HIPAA Fines Listed by Year

HIPAA Settlements, Fines, and Penalties

HIPAA settlements are hard to keep track of–that’s why we’ve created this simple directory of large-scale HIPAA fines listed by year. All information is provided by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on their HIPAA Resolution Agreements overview.

For the full list of HIPAA breaches and fines, you can visit OCR’s Breach Portal, or “Wall of Shame“. This is where OCR lists the countless other small-scale HIPAA breaches and fines. View our HIPAA fines chart below for the full HIPAA settlements list.

Remember that large-scale settlements are only a fraction of the fines levied by federal investigators every year. Once you’ve had a HIPAA breach, the name of your practice is permanently listed on The Wall of Shame–including the offense, date, and number of individuals affected.

Avoid HIPAA Fines and Become HIPAA Compliant!

What is the Penalty for a HIPAA Violation?

HIPAA violations cost your practice. The federal fines for noncompliance are based on the level of perceived negligence found within your organization at the time oft he HIPAA violation. These fines and consequences can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation. View our HIPAA fines chart below for the full HIPAA fines list.

OCR has also levied criminal charges for HIPAA violations in the past. Director of OCR, Jocelyn Samuels, went on record in February of 2016, saying that:

“While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.”

Source: HHS, Federal Register.gov

2019 HIPAA Fines

Date	Organization	Fine Total	Link to OCR Settlement
February 7, 2019	Cottage Health	$3,000,000	Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million
May 6, 2019	Touchstone Medical Imaging	$3,000,000	Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing Over 300,000 Patients’ Protected Health Information
May 23, 2019	Indiana Medical Records	$100,000	Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach – May 23, 2019
September 9, 2019	Bayfront Health St. Petersburg	$85,000	OCR Settles First Case in HIPAA Right of Access Initiative
October 2, 2019	Elite Dental Associates	$10,000	Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information
October 23, 2019	Jackson Health System	$2,150,000	OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations
November 5, 2019	University of Rochester Medical Center	$3,000,000	Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement
November 7, 2019	Texas Health and Human Services Commission	$1,600,000	OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations

	2019 TOTAL:	$12,945,000

2018 HIPAA Fines

Date	Organization	Fine Total	Link to OCR Settlement
February 1, 2018	Fresenius Medical Care North America (FMCNA)	$3,500,000	Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules
February 13, 2018	Filefax, Inc.	$100,000	Consequences for HIPAA violations don’t stop when a business closes
June 18, 2018	The University of Texas MD Anderson Cancer Center	$4,348,000	Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations
September 20, 2018	Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH)	$999,000	Unauthorized Disclosure of Patients’ Protected Health Information During ABC Television Filming Results in Multiple HIPAA Settlements Totaling $999,000
October 16, 2018	Anthem	$16,000,000	Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History
November 26, 2018	Allergy Associates of Hartford, P.C.	$125,000	Allergy practice pays $125,000 to settle doctor’s disclosure of patient information to a reporter
December 4, 2018	Advanced Care Hospitalists PL (ACH)	$500,000	Florida contractor physicians’ group shares protected health information with unknown vendor without a business associate agreement
December 11, 2018	Pagosa Springs Medical Center (PSMC)	$111,400	Colorado hospital failed to terminate former employee’s access to electronic protected health information
December 12, 2018	Cottage Health	$3,000,000	Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million
	2018 TOTAL:	$28,683,400

2017 HIPAA Fines

Date	Organization	Fine Total	Link to OCR Settlement
January 9, 2017	Presence Health	$475,000	First HIPAA enforcement action for lack of timely breach notification settles for $475,000
January 18, 2017	MAPFRE	$2,200,000	HIPAA settlement demonstrates importance of implementing safeguards for ePHI
February 1, 2017	Children’s Medical Center of Dallas	$3,200,000	Lack of timely action risks security and costs money
February 16, 2017	Memorial Healthcare Systems	$5,500,000	$5.5 million HIPAA settlement shines light on the importance of audit controls
April 12, 2017	Metro Community Provider Network (MCPN)	$400,000	Overlooking risks leads to breach, $400,000 settlement
April 20, 2017	The Center for Children’s Digestive Health (CCDH)	$31,000	No Business Associate Agreement? $31K Mistake
April 24, 2017	CardioNet	$2,500,000	$2.5 million settlement shows that not understanding HIPAA requirements creates risk
May 10, 2017	Memorial Hermann Health System (MHHS)	$2,400,000	Texas health system settles potential HIPAA violations for disclosing patient information
May 23, 2017	St. Luke’s Roosevelt Hospital System Inc.	$387,200	Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k
June 7, 2017	Rite Aid	$1,000,000	Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case
December 18, 2017	21st Century Oncology	$2,300,000	$2.3 Millon Levied for Multiple HIPAA Violations at NY-Based Provider
	2017 TOTAL:	$20,393,200

2016 HIPAA Fines

Date	Organization	Fine Total	Link to OCR Settlement
February 3, 2016	Lincare, Inc.	$239,800	Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800
February 16, 2016	Physical Therapy	$25,000	Physical therapy provider settles violations that it impermissibly disclosed patient information
March 16, 2016	North Memorial	$1,550,000	$1.55 million settlement underscores the importance of executing HIPAA business associate agreements
March 17, 2016	Feinstein Research	$3,900,000	Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement
April 20, 2016	Raleigh Orthopaedic	$750,000	$750,000 settlement highlights the need for HIPAA business associate agreements
April 21, 2016	New York Presbyterian	$2,200,000	Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital
June 29, 2016	Catholic Health Services of Philadelphia	$650,000	Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
July 18, 2016	Oregon Health & Science University	$2,700,000	Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University
July 21, 2016	Univeristy of Mississippi Medical Center	$2,750,000	Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC)
August 4, 2016	Advocate Health	$5,550,000	Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million
September 23, 2016	Care New England Health System	$400,000	HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements
October 17, 2016	St. Joseph’s	$2,140,000	$2.14 million HIPAA settlement underscores importance of managing security risk
November 22, 2016	UMass	$650,000	UMass settles potential HIPAA violations following malware infection
	2016 TOTAL:	$23,504,800

2015 HIPAA Fines

Date	Organization	Fine Total	Link to OCR Settlement
April 22, 2015	Cornell Prescription Pharmacy	$125,000	HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records
June 10, 2015	St. Elizabeth’s Medical Center	$218,000	HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications
August 31, 2015	Cancer Care Group, P.C.	$750,000	750,000 HIPAA Settlement Emphasizes the Importance of Risk Analysis and Device and Media Control Policies
November 24, 2015	Lahey Hospital and Medical Center	$850,000	HIPAA Settlement Reinforces Lessons for Users of Medical Devices
November 30, 2015	Triple-S Management	$3,500,000	Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement
December 14, 2015	University of Washington Medicine	$750,000	$750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis
	2015 TOTAL:	$6,193,000

Avoid HIPAA Fines and Get Compliant Today

Get Started!