Listed here is a summary of some of the most significant HIPAA breach cases that have lead to settlement agreements with the Department of Health and Human Services’ Office for Civil Rights (OCR).
We have also listed some cases that have been pursued by OCR after a number of HIPAA violations were identified in the course of during HIPAA data breach investigations, and investigations of complaints submitted by patients and healthcare staff.
OCR has grown its enforcement capabilities since 2018 leading to additional HIPAA breach cases that warrant financial penalties such as settlements and civil monetary fines. To date in 2017, there have been nine HIPAA fines issued to resolve breach cases. In 2016, a record period of 12 months for enforcement of HIPAA Rules, there were 12 settlements and one civil monetary penalty issued to settle HIPAA breach incidents.
Due to enhancing its enforcement capability, OCR is indicating that any breach of HIPAA Rules lead to the most severe punishment possible.
Consequences of Violating HIPAA Breach Consequences
The consequences of breaching HIPAA can be severe and it is important to remember fines for a HIPAA violation can be sanctioned by the HHS´ Office for Civil Rights (OCR) even if no breach of PHI has taken place. The financial consequences of breaching HIPAA depend on the extent of negligence and – if a breach has taken place – the amount of records possibly exposed by the breach and the danger that may be caused by the unauthorized disclosure:
- A breach of HIPAA that took place due to ignorance can result in a financial penalty of $100 – $50,000.
- A breach that took place as a result of reasonable vigilance can result in a financial penalty of of $1,000 – $50,000.
- A breach that took place as a result of willful neglect which is addressed within thirty days will result in a financial penalty of between $10,000 and $50,000.
- A breach that took place as a result of willful neglect which is not addressed inside of 30 days lead to a maximum financial penalty of $50,000.
The figures included here represent the financial penalties can be sanctioned by OCR. Attorney Generals can also sanctions financial penalties if a breach of PHI breaches state legislation; and – if it can be shown that an individual has sustained harm as a result of the negligence of a Covered Entity or Business Associate – it is also possible for the individual to initiate a civil lawsuit for compensation. In some legal jurisdictions, the amount of punitive damages awarded could be in excess of the maximum $1.5 million fine (per breach) that can be OCR.
Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000
Following claims of breaches of federal and state legislation, linked to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, New Jersey and Kingston NY, Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties and implement a range of security enhancements.
$48.2 Million In HIPAA Penalties Paid by Anthem to Settles State Attorneys General Data Breach Investigations
Anthem Inc. has come to an agreement to settle actions by state attorneys general in different US states in relation to the 2014 78.8 million record data breach. Along with the $48.2 million financial penalty, Anthem has committed to implementing a number of corrective actions to better data security practices. These include steps such as configuring a thorough information security program using the principles of zero trust architecture. Ongoing security updates are now shared with the board of directors and significant security events are reported as soon as possible to the CEO.
Grays Harbor Community Hospital Ransomware Lawsuit May be Settled for $185,000
Following mediation talks, there has been an agreement to a proposed settlement between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit connected to a June 2019 ransomware attack that lead to the encryption of patient data.
HIPAA Violation Case Settled Between Ambulance Company & OCR for $65,000
The Department of Health and Human Services’ Office for Civil Rights (OCR) has revealed a $65,000 HIPAA violation settlement has been agreed with West Georgia Ambulance, Inc., to address multiple breaches of Health Insurance Portability and Accountability Act Rules.