HIPAA Violation Fines

HIPAA violation fines can be issued by the Department of Health and Human Service’ Office for Civil Rights (OCR) and state attorneys general.

In the majority of cases, covered entities and business associates accept there have been potential failures to comply with certain elements of HIPAA Rules and a settlement amount is agreed and the case is resolved with no admission of liability. In addition to the settlement, a corrective action plan is issued to address HIPAA failures.

When HIPAA-covered entities disagree with the findings of the investigation, a civil monetary penalty may be issued.

While OCR issues fines for HIPAA violations, attorneys general tend to choose to pursue financial penalties against HIPAA covered entities under state laws rather than HIPAA, if equivalent laws exist at the state level. Actions for violations of state laws tend to be easier to win and the penalty structure at the state level may allow higher financial penalties to be issued.

Only a handful of states have exercised their right under HIPAA/HITECH to pursue financial penalties for violations of HIPAA Rules against HIPAA-covered entities and their business associates.

Penalty Structure for HIPAA Violations

State attorneys general can issue fines for HIPAA violations up to a maximum of $25,000 per violation category, per year.

Listed below are the HIPAA violation fines and settlements issued by the HHS’ Office for Civil Rights since the HIPAA Enforcement Rule was signed into law.

2020 HIPAA Violation Fines and Settlements

Year Entity Amount Settlement/CMP Reason
2020 Peter Wrobel, M.D., P.C., dba Elite Primary Care $36,000 Settlement HIPAA Right of Access failure
2020 University of Cincinnati Medical Center $65,000 Settlement HIPAA Right of Access failure
2020 Dr. Rajendra Bhayani $15,000 Settlement HIPAA Right of Access failure
2020 Riverside Psychiatric Medical Group $25,000 Settlement HIPAA Right of Access failure
2020 City of New Haven, CT $202,400 Settlement Failure to terminate access rights, risk analysis failure, failure to implement Privacy Rule policies, failure to issue unique IDs, impermissible disclosure the PHI of 498 individuals
2020 Aetna $1,000,000 Settlement Failure to conduct evaluation in response to environmental or operational changes affecting ePHI security, identity check failure, minimum necessary information failure, lack of admin, technical, and physical safeguards
2020 NY Spine $100,000 Settlement HIPAA Right of Access failure
2020 Dignity Health, dba St. Joseph’s Hospital and Medical Center $160,000 Settlement HIPAA Right of Access failure
2020 Premera Blue Cross $6,850,000 Settlement Risk assessment failure, risk management failure, insufficient hardware and software controls,
2020 CHSPSC LLC $2,300,000 Settlement Risk analysis failure, failure to implement information system activity reviews, security incident procedure failure, and insufficient access controls.
2020 Athens Orthopedic Clinic PA $1,500,000 Settlement Failures to conduct a risk analysis, risk management failure, lack of audit controls, no HIPAA policies and procedures, lack of business associate agreements, and no HIPAA Privacy Rule training to workforce.
2020 Housing Works, Inc. $38,000 Settlement HIPAA Right of Access failure
2020 All Inclusive Medical Services, Inc. $15,000 Settlement HIPAA Right of Access failure
2020 Beth Israel Lahey Health Behavioral Services $70,000 Settlement HIPAA Right of Access failure
2020 King MD $3,500 Settlement HIPAA Right of Access failure
2020 Wise Psychiatry, PC $10,000 Settlement HIPAA Right of Access failure
2020 Lifespan Health System Affiliated Covered Entity $1,040,000 Settlement Lack of encryption, device and media controls and business associate agreement failures.
2020 Metropolitan Community Health Services dba Agape Health Services $25,000 Settlement Systemic noncompliance with the HIPAA Security Rule
2020 Steven A. Porter, M.D $100,000 Settlement Risk analysis and risk management failures

2019 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2019 West Georgia Ambulance $65,000 Settlement Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures.
2019 Korunda Medical, LLC $85,000 Settlement HIPAA Right of Access failure.
2019 Sentara Hospitals $2,175,000 Settlement Breach notification failure; business associate agreement failure
2019 University of Rochester Medical Center $3,000,000 Settlement Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls.
2019 Elite Dental Associates $10,000 Settlement Social media disclosure; notice of privacy practices; impermissible PHI disclosure.
2019 Bayfront Health St Petersburg $85,000 Settlement HIPAA Right of Access failure
2019 Medical Informatics Engineering $100,000 Settlement Risk analysis failure; impermissible disclosure of 3.5 million records
2019 Touchstone Medical imaging $3,000,000 Settlement No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI.
2019 Texas Department of Aging and Disability Services $1,600,000 Civil Monetary Penalty Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients ePHI
2019 Jackson Health System $2,154,000 Civil Monetary Penalty Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations

2018 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2018 Fresenius Medical Care North America $3,500,000 Settlement Risk analysis failures, impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards
2018 Filefax, Inc. $100,000 Settlement Impermissible disclosure of PHI
2018 University of Texas MD Anderson Cancer Center $4,348,000 Civil Monetary Penalty Impermissible disclosure of ePHI; No Encryption
2018 Massachusetts General Hospital $515,000 Settlement Filming patients without consent
2018 Brigham and Women’s Hospital $384,000 Settlement Filming patients without consent
2018 Boston Medical Center $100,000 Settlement Filming patients without consent
2018 Anthem Inc $16,000,000 Settlement Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access
2018 Allergy Associates of Hartford $125,000 Settlement PHI disclosure to reporter; No sanctions against employee
2018 Advanced Care Hospitalists $500,000 Settlement Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014
2018 Pagosa Springs Medical Center $111,400 Settlement Failure to terminate employee access; No BAA
2018 Cottage Health $3,000,000 Settlement Risk analysis failure; Risk management failure; No BAA

2017 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2017 21st Century Oncology $2,300,000 Settlement Multiple HIPAA Violations
2017 Memorial Hermann Health System $2,400,000 Settlement Careless Handling of PHI
2017 St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement Unauthorized Disclosure of PHI
2017 The Center for Children’s Digestive Health $31,000 Settlement Lack of a Business Associate Agreement
2017 Cardionet $2,500,000 Settlement Impermissible Disclosure of PHI
2017 Metro Community Provider Network $400,000 Settlement Lack of Security Management Process
2017 Memorial Healthcare System $5,500,000 Settlement Insufficient ePHI Access Controls
2017 Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty Impermissible Disclosure of ePHI
2017 MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement Impermissible Disclosure of ePHI
2017 Presense Health $475,000 Settlement Delayed Breach Notifications

2016 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2016 University of Massachusetts Amherst (UMass) $650,000 Settlement Failure to Manage Security Risks
2016 St. Joseph Health $2,140,500 Settlement Failure to Conduct Risk Analysis
2016 Care New England Health System $400,000 Settlement Lack of a Business Associate Agreement
2016 Advocate Health Care Network $5,550,000 Settlement Multiple HIPAA Violations
2016 University of Mississippi Medical Center $2,750,000 Settlement Multiple HIPAA Violations
2016 Oregon Health & Science University $2,700,000 Settlement Lack of a Business Associate Agreement
2016 Catholic Health Care Services of the Archdiocese of Philadelphia $650,000 Settlement Failure to Safeguard ePHI
2016 New York Presbyterian Hospital $2,200,000 Settlement Filming Patients without Authorization
2016 Raleigh Orthopaedic Clinic, P.A. of North Carolina $750,000 Settlement Lack of Business Associate Agreement
2016 Feinstein Institute for Medical Research $3,900,000 Settlement Impermissible Disclosure of PHI
2016 North Memorial Health Care of Minnesota $1,550,000 Settlement Lack of a Business Associate Agreement
2016 Complete P.T., Pool & Land Physical Therapy, Inc. $25,000 Settlement Impermissible Disclosure of PHI
2016 Lincare, Inc. $239,800 Civil Monetary Penalty Failure to Safeguard PHI

2015 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2015 University of Washington Medicine $750,000 Settlement Failure to Conduct Risk Analysis
2015 Triple S Management Corporation $3,500,000 Settlement Multiple HIPAA Violations
2015 Lahey Hospital and Medical Center $850,000 Settlement Multiple HIPAA Violations
2015 Cancer Care Group, P.C. $750,000 Settlement Failure to Conduct Risk Analysis
2015 St. Elizabeth’s Medical Center $218,400 Settlement Multiple HIPAA Violations
2015 Cornell Prescription Pharmacy $125,000 Settlement Improper Disposal of PHI

2014 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2014 Anchorage Community Mental Health Services $150,000 Settlement Failure to Manage Risks to ePHI
2014 Parkview Health System, Inc. $800,000 Settlement Failure to Safeguard PHI
2014 New York and Presbyterian Hospital and Columbia University $4,800,000 Settlement Failure to Conduct Risk Analysis
2014 QCA Health Plan, Inc., of Arkansas $250,000 Settlement Failure to Safeguard ePHI
2014 Concentra Health Services $1,725,220 Settlement Failure to Safeguard ePHI
2014 Skagit County, Washington $215,000 Settlement Failure to Safeguard ePHI

2013 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2013 Adult & Pediatric Dermatology, P.C. $150,000 Settlement Failure to Safeguard ePHI
2013 Affinity Health Plan, Inc. $1,215,780 Settlement Failure to Permanently Erase ePHI
2013 WellPoint $1,700,000 Settlement Failure to Safeguard ePHI
2013 Shasta Regional Medical Center $275,000 Settlement Disclosure of PHI Without Patient Consent
2013 Idaho State University $400,000 Settlement Failure to Safeguard ePHI

2012 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2012 The Hospice of Northern Idaho $50,000 Settlement Theft of an Unencrypted Laptop
2012 Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. $1,500,000 Settlement Multiple HIPAA Violations
2012 Alaska DHSS $1,700,000 Settlement Failure to Perform Risk Analysis/Risk Management Failures
2012 Phoenix Cardiac Surgery $100,000 Settlement Lack of HIPAA Safeguards
2012 Blue Cross Blue Shield of Tennessee $1,500,000 Settlement Failure to Implement Appropriate Administrative Safeguards

2011 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2011 University of California at Los Angeles Health System $865,500 Settlement Failure to Restrict Access to Medical Records
2011 General Hospital Corp. & Massachusetts General Physicians Organization Inc. $1,000,000 Settlement Failure to Safeguard PHI
2011 Cignet Health of Prince George’s County $4,300,000 Civil Monetary Penalty Denying Patients Access to Medical Records

2010 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2010 Management Services Organization Washington Inc. $35,000 Settlement Risk Analysis Failures / Insufficient Security Measures
2010 Rite Aid Corporation $1,000,000 Settlement Multiple HIPAA Violations

2009 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2009 CVS Pharmacy Inc. $2,250,000 Settlement Multiple HIPAA Violations

2008 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2008 Providence Health & Services $100,000 Settlement Failure to Implement Appropriate Administrative Safeguards

Attorneys General HIPAA Fines and Settlements

Year State Entity Amount Individuals affected Settlement/CMP Reason
2020 Multistate CHSPSC LLC $5,000,000 6.1 million Settlement Failure to implement and maintain reasonable security practices
2020 Multistate Anthem Inc $48.2 million 78.8 million Settlement Multiple violations of HIPAA and state laws
2019 Multistate Premera Blue Cross $10,000,000 10.4 million Settlement Multiple HIPAA violations
2019 Multistate Medical Informatics Engineering $900,000 3.5 million Settlement Multiple HIPAA violations
2019 CA Aetna $935,000 1,991 Settlement 2 mailings exposed PHI (Afib, HIV)
2018 MA McLean Hospital $75,000 1,500 Settlement Loss of backup tapes
2018 NJ EmblemHealth $100,000 6,443 (81,000) Settlement Mailing error exposed SSNs
2018 NJ Best Transcription Medical $200,000 1,650 Settlement Exposure of ePHi via search engines
2018 WA Aetna TBA 13,160 Settlement (Multistate action) 2 mailings exposed PHI (Afib, HIV data)
2018 CT Aetna $99,959 13,160 Settlement (Multistate action) 2 mailings exposed PHI (Afib, HIV data)
2018 NJ Aetna $365,211.59 13,160 Settlement (Multistate action) 2 mailings exposed PHI (Afib, HIV data)
2018 DC Aetna $175,000 13,160 Settlement (Multistate action) 2 mailings exposed PHI (Afib, HIV data)
2018 MA UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000 Settlement Failure to secure ePHI  and multiple breaches
2018 NY Arc of Erie County $200,000 3,751 Settlement Failure to secure ePHI
2018 NJ Virtua Medical Group $417,816 1,654 Settlement Multiple violations of HIPAA Rules
2018 NY EmblemHealth $575,000 81,122 Settlement Impermissible disclosure of ePHI
2018 NY Aetna $1,150,000 12,000 Settlement 2 mailings exposed PHI (Afib, HIV data)
2017 CA Cottage Health System $2,000,000 More than 54,000 Settlement Failure to adequately protect medical records
2017 MA Multi-State Billing Services $100,000 2,600 Settlement Theft of unencrypted laptop containing PHI
2017 NJ Horizon Healthcare Services Inc., $1,100,000 3.7 million Settlement Loss of unencrypted laptop computers
2017 VT SAManage USA, Inc. $264,000 660 Settlement Spreadsheet indexed by search engines and PHI viewable
2017 NY CoPilot Provider Support Services, Inc $130,000 221,178 Settlement Delayed breach notification
2015 NY University of Rochester Medical Center $15,000 3,403 Settlement List of patients provided to nurse who took it to a new employer
2015 CT Hartford Hospital/ EMC Corporation $90,000 8,883 Settlement Theft of unencrypted laptop containing PHI
2014 MA Women & Infants Hospital of Rhode Island $150,000 12,000 Settlement Loss of backup tapes containing PHI
2014 MA Boston Children’s Hospital $40,000 2,159 Settlement Loss of laptop containing PHI
2014 MA Beth Israel Deaconess Medical Center $100,000 3,796 Settlement Loss of laptop containing PHI
2013 MA Goldthwait Associates $140,000 67,000 Settlement Improper disposal
2012 MN Accretive Health $2,500,000 24,000 Settlement Mishandling of PHI
2012 MA South Shore Hospital $750,000 800,000 Settlement Loss of backup tapes containing PHI
2011 VT Health Net Inc. $55,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications
2011 IN WellPoint Inc. $100,000 32,000 Settlement Failure to report breach in a reasonable timeframe
2010 CT Health Net Inc. $250,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications

Cases have been included if there have been potential violations of HIPAA Rules even if the financial penalty was issued for violations of state laws.