Since the HIPAA privacy rule was enacted in April of 2003, OCR has received over 331,100 HIPAA complaints. Although many of these complaints required no action, a shocking 30,000 cases required some type of corrective action. And to make matters worse, OCR has imposed civil penalties on nearly 150 entities, totaling over $100,000,000. Much has been written about the Keys to Success for HIPAA Compliance, and the value of becoming HIPAA certified. Studying real life HIPAA violation cases is one of the best ways to understand how a HIPAA breach can occur unintentionally, or due to bad actors.
In this article, we present the HIPAA violation cases with the top 10 highest fines for HIPAA violation. These famous HIPAA violation cases have valuable lessons for anyone who is intent on implementing a high performance compliance program. These are a cautionary tale for what can happen when our defenses are down. They also motivate us to protect patient data in the way that each patient deserves. Let’s dive in.
Anthem, $16 million (2018)
In 2018, Anthem faced a hefty fine of $16 million due to a breach impacting close to 78.8 million individuals. This catastrophic event was caused by a cyber-attack where hackers exploited a vulnerability, leading to a continuous, targeted multi-phased attack. This breach was done by a hacker acting on behalf of a foreign government. As a corrective measure, Anthem was asked to conduct a thorough risk assessment and to submit new internal policies and procedures for review by OCR.
Primary Lesson: Vigilance in cybersecurity is paramount. Regular reviews of access logs, alongside annual employee training, can prevent such large-scale breaches.
Premera Blue Cross, $6.85 million (2020)
Premera Blue Cross found itself in hot water in 2020, with a breach affecting nearly 11 million individuals. A cyberattack gave hackers unauthorized access to the organization's IT system, exposing vast amounts of sensitive patient data. Alongside the fine, Premera was directed to put into place a robust corrective action plan, including enhanced risk analysis and management strategies.
Primary Lesson: Continuous monitoring and robust firewalls are essential. An organization's IT infrastructure should be equipped to detect and fend off intrusions swiftly. Premera’s breach was undetected for nearly 9 months.
Advocate Health Care, $5.5 million (2016)
2016 was a challenging year for Advocate Health Care, as breaches across its network compromised data of around 4 million individuals. These ranged from an unencrypted laptop's theft from a vehicle to unauthorized access to their patient registration site. The corrective action included strengthening security measures and emphasizing data encryption.
Primary Lesson: Physical security is as crucial as digital. Encrypting and securely storing devices with sensitive information can prevent many potential breaches.
Memorial Healthcare Systems, $5.5 million (2017)
Memorial Healthcare Systems was slapped with a $5.5 million fine in 2017, after a data breach affecting over 115,000 individuals. The breach was a result of unauthorized access to its facilities' PHI (Protected Health Information) by its very own employees. Both current employees and former employees whose credentials had never been terminated exploited that access. The corrective actions emphasized better access controls and rigorous activity reviews.
Primary Lesson: Internal threats can be just as damaging as external ones. Regular audits and strict access controls are vital to ensuring that only authorized personnel can access sensitive data. Maintaining these audits and controls is an important responsibility of the HIPAA Privacy Officer.
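The Memorial Healthcare case turns on two controls the lesson names: terminating credentials when staff leave, and reviewing activity logs for access that should not be possible. The script below is an added example (not from the original article and not any organization's own tooling) of the kind of activity review that catches both failures. It cross-references a constructed HR roster against a constructed PHI access log, flagging events by accounts whose termination date precedes the event, and events by accounts that do not appear in HR records at all (orphaned or shared accounts). Field names such as "ts", "user" and "record" are assumptions; a real log format would differ.

```python
"""Flag PHI-system access by accounts that should have been deprovisioned.

Added example, not code from the original article. Inputs are constructed:
an HR roster mapping username -> termination date (None = still employed)
and an access log with one JSON record per line. Field names are assumed.
"""
from datetime import datetime, timedelta
import json

# Constructed sample HR roster (assumed format).
HR_ROSTER = {
    "jdoe": None,            # active employee
    "asmith": "2017-01-10",  # terminated, account never disabled
    "bchen": "2016-11-30",   # terminated months earlier
}

# Constructed sample access log lines from a PHI system (assumed format).
ACCESS_LOG = """\
{"ts": "2017-01-05T09:12:00", "user": "jdoe", "action": "view", "record": "MRN-0001"}
{"ts": "2017-01-12T14:03:00", "user": "asmith", "action": "view", "record": "MRN-0042"}
{"ts": "2017-01-15T02:40:00", "user": "bchen", "action": "export", "record": "MRN-0099"}
{"ts": "2017-01-16T10:00:00", "user": "unknown_svc", "action": "view", "record": "MRN-0007"}
"""


def parse_log(text):
    """Parse JSON-per-line access records; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
        except (ValueError, KeyError, TypeError):
            # A malformed line is itself worth a separate alert in production;
            # here it is simply skipped so the review can continue.
            continue
    return events


def find_post_termination_access(events, roster, grace_days=0):
    """Return (event, reason) pairs for access that should not have happened.

    Two conditions are flagged:
      * the actor's HR termination date (plus an optional grace period for
        offboarding) is earlier than the event timestamp;
      * the actor is not in the HR roster at all, i.e. an orphaned or
        shared account that no termination process would ever catch.
    """
    findings = []
    grace = timedelta(days=grace_days)
    for ev in events:
        user = ev["user"]
        if user not in roster:
            findings.append((ev, "account not in HR roster"))
            continue
        term = roster[user]
        if term is None:
            continue  # still employed; access is in scope for normal review
        cutoff = datetime.fromisoformat(term) + grace
        if ev["ts"] > cutoff:
            findings.append(
                (ev, f"access on {ev['ts'].date()} after termination {term}")
            )
    return findings


def flagged_users(findings):
    """Distinct usernames that appear in the findings, sorted for reporting."""
    return sorted({ev["user"] for ev, _ in findings})


if __name__ == "__main__":
    for ev, reason in find_post_termination_access(parse_log(ACCESS_LOG), HR_ROSTER):
        print(f"{ev['ts'].isoformat()} {ev['user']:<12} {ev['action']:<7} {ev['record']}  <- {reason}")
```

The grace_days parameter exists because HR termination dates and account disablement rarely line up to the minute; set it to the organization's documented offboarding SLA so the review reports genuine control failures rather than same-day noise. Running this review on a schedule, and feeding its output to the Privacy Officer, is the "rigorous activity review" the corrective action plan called for.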
Lifetime Healthcare Companies, $5.1 Million (2021)
Lifetime Healthcare Companies had to shell out $5.1 million in 2021 following a breach that affected about 9.3 million individuals. The breach occurred when hackers installed malware onto their computer network systems, allowing them nearly 2 years of unfettered access to member data. The corrective actions outlined included a detailed risk assessment and establishing a stringent information system activity review.
Primary Lesson: Email systems are common targets. Proper safeguards, training, and monitoring of email systems can prevent a significant number of potential breaches. Learn about how the SLAM method can prevent costly HIPAA breaches.
Columbia and New York Presbyterian Hospitals, $4.8 million (2013)
In 2013, Columbia University and New York Presbyterian Hospital faced a collective fine of $4.8 million due to a breach impacting 6,800 patients. The breach resulted from a physician who inadvertently deactivated a firewall on a server containing ePHI. Unbeknownst to the hospital and the university, the server became accessible on search engines, exposing patient records. The institutions had to engage in a risk analysis, create a risk management plan, and train staff accordingly.
Primary Lesson: Proper handling and decommissioning of equipment containing ePHI is essential. Routine checks and a documented protocol for deactivation can prevent unintentional data exposure.
University of Texas MD Anderson Cancer Center, $4.3 million (2018)
The University of Texas MD Anderson Cancer Center was hit with a $4.3 million fine in 2018 after breaches affecting over 33,500 individuals. The incidents involved the theft of an unencrypted laptop and the loss of unencrypted USB thumb drives containing ePHI. After the breach, the Center received advice to enhance its encryption policies and upgrade data handling protocols.
Primary Lesson: Encryption isn't optional; it's a necessity unless an alternative, equivalent protection is in place. Portable devices containing sensitive information should be encrypted to safeguard data, and proper physical safeguards should be implemented alongside that encryption.
Feinstein Research, $3.9 million (2016)
Feinstein Institute for Medical Research was charged a $3.9 million penalty in 2016 due to a breach that affected around 13,000 patients. The incident was attributed to the theft of a laptop from an employee’s car that contained unencrypted ePHI. As part of the resolution, Feinstein Research was directed to enhance its security management processes and ensure comprehensive encryption.
Primary Lesson: A simple oversight can have substantial consequences. Equip all devices with necessary security measures and instill in staff the importance of secure storage and transportation.
Triple-S Management, $3.5 million (2015)
Triple-S Management was fined $3.5 million in 2015 after multiple incidents impacting over 1 million individuals. The breaches arose from various issues, including sending mailings with visible Medical Health Insurance Claim numbers, former employees retaining unauthorized system access, and other unauthorized disclosures. The company was compelled to carry out a risk analysis, manage identified risks, and train its workforce.
Primary Lesson: Data handling extends beyond the digital realm. Even simple tasks like mailing should be done with utmost attention to detail to prevent unwanted data exposure.
Fresenius Medical Care North America (FMCNA), $3.5 million (2018)
FMCNA was subjected to a $3.5 million fine in 2018 due to 5 breaches across multiple locations, affecting several hundred individuals. The incidents ranged from stolen desktop computers and flash drives to unauthorized access to systems. The company was tasked with implementing a comprehensive risk analysis and managing those risks appropriately.
Primary Lesson: A series of smaller breaches spread across multiple locations can be as devastating as a single centralized one. Consistent security policies and training across all locations are imperative to avoid dire consequences.
Staying HIPAA compliant
A major theme among these HIPAA violation case examples is poor and inconsistent training of personnel. At TeachMeHIPAA, we offer affordable and high quality training for you and your staff. Furthermore, to protect against breaches via non-compliant software, we created our Ultimate Guide to HIPAA Compliant Software and Services. Learn from these examples, and take decisive steps today to protect your organization from severe penalties for HIPAA violations.