HIPAA Fines Listed by Year
HIPAA Settlements, Fines, and Penalties
HIPAA settlements are hard to keep track of, which is why we’ve created this simple directory of large-scale HIPAA fines listed by year. All information on HIPAA violation cases is provided by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on their HIPAA Resolution Agreements overview.
For the full list of HIPAA breaches and fines, you can visit OCR’s Breach Portal, or “Wall of Shame”. This is where OCR lists the countless other small-scale HIPAA breaches and fines. View our HIPAA fines chart below for the full HIPAA settlements list.
Remember that large-scale settlements are only a fraction of the fines levied by federal investigators every year. Once you’ve had a HIPAA breach, one of the consequences of violating HIPAA is that the name of your practice is permanently listed on The Wall of Shame for violating HIPAA, including the offense, date, and number of individuals affected. Look through this chart for HIPAA violation case examples.
2025 HIPAA Fines $3,557,750
The patient first sought his records from Memorial Healthcare System on December 30, 2020. The requests he made included requests by mail, by phone, and through Memorial’s patient portal. Read more here.
In March 2023, OCR received a breach report concerning a ransomware incident that had affected NESG’s information system. NESG concluded that the protected health information of 15,298 patients (NESG’s entire patient population) had been encrypted and exfiltrated from its network. Read more here.
In a phishing attack targeting Solara employee email accounts, a malicious actor was able to access the accounts from April to June 2019. Read more here.
USR noted that from August through December of 2018, a database containing the names of 2,903 individuals was accessed by an unauthorized third party. Read the details here.
In late December of 2021, CSP business associate VPN Solutions filed a notice of breach with HHS. VPN filed the notice on behalf of twelve covered entities, each of which had delegated their regulatory responsibility to report PHI breaches to VPN. Read more here.
Back in March of 2023, an unknown actor gained access to a server on HIPAA business associate Elgon’s information system. The access was made possible because Elgon’s firewall had open ports. Read more here.
2024 HIPAA Fines $9,224,206
A database of 1.5 million patients was left unsecured on the Internet, findable through search engines like Google. See the full details here.
In two separate incidents, employees fell prey to phishing incidents, allowing hackers to access their accounts. See the full details here.
A terminated contractor accessed the ePHI of 34,310 individuals. The contractor then filed medical claims for services that were not actually rendered, resulting in approximately 6,500 false Medicare claims. See the full details here.
In September of 2023, OCR received a complaint that alleged Holy Redeemer impermissibly (without authorization) disclosed a female patient’s PHI to her prospective employer. See the full details here.
OCR imposed the penalty because Rio Hondo failed to provide a patient with her medical records for a full seven months, despite the patient’s repeated requests for access to the records. See the full details here.
14,273 patient records were encrypted in a ransomware incident. See the full details here.
Nine workstations and two servers were infected with ransomware. They paid hackers 2 Bitcoin for the return of patient files. See the full details here.
In 2019, a patient filed a complaint with OCR, alleging Gums failed to provide her with timely access to her medical records after she requested them in writing. See the full details here.
Three separate ransomware attacks left 85,000 patient records encrypted and inaccessible by the institute. See the full details here.
The investigation began with a complaint involving 291,000 files containing PHI. The investigation found multiple violations stemming from the failure to conduct a risk analysis and insufficient monitoring against cyber attacks. See the full details here!
A patient requested a copy of their medical records from American Medical Response (AMR). After several attempts, and AMR’s failure to provide the records, the patient filed a complaint with OCR. See the full details here!
OCR initiated a compliance review after the media reported that HVHS had experienced a ransomware attack. See the full details here.
In May 2020, a complaint was filed against Hackensack Meridian Health alleging that the skilled nursing facility failed to provide a patient’s personal representative with a copy of requested medical records. As a result of an OCR investigation, the records were provided in November 2020. See the full details here!
The Complainant, the personal representative of a Phoenix patient, made multiple requests for her mother’s medical records in 2019. Only after OCR acted did Phoenix produce the requested records – 323 days after the first request was made. See the full details here.
submitted a breach report to OCR, informing the HIPAA enforcers that it had suffered an attack on its network server, compromising the PHI of more than 14,000 patients. See the full details here!
The NYPD informed Montefiore Medical Center that there was evidence that patient information had been stolen from the hospital’s database. It turns out, the culprit was an employee.
For six months, the employee in question stole patient PHI and sold it to an identity theft ring. What’s worse, the incident occurred two years before the NYPD informed the hospital, calling into question the data security practices of Montefiore.
Date | Organization | Fine Total | OCR Settlement Announcement |
3/28/2022 | Dr. Donald Brockley, D.D.M | $30,000 | |
3/28/2022 | Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. | $50,000 | |
3/28/2022 | Jacob and Associates | $28,000 | |
3/28/2022 | Northcutt Dental | $62,500 | |
7/14/2022 | Oklahoma State University | $875,000 | Oklahoma State University – Center for Health Services Pays $875,000 to Settle Hacking Breach |
7/15/2022 | ACPM Podiatry | $100,000 | ACPM Podiatry HIPAA Enforcement Action |
7/15/2022 | Associated Retina Specialists | $22,500 | Associated Retina Specialists HIPAA Enforcement Action |
7/15/2022 | Dr. Lawrence Bell, D.D.S. | $5,000 | Dr. Lawrence Bell, D.D.S. HIPAA Enforcement Action |
7/15/2022 | Coastal Ear, Nose, and Throat | $20,000 | Coastal Ear, Nose, and Throat HIPAA Enforcement Action |
7/15/2022 | Danbury Psychiatric Consultants, LLC | $3,500 | |
7/15/2022 | Erie County Medical Center Corporation | $50,000 | Erie County Medical Center Corporation HIPAA Enforcement Action |
7/15/2022 | Fallbrook Family Health Center | $30,000 | Fallbrook Family Health Center HIPAA Enforcement Action |
7/15/2022 | Hillcrest Commons Nursing and Rehabilitation | $55,000 | Hillcrest Commons Nursing and Rehabilitation HIPAA Enforcement Action |
7/15/2022 | Melrose Wakefield Healthcare | $55,000 | Melrose Wakefield Healthcare HIPAA Enforcement Action |
7/15/2022 | Memorial Hermann Health System | $240,000 | Memorial Hermann Health System HIPAA Enforcement Action |
7/15/2022 | Southwest Surgical Associates, LLP | $65,000 | Southwest Surgical Associates, LLP HIPAA Enforcement Action |
8/23/2022 | New England Dermatology and Laser Center | $300,640 | Investigation Leads to $300,640 HIPAA Settlement and Corrective Action Plan |
9/20/2022 | Family Dental Care | $30,000 | Trio of Dentist HIPAA Violations Leads to $135,000 in Settlements |
9/20/2022 | B. Steven L. Hardy, D.D.S. | $25,000 | Trio of Dentist HIPAA Violations Leads to $135,000 in Settlements |
9/20/2022 | Great Expressions Dental Center of Georgia | $80,000 | Trio of Dentist HIPAA Violations Leads to $135,000 in Settlements |
12/14/2022 | Dr. Brandon Au | $23,000 | Impermissible disclosure of PHI |
12/15/2022 | Health Specialists of Central Florida Inc | $20,000 | HHS Civil Rights Office Resolves HIPAA Right of Access Investigation with $20,000 Settlement |
2022 TOTAL: | $2,170,140 |
Date | Organization | Fine Total | OCR Settlement Announcement |
1/12/2021 | Banner Health | $200,000 | OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative |
1/15/2021 | Lifetime Healthcare Companies | $5,100,000 | Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People |
2/10/2021 | Renown Health, P.C | $75,000 | OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative |
2/12/2021 | Sharp HealthCare | $70,000 | OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative |
3/24/2021 | Arbour Hospital | $65,000 | OCR Settles Seventeenth Investigation in HIPAA Right of Access Initiative |
3/26/2021 | Village Plastic Surgery | $30,000 | OCR Settles Eighteenth Investigation in HIPAA Right of Access Initiative |
5/25/2021 | AEON Clinical Laboratories | $25,000 | Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations |
6/2/2021 | The Diabetes, Endocrinology & Lipidology Center | $5,000 | OCR Settles Nineteenth Investigation in HIPAA Right of Access Initiative |
9/10/2021 | Children’s Hospital & Medical Center | $80,000 | OCR Resolves Twentieth Investigation in HIPAA Right of Access Initiative with $80,000 Settlement |
11/30/2021 | Advanced Spine & Pain Management (ASPM) | $32,150 | Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access |
11/30/2021 | Denver Retina Center | $30,000 | Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access |
11/30/2021 | Dr. Robert Glaser | $100,000 | Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access |
11/30/2021 | Rainrock Treatment Center, LLC dba Monte Nido Rainrock (“Monte Nido | $160,000 | Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access |
11/30/2021 | Wake Health Medical Group | $10,000 | Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access |
2021 TOTAL: | $5,980,000 |
Date | Organization | Fine Total | Link to OCR Settlement |
April 22, 2015 | Cornell Prescription Pharmacy | $125,000 | HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records |
June 10, 2015 | St. Elizabeth’s Medical Center | $218,000 | HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications |
August 31, 2015 | Cancer Care Group, P.C. | $750,000 | $750,000 HIPAA Settlement Emphasizes the Importance of Risk Analysis and Device and Media Control Policies |
November 24, 2015 | Lahey Hospital and Medical Center | $850,000 | HIPAA Settlement Reinforces Lessons for Users of Medical Devices |
November 30, 2015 | Triple-S Management | $3,500,000 | Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement |
December 14, 2015 | University of Washington Medicine | $750,000 | $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis |
2015 TOTAL: | $6,193,000 |
What is the Penalty for a HIPAA Violation?
HIPAA violations, like violation of the HIPAA privacy rule, cost your practice. The federal fines for noncompliance are based on the level of perceived negligence found within your organization at the time of the HIPAA violation. These fines and consequences can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation. View our HIPAA fines chart below for the full HIPAA fines list.
OCR has also levied criminal charges for HIPAA violations in the past. Director of OCR, Jocelyn Samuels, went on record in February of 2016, saying that:
“While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.”
Source: HHS, FederalRegister.gov