HIPAA Breach Cases 2020

by | Nov 19, 2020

Listed here is a summary of some of the most significant HIPAA breach cases that have lead to settlement agreements with the Department of Health and Human Services’ Office for Civil Rights (OCR).

We have also listed some cases that have been pursued by OCR after a number of HIPAA violations were identified in the course of during HIPAA data breach investigations, and investigations of complaints submitted by patients and healthcare staff.

OCR has grown its enforcement capabilities since 2018 leading to additional HIPAA breach cases that warrant financial penalties such as settlements and civil monetary fines. To date in 2017, there have been nine HIPAA fines issued to resolve breach cases. In 2016, a record period of 12 months for enforcement of HIPAA Rules, there were 12 settlements and one civil monetary penalty issued to settle HIPAA breach incidents.

Due to enhancing its enforcement capability, OCR is indicating that any breach of HIPAA Rules lead to the most severe punishment possible.

Consequences of Violating HIPAA Breach Consequences

The consequences of breaching HIPAA can be severe and it is important to remember fines for a HIPAA violation can be sanctioned by the HHS´ Office for Civil Rights (OCR) even if no breach of PHI has taken place. The financial consequences of breaching HIPAA depend on the extent of negligence and – if a breach has taken place – the amount of records possibly exposed by the breach and the danger that may be caused by the unauthorized disclosure:

  • A breach of HIPAA that took place due to ignorance can result in a financial penalty of $100 – $50,000.
  • A breach that took place as a result of reasonable vigilance can result in a financial penalty of of $1,000 – $50,000.
  • A breach that took place as a result of willful neglect which is addressed within thirty days will result in a financial penalty of between $10,000 and $50,000.
  • A breach that took place as a result of willful neglect which is not addressed inside of 30 days lead to a maximum financial penalty of $50,000.

The figures included here represent the financial penalties  can be sanctioned by OCR. Attorney Generals can also sanctions financial penalties if a breach of PHI breaches state legislation; and – if it can be shown that an individual has sustained harm as a result of the negligence of a Covered Entity or Business Associate – it is also possible for the individual to initiate a civil lawsuit for compensation. In some legal jurisdictions, the amount of punitive damages awarded could be in excess of the maximum $1.5 million fine (per breach) that can be OCR.

Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000

Following claims of breaches of federal and state legislation, linked to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, New Jersey and Kingston NY, Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties and implement a range of security enhancements.

Read more here.

$48.2 Million In HIPAA Penalties Paid by Anthem to Settles State Attorneys General Data Breach Investigations

Anthem Inc. has come to an agreement to settle actions by state attorneys general in different US states  in relation to the 2014 78.8 million record data breach. Along with the $48.2 million financial penalty, Anthem has committed to implementing a number of corrective actions to better data security practices. These include steps such as configuring a thorough information security program using the principles of zero trust architecture. Ongoing security updates are now shared with the board of directors and significant security events are reported as soon as possible to the CEO.

Read more here.

Grays Harbor Community Hospital Ransomware Lawsuit May be Settled for $185,000

Following mediation talks, there has been an agreement to a proposed settlement between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit connected to a June 2019 ransomware attack that lead to the encryption of patient data.

Read more here.

HIPAA Violation Case Settled Between Ambulance Company & OCR for $65,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has revealed a $65,000 HIPAA violation settlement has been agreed with West Georgia Ambulance, Inc., to address multiple breaches of Health Insurance Portability and Accountability Act Rules.

Read more here.


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy