10 Companies That Lost Millions For These Avoidable HIPAA Violations

As telehealth grows and becomes more central to healthcare, so too must the protections around it. Through telehealth, medical providers are creating, storing, exchanging and deleting Electronic Protected Health Information (ePHI) all the time; but is this safe? Can video streams be tapped without the participants knowing? Is the information stored online secure? Will PHI end up in public view? HIPAA regulations set standards to prevent these outcomes, but are providers and their business associates following them? Here is what happened to 10 that did not.

(These 10 are listed in no particular order and were chosen only to illustrate the range of reasons, and amounts, for which one can be penalized.)



1) $4.8 Million – New York-Presbyterian Hospital and Columbia University Medical Center
This was the largest HIPAA settlement at the time it was announced in 2014. What makes this case unusual is that it was a joint breach of NYP and CU caused by the actions of a single CU physician. According to HHS' report: “The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI.  Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.” The sensitive health information of 6,800 people was exposed to the internet, which is certainly cause for a hefty fine. In the full investigation that followed, OCR found these additional violations:

  1. Failure to conduct an accurate and thorough risk assessment
  2. As a result, no risk management plan and no contingency plan
  3. No policies and procedures in place for authorizing access to its databases


2) $475,000 – Presence Health

A significantly smaller fine than the last, but still not a small one: the U.S. Department of Health and Human Services fined Presence Health for failing to provide timely breach notification. (Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.)


3) $2.14 Million – St. Joseph Health
A nonprofit but large network, SJH was served a hefty fine along with a comprehensive corrective action plan after its ePHI was found to be publicly accessible through internet search engines. Other violations include:

  1. Exposure of the PHI of 31,800 individuals
  2. Implementation of a new server without evaluating the environmental and operational changes it introduced
  3. Although a number of contractors were hired to assess risk, as the HIPAA Security Rule requires, the work was “conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis”.


4) $2.75 Million – University of Mississippi Medical Center
Although aware of vulnerabilities in its systems since 2005, UMMC did nothing about them, and an investigation was launched when the ePHI of approximately 10,000 individuals was breached via a stolen laptop. The laptop gave easy access to thousands of patient files. Other violations found include:

  1. Did not implement policies and procedures to prevent, detect, contain and correct security violations
  2. Lacked physical safeguards (e.g. for workstations that access ePHI, restricting use to authorized users)
  3. Did not assign unique user identifiers to identify and track user identity in its information systems
  4. Did not notify the affected individuals of the breach


5) $1.7 Million – Alaska Department of Health and Social Services
This one was chosen to show that even a state health agency must be careful to follow HIPAA regulations. There are no exceptions; if OCR investigates you, you are not immune to penalty. In this incident, an unencrypted portable hard drive containing PHI was stolen from an employee's vehicle. The resulting investigation found:

  1. No risk assessment had been performed
  2. Sufficient security measures had not been implemented
  3. Security training had not been completed


6) $4.3 Million – Cignet Health Center
OCR investigated Cignet for refusing 41 patients' requests for copies of their own medical records, a violation that cost Cignet $1.3 million. That was not the only violation. Cignet also refused to produce records requested by OCR and failed to cooperate with the investigation overall, which OCR treated as willful neglect and penalized with a further $3 million. Unlike most entries on this list, this was a civil money penalty imposed by OCR rather than a negotiated settlement.


7) $650,000 – Catholic Health Care Services of the Archdiocese of Philadelphia
Following the theft of an employee's mobile device containing the PHI of nursing home residents, CHCS was fined over half a million dollars. The company provides services to six nursing facilities, but it had neglected these HIPAA requirements:

  1. Encrypt ePHI that is created, received, maintained or transmitted on mobile devices
  2. Conduct an enterprise-wide risk analysis
  3. Maintain a contingency plan
  4. Train staff on security measures


8) $750,000 – Raleigh Orthopedic Clinic, P.A. of North Carolina
This hefty fine was simply the result of not having a Business Associate Agreement (BAA) in place. This is a part of HIPAA that many organizations are discovering they cannot disregard. Raleigh Orthopaedic handed over the records of more than 17,000 patients to a prospective business partner without first signing a BAA, and so without any contractual protection of its patients' information against misuse and improper disclosure. It may seem easy to overlook, but the consequences are no light matter.


9) $1.55 Million – North Memorial Health Care of Minnesota
To underscore the importance of a BAA, here is another fine issued by OCR. This one was particularly expensive because North Memorial had given a business associate access to the information of nearly 300,000 patients. In the end it had overlooked two cornerstones of the HIPAA rules:

  1. A signed BAA
  2. An enterprise-wide risk assessment


10) $750,000 – University of Washington Medicine
Because an employee opened an email attachment containing malware, the ePHI of approximately 90,000 individuals was compromised. In addition, OCR found that UW Medicine lacked policies and procedures to prevent, detect, contain and correct such security violations. Along with this comparatively small fine (though not at all small on its own), UW Medicine must now carry out a corrective action plan and submit annual reports on its compliance efforts.

The Takeaway

The main reason to follow HIPAA regulations closely is to protect our patients, our clients and ourselves. Privacy and confidentiality are increasingly cherished, and we have to work to secure them. For those who need another reason, these penalties are for you. For those who are genuinely concerned, don't worry; just take action. The pattern across these incidents is repetitive and preventable:

  • Have a signed BAA with anyone who handles your PHI
  • Guard your mobile devices and portable media, and encrypt them
  • Conduct an enterprise-wide risk analysis and implement the security policies and procedures it calls for
  • Notify affected individuals of a breach within the 60-day window
