Over the years, there have been countless cases of HIPAA (Health Insurance Portability and Accountability Act) violations, which can result in significant financial penalties. Most are directly linked not to accidental employee misconduct or malicious intent but to a lack of understanding of HIPAA standards by healthcare organizations.
According to a study by NueMD, almost 36% of medical professionals do not fully understand HIPAA regulations. One thing is for certain — every time a healthcare provider fails to protect patient information and comply with HIPAA regulations, the likelihood of data breaches grows higher.
Top 20 Worst HIPAA Violation Cases
Here are the worst cases of HIPAA violations in history and an examination of how healthcare entities failed to follow HIPAA regulations:
1. Anthem, Inc. - $115 Million Class-Action Lawsuit for Failure to Implement Security Controls
The Anthem data breach is regarded as one of the biggest healthcare data breaches in history after a series of cyber attacks executed by hackers compromised the ePHI (electronic protected health information) of nearly 79 million people in 2015.
Anthem settled a consolidated class-action lawsuit for the data breach victims for $115 million in 2018. Additionally, Anthem paid a penalty of $16 million for HIPAA violations paid to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Anthem was also penalized for failing to conduct an enterprise-wide risk analysis, insufficient system monitoring procedures, lack of identification and response to cyber security incidents, and failing to implement the minimum requirements for access controls to protect against cyber attackers from as early as February 2014.
Anthem was also forced to pay for substantial corrective actions to clear up any other potential violations of HIPAA Privacy and Security Rules. Following the fine,
2. Memorial Healthcare System (MHS) - $5.5 Million Settlement for Internal PHI Breach
In 2017, the South Florida Memorial Healthcare System (MHS) settled with OCR for $5.5 million with an additional corrective action plan. MHS reported that two of its employees illegally accessed and stole the PHI and PII (including social security numbers) of over 115,000 patients to sell. This led to a large-scale investigation that revealed a dozen staff members misused the credentials of former staff to access PHI between 2011 and 2021 regularly.
The issue here is whether or not MHS had proper internal security controls to prevent the internal data breach from happening. Although federal criminal charges were brought upon the individuals attempting to sell the stolen PHI, OCR investigated MHS for failure to implement access control and limit access privileges to parties that did not have the required authorization.
Despite having policies regarding PHI access policies, they forgot to review policies around the misuse of login credentials. Additionally, MHS also failed to monitor system activity regularly, which would have revealed unauthorized access to patient information. As a result, MHS settled with OCR for one of the largest penalties in history.
3. NY-Presbyterian Hospital / Columbia University Medical Center - $4.8 Million Fine for Data Leak
The New York Presbyterian Hospital and Columbia University Medical Center were fined $4.8 million in HIPAA penalties when it was revealed the two institutions exposed the PHI of about 6800 patients in 2010.
The data leak occurred when a Columbia University physician attempted to deactivate a personal server from the shared data network that had the ePHI of the patients. During deactivation, the physician failed to use any safeguards, which left the records exposed on the internet and fully searchable on search engines.
NY-Presbyterian took most of the fine, around $3.3 million, while Columbia University paid the remaining $1.5 million, totaling one of the largest healthcare fines in history. Both parties agreed to a substantive corrective action plan to develop a standardized risk assessment process, revise data policies, provide security education and HIPAA training for staff, and provide progress reports to OCR.
4. Advocate Health Care (AHC) - $5.55 Million Fine
The Advocate Health Care (AHC) Network's $5.55 million HIPAA fine is one of the largest healthcare fines in history. During a 3-month span in 2013, AHC suffered two data breaches and one failure to attain a business associate agreement (BAA) that exposed nearly 4 million patient records:
- Four desktop computers were stolen from AHC’s Park Ridge offices
- A laptop belonging to an AHC employee with 2,237 ePHI was stolen from an unlocked vehicle
- AHC did not obtain a BAA prior to working with Blackhawk Consulting Group
AHC did not meet HIPAA standards by failing to have physical security for their offices, failing to encrypt the desktop and laptop computers, and neglecting to obtain a BAA. The settlement included agreements to address all HIPAA failures within a two-year period.
5. Cignet Health - $4.3 Million Fine for Denying Patients Access to Their Medical Records
Between 2008 and 2009, the medical institution Cignet Health of St. George County denied 41 patients access to their medical information without any viable justification. Patients immediately went to the OCR, citing that Cignet Health was in violation of the HIPAA statute that requires “covered entities” to provide patients with copies of their health records within 30-60 days after request.
To make matters worse, the institution refused to cooperate during the investigation, refused to comply with the OCR’s requests to provide medical records, and ignored all subsequent patient complaints. The initial violations would’ve resulted in a $1.3 million fine, but the refusal to cooperate with investigations and willful neglect to comply with the HIPAA Privacy Rule added an additional $3 million to the fine.
This HIPAA violation case is regarded as the first-ever civil money penalty imposed by the HHS.
6. Feinstein Institute for Medical Research - $3.9 Million Fine for Unencrypted Laptop Cost Medical Research
The Feinstein Institute for Medical Research was penalized $3.9 million for a stolen, unencrypted laptop in 2016, which, at the time, was the second-largest HIPAA fine for a single covered entity.
The medical research institute had a laptop stolen in 2012, in which an employee left the unsecured laptop in complete view in the back of their vehicle. Shortly after, the laptop was stolen from the car, exposing the ePHI of more than 13,000 patients. OCR cited this security breach as a poor security management process, which was “insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”
Specifically, the investigation identified a severe lack of policies for removing devices from the facilities, a lack of physical protections to prevent the theft of data or physical devices, and a failure to implement device encryption.
In addition to the fine, the Feinstein Institute was mandated to take up a Corrective Action Plan (CAP) to resolve all HIPAA violations.
7. Children’s Medical Center - $3.2 Million Fine for Ignoring Encryption Recommendation, Twice in Two Years
The Children’s Medical Center of Dallas was fined $3.2 million for deliberately ignoring recommendations to encrypt its data, resulting in multiple HIPAA violations dating back to 2009. The first incident involved a lost unencrypted Blackberry device in 2009, and the center suffered another stolen laptop in 2013, totaling lost PHI for over 6000 patients.
Despite filing breach reports with the OCR, the Children’s Medical Center still failed to implement encryption controls and ePHI protection. The seventh-largest pediatric health provider in the nation also neglected to perform risk assessments and evaluations, despite strong recommendations from a third party.
External risk management analyses had been run twice from 2006 to 2008, which recommended encryption for portable devices, laptops, mobile devices, and hard drives. However, the medical center continued to issue unencrypted devices until 2013, ignoring the “high-priority” advice both times.
The continued non-compliance resulted in one of the largest healthcare fines of 2017.
8. University of Rochester Medical Center - $3 Million Fine for Failure to Encrypt Devices & Report Breaches
The University of Rochester Medical Center was fined $3 million in HIPAA penalties in 2019 for losing a flash drive containing an unknown amount of unencrypted PHI in 2010 and a separate incident in 2013. Additionally, a surgeon’s unencrypted laptop was stolen in 2017, containing the PHI of 43 patients.
Upon investigation, OCR discovered that despite the three incidents of stolen unencrypted devices, URMC still failed to implement adequate security measures and did not perform the necessary organization-wide risk analysis and assessments. Furthermore, despite having three stolen devices, URMC didn’t put any device or media controls in place, failing to meet basic fundamental security measures that should have been in place much sooner.
The large fine was further compounded by the fact that the URMC failed to report the breach, did nothing to mitigate the damages, and continued using unencrypted devices. URMC was required to take significant corrective action to remediate all HIPAA Privacy and Security Rules violations following the penalties.
9. Cottage Health - $3 Million Fine for Multiple Data Breaches
California medical institution, Cottage Health, suffered two breaches that exposed the ePHI of 62,500 patients. Cottage Health had left a major internal server completely unsecured in 2013, allowing anyone on the internet to access it without credentials. A separate incident involving a server misconfiguration was also discovered in 2015 when the IT team accidentally removed server protections while resolving a troubleshooting ticket.
After OCR’s investigations, the office found that Cottage Health failed to comply with HIPAA’s Security Rules and penalized the institution $3 million. The main violations were failing to implement organizational risk assessments to identify security risks and vulnerabilities to protect PHI. Risk analysis assessments must be submitted to OCR within 180 days.
Additional fines were added due to a missing business associate agreement with a third-party contractor that also handled PHI from Cottage Health. Part of the HIPAA rules requires all parties that handle PHI to stay HIPAA-compliant, which falls on the organization to implement with their third parties.
10. University of Mississippi Medical Center - $2.75 Million Fine for Multiple HIPAA Violations
Although UMMC first violated HIPAA standards by losing an unencrypted laptop to theft, the investigation that followed revealed a list of HIPAA violations that led to a massive $2.75 million fine in 2010.
The initially stolen laptop contained information on over 500 patients, but more importantly, the laptop had complete access to the university’s wireless network, which exposed over 67,000 sensitive health files. Additionally, the network was secured with a generic username and password, which would have exposed over 10,000 patients stored on one of UMMC’s network drives.
It was also found that UMMC did not have the following:
- Incident response policies regarding security violations
- Unique user IDs to track user activity
- Comprehensive risk assessments
- Procedures to reduce existing security risks
- Adequate breach notification processes for victims
OCR mandated a three-year CAP with regular progress reports to ensure that UMMC addresses all HIPAA violations.
11. Oregon Health & Science University(OHSU) - $2.7 Million Fine for Multiple Data Breaches
Oregon Health & Science University (OHSU) was fined $2.7 million in 2013 for exposing patient information resulting from two data breaches. The first breach occurred when a laptop was stolen from a physician during a Hawaii vacation, containing information on over 4000 patients. The second breach occurred when OHSU contracted a cloud storage service to share PHI without entering a BAA, which exposed over 3000 patients.
In both incidents, OHSU was negligent, and OCR imposed a three-year CAP to achieve HIPAA compliance. Fortunately, no patient data was compromised.
12. CardioNet - $2.5 Million Settlement for a Stolen Laptop
A cardiac monitoring clinic, CardioNet, was penalized $2.5 million during a HIPAA settlement with the Office for Civil Rights (OCR). An employee’s laptop with over 1300 patient medical records was stolen from his parked car near their home in Pennsylvania in January 2021.
After an investigation by the OCR, they determined that the clinic had “insufficient risk analysis and risk management processes in place” when the laptop was stolen. CardioNet did not have any policies for securing their mobile devices' physical protection and did not have any encryption implemented to secure ePHI. Policies that had been created were left in draft mode and had not been implemented while the clinic was in operation.
As part of the $2.5 million settlement, CardioNet agreed to implement a Corrective Action Plan (CAP) to implement its digital device and data security policies.
13. Memorial Hermann Health (MHH) System - $2.4 Million Fine for Releasing Patient Information
In 2015, the Memorial Hermann Health (MHH) System was fined $2.4 million by HHS for publicly releasing patient information. What stands out about this case is that the patient had used a fake identification card and was subsequently arrested for medical fraud. The disclosure of the incident to the public was allowed under HIPAA, but shortly after, MHH published a press release that revealed the patient’s name.
Even though the name was publicly available through police records, as soon as MHH released the name through their press release and gave the name to media outlets, the health system was in immediate violation of HIPAA rules.
MHH was forced to pay the fine, update its policies regarding the impermissible use of patient information, and train all employees on safeguarding private information.
14. NewYork-Presbyterian Hospital - $2.2 Million Settlement for “Egregious Disclosure” of PHI for Reality TV Show
NewYork-Presbyterian Hospital agreed to a $2.2 million settlement with OCR after severely violating HIPAA Privacy Rules. NY-Presbyterian allowed an ABC reality TV program to film two patients in 2013 without consent or authorization, both of which were experiencing significant health issues. To make matters worse, one of the patients died during the filming of the TV show.
After an investigation by the OCR (Office of Civil Rights), it was found that NY-Presbyterian Hospital allegedly gave ABC full access to the two patients and other parts of the hospital, which directly violates patient privacy and PHI, especially since both parties did not gain consent. The blatant disregard for hospital policies and HIPAA Privacy Rules enabled the OCR to impose penalties on the hospital.
In addition to the fine, NY-Presbyterian was put on probation for two years under OCR supervision. The OCR also mandated a CAP to review media policies and HIPAA compliance in regard to patient privacy.
15. St. Joseph Health - $2.14 Million Fine for Failure to Conduct Risk Assessments
St. Joseph Health, a not-for-profit Catholic healthcare system, was fined $2.14 million in a HIPAA settlement and received an order to conduct a corrective action plan. The healthcare institution was investigated for an alleged PHI breach of more than 31,000 patients from 2011 to 2012.
The initial breach was reported to OCR, and multiple HIPAA violations were found after the investigation. Files for over 31,000 patients were left completely unsecured on the internet for over a year, with multiple records being indexed by Google. St. Joseph had purchased a server for file sharing and kept the default security settings, which provided no protection for their sensitive files.
Furthermore, a failure to conduct proper risk assessments overshadowed the entire healthcare system. St. Joseph had hired independent contractors to review security risks, but OCR concluded that those assessments were inadequate and did not cover the entire organization, violating HIPAA’s requirement for a “comprehensive” risk analysis.
16. Concentra - $1.7 Million Fine for Stolen Unencrypted Laptops
Like the other stolen laptop cases, Concentra was fined $1.7 million for unencrypted stolen laptops at its Springfield location. Despite previous warnings that leaving devices unencrypted posed serious risks to patient ePHI, Concentra largely ignored the warnings, forcing OCR to penalize the healthcare institution.
Although there was some evidence of Concentra attempting to encrypt its devices, it was an incomplete and scattered effort. Along with other insufficient security protocols, Concentra agreed to a CAP to resolve its HIPAA compliance shortcomings.
17. Walgreens - $1.4 Million Fine for Illegal Sharing of Private Medical Information
In 2014, a pharmacist from Walgreens in Indiana was in violation of HIPAA after illegally sharing medical information belonging to a woman who had a previous child with her husband. Walgreens appealed that the company should not be liable for an employee knowingly violating policies, but the court still penalized the pharmacy chain.
The main thing to note here is that HIPAA does not have any express rules regarding privacy violations. However, there are penalties that result from the “improper use and disclosure of individually identifiable medical information.”
Ultimately, the fine was upheld in court for “negligent supervision, negligent retention, and negligence by way of professional malpractice.” This incident established precedence for privacy violations under HIPAA while holding private employers accountable for negligent employees.
18. Raleigh Orthopaedic Clinic - $750,000 Fine for Improper Disclosure of Medical Files to Third-Party Contractor
In 2016, an orthopedic clinic in North Carolina was fined $750,000 for using an outside vendor to digitize its x-ray medical records and other health information in exchange for allowing the firm to harvest the silver from the leftover x-ray film.
Although the practice was not illegal, Raleigh Orthopaedic Clinic did not sign a business associate agreement (BAA) with the vendor, which violates HIPAA’s Privacy Rule. After investigating the violation, OCR found that the clinic exposed the PHI of roughly 17,300 patients.
In addition to the settlement, Raleigh Orthopaedic was mandated to revise its business policies and establish a process of partnering with third-party contractors. The clinic also had to designate an individual to be in charge of the BAA process and maintain proper documentation for partnerships up to 6 years from the agreement date or until the termination of the relationship.
19. UCLA Medical Center - 13 Firings & 6 Suspensions for Illegally Viewing Britney Spears’ Medical Records
In early 2008, Britney Spears, the popular singer, was hospitalized at the UCLA Medical Center. During her hospitalization, her medical records were illegally accessed by the staff in the hospital. After an internal investigation, six doctors and thirteen employees were fired for snooping into Britney Spears’ medical records.
Without a valid reason, none of the individuals involved were allowed to view her patient records. More than half of them weren’t authorized nor regarded as dedicated medical staff to view her PHI, which violates HIPAA rules. UCLA was not fined for the incident.
20. UCLA Medical Center - Surgeon Imprisoned for Accessing Celebrities’ PHI
In another high-profile case involving UCLA Medical Center, Huping Zhou, a cardiothoracic surgeon from China working as a researcher, was caught illegally accessing UCLA medical records in 2003, violating HIPAA Privacy Rules. The breach began shortly after he was dismissed from the research program due to performance issues.
Specifically, Zhou was illegally viewing records of coworkers and celebrities who had been patients in the UCLA hospital, including celebrities like Leonardo DiCaprio, Drew Barrymore, Arnold Schwarzenegger, and Tom Hanks. Zhou was ultimately sentenced to four months in jail and fined $2,000 for the incident in a guilty plea deal.
Initially, Zhou’s defense argued that UCLA did not provide sufficient confidentiality training for its employees, which would have been a HIPAA violation by UCLA. However, due to Zhou’s experience as a doctor, the argument was overruled, and he was convicted. Even though UCLA maintained they had sufficient protocols in place to ensure patient confidentiality, the incident led them to increase safeguards against unauthorized patient record access, increased auditing of systems, and additional accountability training for employees.