Top 10 Settlements and Fines for HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is the key law governing healthcare privacy. The key provision of HIPAA is that medical providers, insurance companies, and others with access to medical information are strictly prevented from sharing or publicizing data they know about patients without permission. The assumption is that it is not OK to share the medical records of any patient. In fact, a specific acknowledgment must come from the patient in order to share protected health information. Any neglect can trigger legal action, including fines, but the legal concept of "willful neglect" is important in proving the guilt of the medical provider. (This is vitally important in one of the cases below.)

Most cited healthcare entities showed the same kinds of security issues. Failures to conduct an enterprise-wide risk analysis, implement risk management programs, conduct information system activity reviews, and properly manage access to data, including adequately securing and encrypting devices, lead to HIPAA violations and massive fines. Prevention strategies, like simple staff training, might have prevented actions that allowed hackers access to healthcare IT systems, and disaster recovery and business continuity plans could help ensure that appropriate steps were taken to limit risks after a breach discovery. 

Here are the 10 highest settlements brought by the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) to consider for anyone that regularly deals with the healthcare industry. 

What can you learn from the 10 most expensive HIPAA violations to date?

1. 2018 Anthem, $16 million

In 2018, Anthem, one of the nation's largest health benefits companies, had the largest health data breach, followed by the largest HIPAA settlement in history. Their $16 million dollar fine accompanied a corrective action plan to bring them into compliance with HIPAA requirements.

Cyber attackers gained access when at least one employee of an Anthem subsidiary responded to a malicious phishing email. This opened the door to additional attacks between December 2, 2014, through the end of January 2015. The OCR determined that Anthem didn't take appropriate measures to detect hackers, failed to conduct an enterprise-wide risk analysis, and didn't have procedures to review system activity, among other violations. 

2. 2020 Premera Blue Cross, $6.85 million

Premera Blue Cross, the largest health plan in the Pacific Northwest, paid more than $6.85 million in fines in 2020 to settle HIPAA violations related to a breach affecting over 10.4 million people. The second-largest payment to resolve a HIPAA investigation in history included fines, corrective action, and two years of monitoring. 

A successful phishing email allowed hackers to install malware providing access to PBC's IT system in May 2014, which went undetected for nearly nine months until January 2015. The investigation found systemic noncompliance with the HIPAA rules, including failure to conduct an enterprise-wide risk analysis and implement risk management and audit controls.  

3. 2016 Advocate Health Care, $5.5 million 

Advocate Health Care in Illinois is one of the largest private hospital networks in the country. In 2016, the $5.5 million fine they were given was the largest HIPAA fine to that point. The company had to pay when it admitted that four unencrypted laptops were stolen and the company's network was breached in two additional incidents. During the investigation, violations were discovered dating back to the inception of HIPAA regulations. The organization adopted a corrective action plan and the largest single fine for an entity at the time.

4. 2017 Memorial Healthcare Systems, $5.5 million 

Memorial Healthcare Systems is a nonprofit corporation operating six hospitals, an urgent care center, a nursing home, and various ancillary health care facilities throughout the South Florida area. A former employee's login credentials were used without notice for nearly a year, and protected information was accessed for nearly a year between 2011 and 2012. As a result, they were fined $5.5 million in 2017. HIPAA requires termination or modification of user access, and MHS failed to follow its own policies and procedures. Additionally, a lack of regular review of audit logs and a lack of access controls were identified as concerns during risk analyses over several years, making the breach highly preventable.

5. 2021 Lifetime Healthcare Companies, $5.1 Million

In 2021, Excellus Health Plan, a Lifetime Healthcare Companies affiliate health insurance coverage provider, was required to pay $5.1 million, take corrective action, and be monitored for two years. Cyber-attackers gained access to IT systems, installed malware, and conducted recon activities exposing the data of more than 9.3 million people for more than a year. Failure to perform enterprise-wide risk analysis and implement risk management actions like IT system activity review were among the issues cited.

6. 2018 University of Texas MD Anderson Cancer Center, $4.3 million

The University of Texas MD Anderson Cancer Center (MD Anderson) was fined $4.3 million in 2018 after investigations of data breaches related to three unencrypted items reported by the hospital in 2013 and 2014. Internal assessments had pointed out that the lack of device-level encryption posed a high security risk. 

However, in January 2021, the financial penalty was overturned by the 5th U.S. Circuit Court of Appeals which determined that M.D Anderson had implemented various mechanisms to encrypt information following HIPAA requirements, even if some employees didn't correctly use them. In addition to other factors, this good-faith security action by the organization played a key role in the new ruling.

6. 2013 Columbia and New York Presbyterian Hospitals, $4.8 million

In 2013, two New York hospitals, Columbia and New York Presbyterian were jointly fined $4.8 million after a botched server deactivation caused PHI to appear on search engines. The OCR found that the hospitals did not do a proper risk assessment and did not have enough protections in place to prevent the data breach. In addition to the fine, they were required to upgrade systems and create appropriate policies and defenses for future cyber attacks.

7. 2016 Feinstein Research, $3.9 million

Feinstein Research, a biomedical research nonprofit sponsored by Northwell Health, reported a laptop containing research had been stolen from an employee's car in 2012. The OCR determined in 2016 that Feinstein failed to safeguard PHI as required. Security management was incomplete and limited in scope. There were insufficient safeguards for limiting access to unauthorized users. It lacked policies and procedures to govern the receipt and removal of laptops containing protected data. The organization agreed to pay a settlement of $3.9 million and undertake corrective action. 

8. 2015 Triple-S Management $3.5 million

Triple-S Management settled its HIPAA violations in 2015 with a $3.5 million settlement and a corrective action plan after repeatedly failing to put safeguards in place after an investigation discovered widespread noncompliance with regulations throughout the organization. Issues included failures to implement security measures, lack of physical and technical safeguards, and inappropriate disclosure to outside vendors without appropriate business agreements, in addition to other violations. Their compliance requirements included risk analysis and management plans, policies and procedures to facilitate HIPAA compliance, and a training program for all workforce and business associates.

9. 2018 Fresenius Medical Care North America (FMCNA) $3.5 million

In 2018 Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million and adopt a comprehensive corrective action plan to settle potential HIPAA violations. Their properties include dialysis facilities, outpatient cardiac and vascular labs, urgent care centers, and other medical facilities. Vulnerabilities at multiple locations caused breaches that exposed PHI. These issues ranged from failure to implement security policies, encrypt information, and safeguard facilities and equipment from unauthorized access and theft. This case highlighted the need for security across multiple organizations.

10. 2017 Children’s Medical Center of Dallas, $3.2 million

The theft of devices that were neither password-protected nor encrypted was the cause of the Children's Medical Center of Dallas 2017 fine of $3.2 million. The organization failed to implement a "high priority" recommendation to add encryption on portable devices to protect PHI if a device is lost or stolen. The breach could have been avoided had the Children's Medical Center acted on the recommendations. Fortunately, the OCR determined that the loss did no apparent harm and the breaches were not the result of willful negligence, so they were given the minimum possible penalty of $3.2 million.

SecureNetMD® is a leading software and solutions provider helping healthcare providers with communication technologies. Our custom-tailored, advanced systems can help you steer clear of HIPAA violations. For more information, please contact us.