center | $111,400 | Settlement | Failure to terminate employee access; No BAA |
| 2018 | Cottage Health | $3,000,000 | Settlement | Risk analysis failure; Risk management failure; No BAA |
2017 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2017 | 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations |
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI |
| 2017 | The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement |
| 2017 | Cardionet | $2,500,000 | Settlement | Impermissible Disclosure of PHI |
| 2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI |
| 2017 | Presense Health | $475,000 | Settlement | Delayed Breach Notifications |
2016 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to Manage Security Risks |
| 2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to Conduct Risk Analysis |
| 2016 | Care New England Health System | $400,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA Violations |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA Violations |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to Safeguard ePHI |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming Patients without Authorization |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of Business Associate Agreement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to Safeguard PHI |
2015 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2015 | University of Washington Medicine | $750,000 | Settlement | Failure to Conduct Risk Analysis |
| 2015 | Triple S Management Corporation | $3,500,000 | Settlement | Multiple HIPAA Violations |
| 2015 | Lahey Hospital and Medical Center | $850,000 | Settlement | Multiple HIPAA Violations |
| 2015 | Cancer Care Group, P.C. | $750,000 | Settlement | Failure to Conduct Risk Analysis |
| 2015 | St. Elizabeth’s Medical Center | $218,400 | Settlement | Multiple HIPAA Violations |
| 2015 | Cornell Prescription Pharmacy | $125,000 | Settlement | Improper Disposal of PHI |
2014 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2014 | Anchorage Community Mental Health Services | $150,000 | Settlement | Failure to Manage Risks to ePHI |
| 2014 | Parkview Health System, Inc. | $800,000 | Settlement | Failure to Safeguard PHI |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement | Failure to Conduct Risk Analysis |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement | Failure to Safeguard ePHI |
| 2014 | Concentra Health Services | $1,725,220 | Settlement | Failure to Safeguard ePHI |
| 2014 | Skagit County, Washington | $215,000 | Settlement | Failure to Safeguard ePHI |
2013 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement | Failure to Safeguard ePHI |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement | Failure to Permanently Erase ePHI |
| 2013 | WellPoint | $1,700,000 | Settlement | Failure to Safeguard ePHI |
| 2013 | Shasta Regional Medical Center | $275,000 | Settlement | Disclosure of PHI Without Patient Consent |
| 2013 | Idaho State University | $400,000 | Settlement | Failure to Safeguard ePHI |
2012 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2012 | The Hospice of Northern Idaho | $50,000 | Settlement | Theft of an Unencrypted Laptop |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement | Multiple HIPAA Violations |
| 2012 | Alaska DHSS | $1,700,000 | Settlement | Failure to Perform Risk Analysis/Risk Management Failures |
| 2012 | Phoenix Cardiac Surgery | $100,000 | Settlement | Lack of HIPAA Safeguards |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards |
2011 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2011 | University of California at Los Angeles Health System | $865,500 | Settlement | Failure to Restrict Access to Medical Records |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 | Settlement | Failure to Safeguard PHI |
| 2011 | Cignet Health of Prince George’s County | $4,300,000 | Civil Monetary Penalty | Denying Patients Access to Medical Records |
2010 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2010 | Management Services Organization Washington Inc. | $35,000 | Settlement | Risk Analysis Failures / Insufficient Security Measures |
| 2010 | Rite Aid Corporation | $1,000,000 | Settlement | Multiple HIPAA Violations |
2009 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2009 | CVS Pharmacy Inc. | $2,250,000 | Settlement | Multiple HIPAA Violations |
2008 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2008 | Providence Health & Services | $100,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards |
Attorneys General HIPAA Fines and Settlements
| Year | State | Entity | Amount | Individuals affected | Settlement/CMP | Reason |
| 2020 | Multistate | CHSPSC LLC | $5,000,000 | 6.1 million | Settlement | Failure to implement and maintain reasonable security practices |
| 2020 | Multistate | Anthem Inc | $48.2 million | 78.8 million | Settlement | Multiple violations of HIPAA and state laws |
| 2019 | Multistate | Premera Blue Cross | $10,000,000 | 10.4 million | Settlement | Multiple HIPAA violations |
| 2019 | Multistate | Medical Informatics Engineering | $900,000 | 3.5 million | Settlement | Multiple HIPAA violations |
| 2019 | CA | Aetna | $935,000 | 1,991 | Settlement | 2 mailings exposed PHI (Afib, HIV) |
| 2018 | MA | McLean Hospital | $75,000 | 1,500 | Settlement | Loss of backup tapes |
| 2018 | NJ | EmblemHealth | $100,000 | 6,443 (81,000) | Settlement | Mailing error exposed SSNs |
| 2018 | NJ | Best Transcription Medical | $200,000 | 1,650 | Settlement | Exposure of ePHi via search engines |
| 2018 | WA | Aetna | TBA | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | CT | Aetna | $99,959 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | NJ | Aetna | $365,211.59 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | DC | Aetna | $175,000 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | MA | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Settlement | Failure to secure ePHI and multiple breaches |
| 2018 | NY | Arc of Erie County | $200,000 | 3,751 | Settlement | Failure to secure ePHI |
| 2018 | NJ | Virtua Medical Group | $417,816 | 1,654 | Settlement | Multiple violations of HIPAA Rules |
| 2018 | NY | EmblemHealth | $575,000 | 81,122 | Settlement | Impermissible disclosure of ePHI |
| 2018 | NY | Aetna | $1,150,000 | 12,000 | Settlement | 2 mailings exposed PHI (Afib, HIV data) |
| 2017 | CA | Cottage Health System | $2,000,000 | More than 54,000 | Settlement | Failure to adequately protect medical records |
| 2017 | MA | Multi-State Billing Services | $100,000 | 2,600 | Settlement | Theft of unencrypted laptop containing PHI |
| 2017 | NJ | Horizon Healthcare Services Inc., | $1,100,000 | 3.7 million | Settlement | Loss of unencrypted laptop computers |
| 2017 | VT | SAManage USA, Inc. | $264,000 | 660 | Settlement | Spreadsheet indexed by search engines and PHI viewable |
| 2017 | NY | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Settlement | Delayed breach notification |
| 2015 | NY | University of Rochester Medical Center | $15,000 | 3,403 | Settlement | List of patients provided to nurse who took it to a new employer |
| 2015 | CT | Hartford Hospital/ EMC Corporation | $90,000 | 8,883 | Settlement | Theft of unencrypted laptop containing PHI |
| 2014 | MA | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Settlement | Loss of backup tapes containing PHI |
| 2014 | MA | Boston Children’s Hospital | $40,000 | 2,159 | Settlement | Loss of laptop containing PHI |
| 2014 | MA | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Settlement | Loss of laptop containing PHI |
| 2013 | MA | Goldthwait Associates | $140,000 | 67,000 | Settlement | Improper disposal |
| 2012 | MN | Accretive Health | $2,500,000 | 24,000 | Settlement | Mishandling of PHI |
| 2012 | MA | South Shore Hospital | $750,000 | 800,000 | Settlement | Loss of backup tapes containing PHI |
| 2011 | VT | Health Net Inc. | $55,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive/delayed breach notifications |
| 2011 | IN | WellPoint Inc. | $100,000 | 32,000 | Settlement | Failure to report breach in a reasonable timeframe |
| 2010 | CT | Health Net Inc. | $250,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive/delayed breach notifications |
Cases have been included if there have been potential violations of HIPAA Rules even if the financial penalty was issued for violations of state laws.