HIPAA Fines Listed by Year

HIPAA Settlements, Fines, and Penalties

HIPAA settlements are hard to keep track of, which is why we’ve created this simple directory of large-scale HIPAA fines listed by year. All information on HIPAA violation cases is provided by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on its HIPAA Resolution Agreements overview.

For the full list of HIPAA breaches and fines, you can visit OCR’s Breach Portal, or “Wall of Shame”. This is where OCR lists the countless other small-scale HIPAA breaches and fines. View our HIPAA fines chart below for the full HIPAA settlements list.

Remember that large-scale settlements are only a fraction of the fines levied by federal investigators every year. One consequence of a HIPAA breach is that the name of your practice is permanently listed on the Wall of Shame, along with the offense, date, and number of individuals affected. Look through this chart for HIPAA violation case examples.


2024 HIPAA Fines $5,315,000

The investigation began with a complaint involving 291,000 files containing PHI. It found multiple violations stemming from the failure to conduct a risk analysis and insufficient monitoring against cyber attacks.

A patient requested a copy of their medical records from American Medical Response (AMR). After several attempts, and AMR’s failure to provide the records, the patient filed a complaint with OCR.

In May 2020, a complaint was filed against Hackensack Meridian Health alleging that the skilled nursing facility failed to provide a patient’s personal representative with a copy of requested medical records. As a result of an OCR investigation, the records were provided in November 2020.

submitted a breach report to OCR, informing the HIPAA enforcers that it had suffered an attack on its network server, compromising the PHI of more than 14,000 patients.

The NYPD informed Montefiore Medical Center that there was evidence that patient information had been stolen from the hospital’s database. It turns out the culprit was an employee.

For six months, the employee in question stole patient PHI and sold it to an identity theft ring. Worse, the incident occurred two years before the NYPD informed the hospital, which calls Montefiore’s data security practices into question.

Date Organization Fine Total OCR Settlement Announcement
1/4/2023 Life Hope Labs $16,500
2/2/2023 Banner Health $1,250,000
5/8/2023 David Mente, MA, LPC $15,000 HHS Office for Civil Rights Enters Into $15,000 Settlement Resolving Potential HIPAA Violation Under the Right of Access Initiative
5/16/2023 MedEvolve $350,000 OCR Settles HIPAA Investigation with Business Associate
6/5/2023 Manasa Health Center $30,000 HHS Office for Civil Rights Reaches Agreement with Health Care Provider in New Jersey That Disclosed Patient Information in Response to Negative Online Reviews
6/15/2023 Yakima Valley Memorial Hospital $240,000 Employee Snooping Leads to $240,000 HIPAA Fine
6/28/2023 iHealth Solutions $75,000 iHealth Solutions Resolves HIPAA Probe, Pays $75,000 Settlement to HHS Office for Civil Rights
8/24/2023 UnitedHealthcare $80,000 UnitedHealthcare’s $80,000 HIPAA Resolution Unveils Secrets of Patient Medical Records
9/11/2023 L.A. Care Health Plan $1,300,000 HHS OCR Achieves Resolution with L.A. Care Health Plan in HIPAA Security Rule Case
10/31/2023 Doctors’ Management Services $100,000 OCR Did the Math, 200K Patients Exposed Equals a $100K Fine
11/20/2023 St. Joseph’s Medical Center $80,000 HHS Reaches $80K Settlement for PHI Disclosure to News Outlet
12/7/2023 Lafourche Medical Group $480,000 HHS Settled First Ever Phishing Investigation with Louisiana Medical Group
12/15/2023 Optum Medical Care of New Jersey $160,000 Optum Medical Care Settlement Marks OCR’s 46th Right of Access Enforcement Action
2023 TOTAL: $4,176,500
Date Organization Fine Total OCR Settlement Announcement
3/28/2022 Dr. Donald Brockley, D.D.M $30,000
3/28/2022 Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. $50,000
3/28/2022 Jacob and Associates $28,000
3/28/2022 Northcutt Dental $62,500
7/14/2022 Oklahoma State University $875,000 Oklahoma State University – Center for Health Services Pays $875,000 to Settle Hacking Breach
7/15/2022 ACPM Podiatry $100,000 ACPM Podiatry HIPAA Enforcement Action
7/15/2022 Associated Retina Specialists $22,500 Associated Retina Specialists HIPAA Enforcement Action
7/15/2022 Dr. Lawrence Bell, D.D.S. $5,000 Dr. Lawrence Bell, D.D.S. HIPAA Enforcement Action
7/15/2022 Coastal Ear, Nose, and Throat $20,000 Coastal Ear, Nose, and Throat HIPAA Enforcement Action
7/15/2022 Danbury Psychiatric Consultants, LLC $3,500
7/15/2022 Erie County Medical Center Corporation $50,000 Erie County Medical Center Corporation HIPAA Enforcement Action
7/15/2022 Fallbrook Family Health Center $30,000 Fallbrook Family Health Center HIPAA Enforcement Action
7/15/2022 Hillcrest Commons Nursing and Rehabilitation $55,000 Hillcrest Commons Nursing and Rehabilitation HIPAA Enforcement Action
7/15/2022 Melrose Wakefield Healthcare $55,000 Melrose Wakefield Healthcare HIPAA Enforcement Action
7/15/2022 Memorial Hermann Health System $240,000 Memorial Hermann Health System HIPAA Enforcement Action
7/15/2022 Southwest Surgical Associates, LLP $65,000 Southwest Surgical Associates, LLP HIPAA Enforcement Action
8/23/2022 New England Dermatology and Laser Center $300,640 Investigation Leads to $300,640 HIPAA Settlement and Corrective Action Plan
9/20/2022 Family Dental Care $30,000 Trio of Dentist HIPAA Violations Leads to $135,000 in Settlements
9/20/2022 B. Steven L. Hardy, D.D.S. $25,000 Trio of Dentist HIPAA Violations Leads to $135,000 in Settlements
9/20/2022 Great Expressions Dental Center of Georgia $80,000 Trio of Dentist HIPAA Violations Leads to $135,000 in Settlements
12/14/2022 Dr. Brandon Au $23,000 Impermissible disclosure of PHI
12/15/2022 Health Specialists of Central Florida Inc $20,000 HHS Civil Rights Office Resolves HIPAA Right of Access Investigation with $20,000 Settlement
2022 TOTAL: $2,170,140
Date Organization Fine Total OCR Settlement Announcement
1/12/2021 Banner Health $200,000 OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative
1/15/2021 Lifetime Healthcare Companies $5,100,000 Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People
2/10/2021 Renown Health, P.C $75,000 OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative
2/12/2021 Sharp HealthCare $70,000 OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative
3/24/2021 Arbour Hospital $65,000 OCR Settles Seventeenth Investigation in HIPAA Right of Access Initiative
3/26/2021 Village Plastic Surgery $30,000 OCR Settles Eighteenth Investigation in HIPAA Right of Access Initiative
5/25/2021 AEON Clinical Laboratories $25,000 Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations
6/2/2021 The Diabetes, Endocrinology & Lipidology Center $5,000 OCR Settles Nineteenth Investigation in HIPAA Right of Access Initiative
9/10/2021 Children’s Hospital & Medical Center $80,000 OCR Resolves Twentieth Investigation in HIPAA Right of Access Initiative with $80,000 Settlement
11/30/2021 Advanced Spine & Pain Management (ASPM) $32,150 Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access
11/30/2021 Denver Retina Center $30,000 Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access
11/30/2021 Dr. Robert Glaser $100,000 Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access
11/30/2021 Rainrock Treatment Center, LLC dba Monte Nido Rainrock (“Monte Nido”) $160,000 Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access
11/30/2021 Wake Health Medical Group $10,000 Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access
2021 TOTAL: $5,980,000
Date Organization Fine Total Link to OCR Settlement
3/3/2020 The practice of Steven A. Porter, M.D $100,000 Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements
7/23/2020 Metropolitan Community Health Services $25,000 Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements
7/27/2020 Lifespan Health System $1,040,000 Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach
9/15/2020 Housing Works, Inc $38,000 OCR Settles Five More Investigations in HIPAA Right of Access Initiative
9/15/2020 All Inclusive Medical Services, Inc $15,000 OCR Settles Five More Investigations in HIPAA Right of Access Initiative
9/15/2020 Beth Israel Lahey Behavioral Services $70,000 OCR Settles Five More Investigations in HIPAA Right of Access Initiative
9/15/2020 King MD $3,500 OCR Settles Five More Investigations in HIPAA Right of Access Initiative
9/15/2020 Wise Psychiatry, PC $10,000 OCR Settles Five More Investigations in HIPAA Right of Access Initiative
9/21/2020 Athens Orthopedic Clinic PA $1,500,000 Orthopedic Clinic Pays $1.5 Million to Settle Systemic Noncompliance with HIPAA Rules
9/23/2020 CHSPSC LLC $2,300,000 HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individuals
9/25/2020 Premera Blue Cross $6,850,000 Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People
10/7/2020 Dignity Health, DBA St. Joseph’s Hospital and Medical Center $160,000 OCR Settles Eighth Investigation in HIPAA Right of Access Initiative
10/9/2020 NY Spine Medicine (NY Spine) $100,000 OCR Settles Ninth Investigation in HIPAA Right of Access Initiative
10/28/2020 Aetna $1,000,000 Aetna Pays $1,000,000 to Settle Three HIPAA Breaches
10/28/2020 Riverside Psychiatric Medical Group $25,000 OCR Settles Tenth Investigation in HIPAA Right of Access Initiative
10/30/2020 City of New Haven, Connecticut $202,400 City Health Department failed to terminate former employee’s access to protected health information
11/12/2020 Dr. Rajendra Bhayani $15,000 OCR Settles Eleventh Investigation in HIPAA Right of Access Initiative
11/19/2020 University of Cincinnati Medical Center, LLC $65,000 OCR Settles Twelfth Investigation in HIPAA Right of Access Initiative
12/22/2020 Elite Primary Care $36,000 OCR Settles Thirteenth Investigation in HIPAA Right of Access Initiative
2020 TOTAL: $13,554,900
Date Organization Fine Total Link to OCR Settlement
February 7, 2019 Cottage Health $3,000,000 Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million
May 6, 2019 Touchstone Medical Imaging $3,000,000 Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing Over 300,000 Patients’ Protected Health Information
May 23, 2019 Medical Informatics Engineering $100,000 Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach – May 23, 2019
September 9, 2019 Bayfront Health St. Petersburg $85,000 OCR Settles First Case in HIPAA Right of Access Initiative
October 2, 2019 Elite Dental Associates $10,000 Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information
October 23, 2019 Jackson Health System $2,150,000 OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations
November 5, 2019 University of Rochester Medical Center $3,000,000 Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement
November 7, 2019 Texas Health and Human Services Commission $1,600,000 OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations
November 27, 2019 Sentara Hospitals $2,175,000 OCR Secures $2.175 Million HIPAA Settlement after Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information
December 12, 2019 Korunda Medical $85,000 OCR Settles Second Case in HIPAA Right of Access Initiative
December 30, 2019 West Georgia Ambulance $65,000 Ambulance Company Pays $65,000 to Settle Allegations of Longstanding HIPAA Noncompliance
2019 TOTAL: $15,270,000
Date Organization Fine Total Link to OCR Settlement
February 1, 2018 Fresenius Medical Care North America (FMCNA) $3,500,000 Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules
February 13, 2018 Filefax, Inc. $100,000 Consequences for HIPAA violations don’t stop when a business closes
June 18, 2018 The University of Texas MD Anderson Cancer Center $4,348,000 Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations
September 20, 2018 Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) $999,000 Unauthorized Disclosure of Patients’ Protected Health Information During ABC Television Filming Results in Multiple HIPAA Settlements Totaling $999,000
October 16, 2018 Anthem $16,000,000 Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

November 26, 2018 Allergy Associates of Hartford, P.C. $125,000 Allergy practice pays $125,000 to settle doctor’s disclosure of patient information to a reporter
December 4, 2018 Advanced Care Hospitalists PL (ACH) $500,000 Florida contractor physicians’ group shares protected health information with unknown vendor without a business associate agreement
December 11, 2018 Pagosa Springs Medical Center (PSMC) $111,400 Colorado hospital failed to terminate former employee’s access to electronic protected health information
December 12, 2018 Cottage Health $3,000,000 Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million
2018 TOTAL: $28,683,400
Date Organization Fine Total Link to OCR Settlement
January 9, 2017 Presence Health $475,000 First HIPAA enforcement action for lack of timely breach notification settles for $475,000
January 18, 2017 MAPFRE $2,200,000 HIPAA settlement demonstrates importance of implementing safeguards for ePHI
February 1, 2017 Children’s Medical Center of Dallas $3,200,000 Lack of timely action risks security and costs money
February 16, 2017 Memorial Healthcare Systems $5,500,000 $5.5 million HIPAA settlement shines light on the importance of audit controls
April 12, 2017 Metro Community Provider Network (MCPN) $400,000 Overlooking risks leads to breach, $400,000 settlement
April 20, 2017 The Center for Children’s Digestive Health (CCDH) $31,000 No Business Associate Agreement?  $31K Mistake
April 24, 2017 CardioNet $2,500,000 $2.5 million settlement shows that not understanding HIPAA requirements creates risk
May 10, 2017 Memorial Hermann Health System (MHHS) $2,400,000 Texas health system settles potential HIPAA violations for disclosing patient information
May 23, 2017 St. Luke’s Roosevelt Hospital System Inc. $387,200 Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k
June 7, 2017 Rite Aid $1,000,000 Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case
December 18, 2017 21st Century Oncology $2,300,000 $2.3 Million Levied for Multiple HIPAA Violations at NY-Based Provider
2017 TOTAL: $20,393,200
Date Organization Fine Total Link to OCR Settlement
February 3, 2016 Lincare, Inc. $239,800 Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800
February 16, 2016 Physical Therapy $25,000 Physical therapy provider settles violations that it impermissibly disclosed patient information
March 16, 2016 North Memorial $1,550,000 $1.55 million settlement underscores the importance of executing HIPAA business associate agreements
March 17, 2016 Feinstein Research $3,900,000 Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement
April 20, 2016 Raleigh Orthopaedic $750,000 $750,000 settlement highlights the need for HIPAA business associate agreements
April 21, 2016 New York Presbyterian $2,200,000 Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital
June 29, 2016 Catholic Health Services of Philadelphia $650,000 Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
July 18, 2016 Oregon Health & Science University $2,700,000 Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University
July 21, 2016 University of Mississippi Medical Center $2,750,000 Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC)
August 4, 2016 Advocate Health $5,550,000 Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million
September 23, 2016 Care New England Health System $400,000 HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements
October 17, 2016 St. Joseph’s $2,140,000 $2.14 million HIPAA settlement underscores importance of managing security risk
November 22, 2016 UMass $650,000 UMass settles potential HIPAA violations following malware infection
2016 TOTAL: $23,504,800
Date Organization Fine Total Link to OCR Settlement
April 22, 2015 Cornell Prescription Pharmacy $125,000 HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records
June 10, 2015 St. Elizabeth’s Medical Center $218,000 HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications
August 31, 2015 Cancer Care Group, P.C. $750,000 $750,000 HIPAA Settlement Emphasizes the Importance of Risk Analysis and Device and Media Control Policies
November 24, 2015 Lahey Hospital and Medical Center $850,000 HIPAA Settlement Reinforces Lessons for Users of Medical Devices
November 30, 2015 Triple-S Management $3,500,000 Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement
December 14, 2015 University of Washington Medicine $750,000 $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis
2015 TOTAL: $6,193,000

What is the Penalty for a HIPAA Violation?

HIPAA violations, such as violations of the HIPAA Privacy Rule, are costly for your practice. The federal fines for noncompliance are based on the level of perceived negligence found within your organization at the time of the HIPAA violation. These fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation. View our HIPAA fines chart below for the full HIPAA fines list.

OCR has also levied criminal charges for HIPAA violations in the past. OCR Director Jocelyn Samuels went on record in February 2016, saying:

“While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.”

HIPAA Violation Fine Tiers

Source: HHS, FederalRegister.gov
