HIPAA Violation Penalty Tiers Explained

HIPAA Violation Fines

HIPAA violation fines are given by the Department of Health and Human Services Office for Civil Rights (OCR) and state attorneys general to entities that fail to comply with HIPAA regulations.


How Are Most HIPAA Violation Fines Issued?

In most instances, covered entities and business associates acknowledge potential non-compliance with specific aspects of the HIPAA Rules. This leads to agreement on a settlement amount and resolution of the case without an admission of liability. In addition, a corrective action plan is drawn up to remedy the HIPAA violations.

However, if a HIPAA-covered entity contests the investigation's findings, the result can be the imposition of a civil monetary penalty.

While the Department of Health and Human Services Office for Civil Rights (OCR) administers fines for HIPAA breaches, state attorneys general often pursue monetary penalties against HIPAA-covered entities under state laws, where equivalent provisions exist at the state level. Legal actions for state law violations are typically easier to win, and the state-level penalty framework may allow more substantial financial sanctions. Only a limited number of states have used the authority granted to them by HIPAA/HITECH to impose financial penalties on HIPAA-covered entities and their business associates for violations of the HIPAA Rules.

HIPAA Violation Penalty Tiers Explained

HIPAA violation penalties are divided into four tiers. Each tier is defined by the level of culpability, and each tier carries a minimum and a maximum base fine per violation as well as an annual penalty limit (note that the fines are subject to a cost-of-living adjustment multiplier; for 2023 the multiplier is 1.07745).

Tier 1: the entity was unaware of the HIPAA violation and exercised responsible due diligence. Minimum fine of $100 and maximum fine of $50,000 per violation, with an annual penalty limit of $25,000.

Tier 2: the entity knew, or should have known had it exercised responsible due diligence, about the HIPAA violation. Minimum fine of $1,000 and maximum fine of $50,000 per violation, with an annual penalty limit of $100,000.

Tier 3: the entity was in wilful neglect of the HIPAA Rules but corrected the violation within 30 days of discovery. Minimum fine of $10,000 and maximum fine of $50,000 per violation, with an annual penalty limit of $250,000.

Tier 4: the entity was in wilful neglect of the HIPAA Rules and made no effort to correct the violation within 30 days of discovery. Minimum fine of $50,000 per violation, with an annual penalty limit of $1,500,000.

How many HIPAA violations have been reported, and how many have resulted in fines?

As of June 2022, although the Health and Human Services Office for Civil Rights had received over 300,000 complaints and data breach reports, it had imposed fines or reached settlements in just 110 cases. The majority of the remaining cases in which HIPAA violations were identified were resolved through technical assistance and the implementation of corrective action plans.

Can the Health and Human Services Office for Civil Rights pursue criminal charges for HIPAA violations?

When the Office for Civil Rights examines a case and identifies potential grounds for criminal prosecution, it refers the case to the Department of Justice. The Department of Justice has the power to pursue criminal charges for HIPAA violations; this has resulted in jail sentences for several individuals found responsible for breaching HIPAA regulations.

Why are the majority of HIPAA Violations Right of Access failures?

Starting in 2019, the Office for Civil Rights initiated an enforcement effort known as the Right of Access initiative. This initiative aims to tackle the growing volume of patient complaints concerning difficulties or delays in obtaining copies of their Protected Health Information (PHI). It's important to note that this focus on the Right of Access issue does not imply that the Health and Human Services Office for Civil Rights is neglecting other categories of HIPAA violations; the agency remains actively engaged in investigating various types of violations and data breaches.

2022 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Violation
2022 | Health Specialists of Central Florida Inc | $20,000 | Settlement | HIPAA Right of Access failure
2022 | New Vision Dental | $23,000 | Settlement | PHI disclosure, notice of privacy practices, releasing PHI on social media
2022 | Great Expressions Dental Center of Georgia, P.C. | $80,000 | Settlement | HIPAA Right of Access failure
2022 | Family Dental Care, P.C. | $30,000 | Settlement | HIPAA Right of Access failure
2022 | B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental | $25,000 | Settlement | HIPAA Right of Access failure
2022 | New England Dermatology and Laser Center | $300,640 | Settlement | Improper disposal of PHI, and failure to maintain safeguards
2022 | ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure
2022 | Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure
2022 | Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure
2022 | Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure
2022 | MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure
2022 | Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure
2022 | Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure
2022 | Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure
2022 | Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure
2022 | Lawrence Bell, Jr., D.D.S. | $5,000 | Settlement | HIPAA Right of Access failure
2022 | Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure
2022 | Oklahoma State University – Center for Health Sciences | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, and the disclosure of the PHI of 279,865 individuals
2022 | Dr. Brockley | $30,000 | Settlement | HIPAA Right of Access
2022 | Jacob & Associates | $28,000 | Settlement | HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer
2022 | Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. | $50,000 | Civil Monetary Penalty | Prohibited disclosure on social media
2022 | Northcutt Dental-Fairhope | $62,500 | Settlement | Prohibited disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer

2021 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Violation
2021 | Advanced Spine & Pain Management | $32,150 | Settlement | HIPAA Right of Access failure
2021 | Denver Retina Center | $30,000 | Settlement | HIPAA Right of Access failure
2021 | Dr. Robert Glaser | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure
2021 | Rainrock Treatment Center LLC (dba Monte Nido Rainrock) | $160,000 | Settlement | HIPAA Right of Access failure
2021 | Wake Health Medical Group | $10,000 | Settlement | HIPAA Right of Access failure
2021 | Children’s Hospital & Medical Center | $80,000 | Settlement | HIPAA Right of Access failure
2021 | The Diabetes, Endocrinology & Lipidology Center, Inc. | $5,000 | Settlement | HIPAA Right of Access failure
2021 | AEON Clinical Laboratories (Peachstate) | $25,000 | Settlement | HIPAA Security Rule failures (risk assessment, risk management, audit controls, and lack of documentation of HIPAA Security Rule policies and procedures)
2021 | Village Plastic Surgery | $30,000 | Settlement | HIPAA Right of Access failure
2021 | Arbour Hospital | $65,000 | Settlement | HIPAA Right of Access failure
2021 | Sharpe Healthcare | $70,000 | Settlement | HIPAA Right of Access failure
2021 | Renown Health | $75,000 | Settlement | HIPAA Right of Access failure
2021 | Excellus Health Plan | $5,100,000 | Settlement | Risk analysis failure, risk management failure, lack of information system activity reviews, lack of technical policies to prevent unauthorized ePHI access, and a breach of 9,358,891 records
2021 | Banner Health | $200,000 | Settlement | HIPAA Right of Access failure

2020 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Violation
2020 | Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Settlement | HIPAA Right of Access failure
2020 | University of Cincinnati Medical Center | $65,000 | Settlement | HIPAA Right of Access failure
2020 | Dr. Rajendra Bhayani | $15,000 | Settlement | HIPAA Right of Access failure
2020 | Riverside Psychiatric Medical Group | $25,000 | Settlement | HIPAA Right of Access failure
2020 | City of New Haven, CT | $202,400 | Settlement | Failure to terminate access rights, risk analysis failure, failure to implement Privacy Rule policies, failure to issue unique IDs, impermissible disclosure of the PHI of 498 individuals
2020 | Aetna | $1,000,000 | Settlement | Failure to conduct an evaluation in response to environmental or operational changes affecting ePHI security, identity check failure, minimum necessary information failure, lack of administrative, technical, and physical safeguards
2020 | NY Spine | $100,000 | Settlement | HIPAA Right of Access failure
2020 | Dignity Health, dba St. Joseph’s Hospital and Medical Center | $160,000 | Settlement | HIPAA Right of Access failure
2020 | Premera Blue Cross | $6,850,000 | Settlement | Risk assessment failure, risk management failure, insufficient hardware and software controls
2020 | CHSPSC LLC | $2,300,000 | Settlement | Risk analysis failure, failure to implement information system activity reviews, security incident procedure failure, and insufficient access controls
2020 | Athens Orthopedic Clinic PA | $1,500,000 | Settlement | Failure to conduct a risk analysis, risk management failure, lack of audit controls, no HIPAA policies and procedures, lack of business associate agreements, and no HIPAA Privacy Rule training for the workforce
2020 | Housing Works, Inc. | $38,000 | Settlement | HIPAA Right of Access failure
2020 | All Inclusive Medical Services, Inc. | $15,000 | Settlement | HIPAA Right of Access failure
2020 | Beth Israel Lahey Health Behavioral Services | $70,000 | Settlement | HIPAA Right of Access failure
2020 | King MD | $3,500 | Settlement | HIPAA Right of Access failure
2020 | Wise Psychiatry, PC | $10,000 | Settlement | HIPAA Right of Access failure
2020 | Lifespan Health System Affiliated Covered Entity | $1,040,000 | Settlement | Lack of encryption, device and media controls, and business associate agreement failures
2020 | Metropolitan Community Health Services dba Agape Health Services | $25,000 | Settlement | Systemic noncompliance with the HIPAA Security Rule
2020 | Steven A. Porter, M.D. | $100,000 | Settlement | Risk analysis and risk management failures

2019 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Violation
2019 | West Georgia Ambulance | $65,000 | Settlement | Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures
2019 | Korunda Medical, LLC | $85,000 | Settlement | HIPAA Right of Access failure
2019 | Sentara Hospitals | $2,175,000 | Settlement | Breach notification failure; business associate agreement failure
2019 | University of Rochester Medical Center | $3,000,000 | Settlement | Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device and media controls
2019 | Elite Dental Associates | $10,000 | Settlement | Social media disclosure; notice of privacy practices; impermissible PHI disclosure
2019 | Bayfront Health St Petersburg | $85,000 | Settlement | HIPAA Right of Access failure
2019 | Medical Informatics Engineering | $100,000 | Settlement | Risk analysis failure; impermissible disclosure of 3.5 million records
2019 | Touchstone Medical Imaging | $3,000,000 | Settlement | No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI
2019 | Texas Department of Aging and Disability Services | $1,600,000 | Civil Monetary Penalty | Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients’ ePHI
2019 | Jackson Health System | $2,154,000 | Civil Monetary Penalty | Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations

2018 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Violation
2018 | Fresenius Medical Care North America | $3,500,000 | Settlement | Risk analysis failures; impermissible disclosure of ePHI; lack of policies covering electronic devices; lack of encryption; insufficient security policies; insufficient physical safeguards
2018 | Filefax, Inc. | $100,000 | Settlement | Prohibited disclosure of PHI
2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty | Prohibited disclosure of ePHI; no encryption
2018 | Massachusetts General Hospital | $515,000 | Settlement | Filming patients without consent
2018 | Brigham and Women’s Hospital | $384,000 | Settlement | Filming patients without consent
2018 | Boston Medical Center | $100,000 | Settlement | Filming patients without consent
2018 | Anthem Inc | $16,000,000 | Settlement | Risk analysis failures; insufficient reviews of system activity; failure related to response to a detected breach; insufficient technical controls to prevent unauthorized ePHI access
2018 | Allergy Associates of Hartford | $125,000 | Settlement | PHI disclosure to a reporter; no sanctions against employees
2018 | Advanced Care Hospitalists | $500,000 | Settlement | Prohibited PHI disclosure; no BAA; insufficient security measures; no HIPAA compliance efforts prior to April 1, 2014
2018 | Pagosa Springs Medical Center | $111,400 | Settlement | Failure to terminate employee access; no BAA
2018 | Cottage Health | $3,000,000 | Settlement | Risk analysis failure; risk management failure; no BAA

2017 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason
2017 | 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations
2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI
2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI
2017 | The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement
2017 | Cardionet | $2,500,000 | Settlement | Prohibited Disclosure of PHI
2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process
2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls
2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Prohibited Disclosure of ePHI
2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Prohibited Disclosure of ePHI
2017 | Presence Health | $475,000 | Settlement | Delayed Breach Notifications

2016 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason
2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to Manage Security Risks
2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to Conduct Risk Analysis
2016 | Care New England Health System | $400,000 | Settlement | Lack of a Business Associate Agreement
2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA Violations
2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA Violations
2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a Business Associate Agreement
2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to Safeguard ePHI
2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming Patients without Authorization
2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of Business Associate Agreement
2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Prohibited Disclosure of PHI
2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a Business Associate Agreement
2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Prohibited Disclosure of PHI
2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to Safeguard PHI

2015 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason
2015 | University of Washington Medicine | $750,000 | Settlement | Failure to Conduct Risk Analysis
2015 | Triple S Management Corporation | $3,500,000 | Settlement | Multiple HIPAA Violations
2015 | Lahey Hospital and Medical Center | $850,000 | Settlement | Multiple HIPAA Violations
2015 | Cancer Care Group, P.C. | $750,000 | Settlement | Failure to Conduct Risk Analysis
2015 | St. Elizabeth’s Medical Center | $218,400 | Settlement | Multiple HIPAA Violations
2015 | Cornell Prescription Pharmacy | $125,000 | Settlement | Improper Disposal of PHI

2014 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason
2014 | Anchorage Community Mental Health Services | $150,000 | Settlement | Failure to Manage Risks to ePHI
2014 | Parkview Health System, Inc. | $800,000 | Settlement | Failure to Safeguard PHI
2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement | Failure to Conduct Risk Analysis
2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement | Failure to Safeguard ePHI
2014 | Concentra Health Services | $1,725,220 | Settlement | Failure to Safeguard ePHI
2014 | Skagit County, Washington | $215,000 | Settlement | Failure to Safeguard ePHI

2013 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason
2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement | Failure to Safeguard ePHI
2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement | Failure to Permanently Erase ePHI
2013 | WellPoint | $1,700,000 | Settlement | Failure to Safeguard ePHI
2013 | Shasta Regional Medical Center | $275,000 | Settlement | Disclosure of PHI Without Patient Consent
2013 | Idaho State University | $400,000 | Settlement | Failure to Safeguard ePHI

2012 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason
2012 | The Hospice of Northern Idaho | $50,000 | Settlement | Theft of an Unencrypted Laptop
2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement | Multiple HIPAA Violations
2012 | Alaska DHSS | $1,700,000 | Settlement | Failure to Perform Risk Analysis / Risk Management Failures
2012 | Phoenix Cardiac Surgery | $100,000 | Settlement | Lack of HIPAA Safeguards
2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards

2011 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason
2011 | University of California at Los Angeles Health System | $865,500 | Settlement | Failure to Restrict Access to Medical Records
2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 | Settlement | Failure to Safeguard PHI
2011 | Cignet Health of Prince George’s County | $4,300,000 | Civil Monetary Penalty | Denying Patients Access to Medical Records

2010 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason
2010 | Management Services Organization Washington Inc. | $35,000 | Settlement | Risk Analysis Failures / Insufficient Security Measures
2010 | Rite Aid Corporation | $1,000,000 | Settlement | Multiple HIPAA Violations

2009 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason
2009 | CVS Pharmacy Inc. | $2,250,000 | Settlement | Multiple HIPAA Violations

2008 HIPAA Violation Fines and Settlements

Year | Entity | Amount | Settlement or Civil Monetary Penalty | Reason
2008 | Providence Health & Services | $100,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards

State Attorneys General HIPAA Fines and Settlements

State attorneys general have the power to levy financial penalties for breaches of HIPAA. In many cases where HIPAA was violated, however, the fines are imposed under state laws instead.

Civil monetary penalties and settlements imposed for HIPAA violations or breaches of equivalent state laws:

Year | State | Entity | Amount | Individuals affected | Settlement or Civil Monetary Penalty | Violation
2023 | Colorado | Broomfield Skilled Nursing and Rehabilitation Center | $60,000 ($25,000 suspended) | 677 | Settlement | Violations of HIPAA data encryption requirements, state data protection laws, and deceptive trading practices
2023 | Indiana | Schneck Medical Center | $250,000 | 89,707 | Settlement | Violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule; Indiana Disclosure of Security Breach Act; Indiana Deceptive Consumer Sales Act
2023 | California | Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals | $49,000,000 | 7,700 | Settlement | Violations of HIPAA; California Hazardous Waste Control Law; Medical Waste Management Act; California Confidentiality of Medical Information Act; California Customer Records Law; California Unfair Competition Law
2023 | California | Kaiser Permanente | $450,000 | Fewer than 167,095 | Settlement | Prohibited disclosure of PHI and negligent maintenance or disposal of PHI in violation of the California Confidentiality of Medical Information Act (CMIA)
2023 | New York | Professional Business Systems Inc (dba Practicefirst Medical Management Solutions and PBS Medcode Corp) | $550,000 | 1.2 million | Settlement | Data security failures: patch management, data encryption, vulnerability scans, and penetration tests
2023 | Oregon, New Jersey, Florida, Pennsylvania | EyeMed Vision Care | $2,500,000 | 2.1 million | Settlement | Data security failures including access controls
2023 | New York | Heidell, Pittoni, Murphy & Bach LLP | $200,000 | 61,438 | Settlement | Violation of 17 HIPAA Privacy and Security Rule provisions
2023 | Pennsylvania/Ohio | DNA Diagnostics Center | $400,000 | 2.1 million | Settlement | Lack of safeguards, failure to update asset inventory, and failure to disable/remove assets not used for business purposes
2022 | Oregon/Utah | Avalon Healthcare | $200,000 | 14,500 | Settlement | Breach notification delay and information security program failures
2022 | Massachusetts | Aveanna Healthcare | $425,000 | 166,000 | Settlement | Lack of security safeguards to combat phishing, including no multifactor authentication
2022 | New York | EyeMed Vision Care | $600,000 | 2.1 million | Settlement | Multiple violations of HIPAA and New York General Business Law
2021 | New Jersey | Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) | $425,000 | 105,000 | Settlement | Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program
2021 | New Jersey | Command Marketing Innovations, LLC and Strategic Content Imaging LLC | $130,000 (plus $65,000 suspended) | 55,715 | Settlement | Failure to ensure the confidentiality of PHI, lack of PHI safeguards, failure to review security measures following changes to procedures
2021 | New Jersey | Diamond Institute for Infertility and Menopause | $495,000 | 14,663 | Settlement | Multiple Privacy Rule and Security Rule failures, and violations of the Consumer Fraud Act
2021 | Multistate | American Medical Collection Agency | $21 million (suspended) | 21,000,000 | Settlement | Security failures, including the failure to detect a data breach
2020 | Multistate | CHSPSC LLC | $5,000,000 | 6.1 million | Settlement | Failure to implement and maintain reasonable security practices
2020 | Multistate | Anthem Inc | $48.2 million | 78.8 million | Settlement | Multiple violations of HIPAA and state laws
2019 | Multistate | Premera Blue Cross | $10,000,000 | 10.4 million | Settlement | Multiple HIPAA violations
2019 | Multistate | Medical Informatics Engineering | $900,000 | 3.5 million | Settlement | Multiple HIPAA violations
2019 | CA | Aetna | $935,000 | 1,991 | Settlement | 2 mailings exposed PHI (Afib, HIV)
2018 | MA | McLean Hospital | $75,000 | 1,500 | Settlement | Loss of backup tapes
2018 | NJ | EmblemHealth | $100,000 | 6,443 (81,000) | Settlement | Mailing error exposed SSNs
2018 | NJ | Best Transcription Medical | $200,000 | 1,650 | Settlement | Exposure of ePHI via search engines
2018 | CT | Aetna | $99,959 | 13,160 | Settlement (multistate action) | 2 mailings exposed PHI (Afib, HIV data)
2018 | NJ | Aetna | $365,211.59 | 13,160 | Settlement (multistate action) | 2 mailings exposed PHI (Afib, HIV data)
2018 | DC | Aetna | $175,000 | 13,160 | Settlement (multistate action) | 2 mailings exposed PHI (Afib, HIV data)
2018 | MA | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Settlement | Failure to secure ePHI and multiple breaches
2018 | NY | Arc of Erie County | $200,000 | 3,751 | Settlement | Failure to secure ePHI
2018 | NJ | Virtua Medical Group | $417,816 | 1,654 | Settlement | Multiple violations of HIPAA Rules
2018 | NY | EmblemHealth | $575,000 | 81,122 | Settlement | Prohibited disclosure of ePHI
2018 | NY | Aetna | $1,150,000 | 12,000 | Settlement | 2 mailings exposed PHI (Afib, HIV data)
2017 | CA | Cottage Health System | $2,000,000 | More than 54,000 | Settlement | Failure to adequately protect medical records
2017 | MA | Multi-State Billing Services | $100,000 | 2,600 | Settlement | Theft of unencrypted laptop containing PHI
2017 | NJ | Horizon Healthcare Services Inc. | $1,100,000 | 3.7 million | Settlement | Loss of unencrypted laptop computers
2017 | VT | SAManage USA, Inc. | $264,000 | 660 | Settlement | Spreadsheet indexed by search engines with PHI viewable
2017 | NY | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Settlement | Delayed breach notification
2015 | NY | University of Rochester Medical Center | $15,000 | 3,403 | Settlement | List of patients provided to a nurse who took it to a new employer
2015 | CT | Hartford Hospital / EMC Corporation | $90,000 | 8,883 | Settlement | Theft of unencrypted laptop containing PHI
2014 | MA | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Settlement | Loss of backup tapes containing PHI
2014 | MA | Boston Children’s Hospital | $40,000 | 2,159 | Settlement | Loss of laptop containing PHI
2014 | MA | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Settlement | Loss of laptop containing PHI
2013 | MA | Goldthwait Associates | $140,000 | 67,000 | Settlement | Improper disposal
2012 | MN | Accretive Health | $2,500,000 | 24,000 | Settlement | Mishandling of PHI
2012 | MA | South Shore Hospital | $750,000 | 800,000 | Settlement | Loss of backup tapes containing PHI
2011 | VT | Health Net Inc. | $55,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive / delayed breach notifications
2011 | IN | WellPoint Inc. | $100,000 | 32,000 | Settlement | Failure to report a breach in a reasonable timeframe
2010 | CT | Health Net Inc. | $250,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive / delayed breach notifications