Top 11 Largest HIPAA Violation Lawsuits and Settlements

The key law governing healthcare privacy is the Health Insurance Portability and Accountability Act (HIPAA) known to protect citizens’ data all over the world. HIPAA makes sure that doctors, insurance companies, and others can't share your medical info without your say-so. A specific acknowledgment must come from the patient to share protected health information. 

Let’s look at how much the HIPPA lawsuit is worth and the top 11 HIPAA Violation Lawsuits within the past couple of years. 

Firstly, it is important to know that any minor case can trigger legal action, including fines, but the legal concept of "willful neglect" is important in proving the guilt of the medical provider. Many healthcare organizations face similar security problems. Not doing thorough risk assessments, lacking proper risk management, neglecting system activity reviews, and not handling data access and device security well will lead to HIPAA violations and big fines.

During the past decade, HIPAA has had huge financial penalties that are costly. The fines range from a minimum of $100 per violation, with an annual maximum of $25,000 for repeat violations, to up to $50,000 per violation, with an annual maximum of $1.5 million for identical violations. Violations can also carry criminal charges that can result in jail time.

We have gathered the 11 highest settlements brought by the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) to consider for anyone who regularly deals with the healthcare industry. 

1. 2018 Anthem, $16 million

In 2018, Anthem, one of the nation's largest health benefits companies, had the largest health data breach, followed by the largest HIPAA settlement in history. The breach occurred due to cyber attackers gaining access through a malicious email responded to by an employee of an Anthem subsidiary.

The attackers had access from December 2, 2014, to the end of January 2015. The Office for Civil Rights (OCR) determined that Anthem didn't take appropriate measures to detect hackers, failed to conduct an enterprise-wide risk analysis, and didn't have procedures to review system activity, among other violations. 

2. 2020 Premera Blue Cross, $6.85 million

Premera Blue Cross, the largest health plan in the Pacific Northwest, paid more than $6.85 million in fines in 2020 to settle HIPAA violations related to a breach affecting over 10.4 million people. The second-largest payment to resolve a HIPAA investigation in history included fines, corrective action, and two years of monitoring.

The breach occurred due to a phishing email in May 2014, allowing hackers to install malware in Premera Blue Cross’s IT system. Surprisingly, the malware went undetected for nearly nine months until January 2015. The investigation found systemic noncompliance with the HIPAA rules, including failure to conduct an enterprise-wide risk analysis and implement risk management and audit controls.  

3. 2016 Advocate Health Care, $5.5 million 

Advocate Health Care in Illinois is one of the largest private hospital networks in the country. In 2016, the $5.5 million fine they were given was the largest HIPAA fine to that point. The fine stemmed from multiple incidents, including the theft of four unencrypted laptops and breaches of the company's network. During the investigation, violations were discovered dating back to the inception of HIPAA regulations. The organization adopted a corrective action plan and the largest single fine for an entity at the time.

4. 2017 Memorial Healthcare Systems, $5.5 million 

Memorial Healthcare Systems (MHS) is a nonprofit corporation operating six hospitals, an urgent care center, a nursing home, and various ancillary healthcare facilities throughout the South Florida area. The fine amounted to $5.5 million, resulting from a breach where a former employee's login credentials were used without authorization for nearly a year.

Protected information was accessed between 2011 and 2012 due to this unauthorized access. HIPAA requires termination or modification of user access, and MHS failed to follow its own policies and procedures. Also, a lack of regular review of audit logs and a lack of access controls were identified as concerns during risk analyses over several years, making the breach highly preventable.

5. 2021 Lifetime Healthcare Companies, $5.1 Million

In 2021, Excellus Health Plan, a lifetime healthcare companies affiliate health insurance coverage provider, was required to pay $5.1 million, take corrective action, and be monitored for two years. Cyber-attackers gained access to IT systems, installed malware, and conducted recon activities exposing the data of more than 9.3 million people for more than a year. Failure to perform enterprise-wide risk analysis and implement risk management actions like IT system activity review were among the issues cited.

6. 2018 University of Texas MD Anderson Cancer Center, $4.3 million

The University of Texas MD Anderson Cancer Center (MD Anderson) was fined $4.3 million in 2018 after investigations of data breaches related to three unencrypted items reported by the hospital in 2013 and 2014. Internal assessments had pointed out that the lack of device-level encryption posed a high security risk. 

However, in January 2021, the financial penalty was overturned by the 5th U.S. Circuit Court of Appeals which determined that M.D Anderson had implemented various mechanisms to encrypt information following HIPAA requirements, even if some employees didn't correctly use them. In addition to other factors, this good-faith security action by the organization played a key role in the new ruling.

7. 2013 Columbia and New York Presbyterian Hospitals, $4.8 million

In 2013, two New York hospitals, Columbia and New York Presbyterian were jointly fined $4.8 million after a botched server deactivation caused protected health data to appear on search engines. The OCR found that the hospitals did not do a proper risk assessment and did not have enough protections in place to prevent the data breach. In addition to the fine, they were required to upgrade systems and create appropriate policies and defenses for future cyber attacks.

8. 2016 Feinstein Research, $3.9 million

Feinstein Research, a biomedical research nonprofit sponsored by Northwell Health, reported a laptop containing research had been stolen from an employee's car in 2012. The OCR determined in 2016 that Feinstein failed to safeguard and protect health data as required. Security management was incomplete and limited in scope. There were insufficient safeguards for limiting access to unauthorized users. The organization agreed to pay a settlement of $3.9 million and undertake corrective action. 

9. 2015 Triple-S Management $3.5 million

Triple-S Management settled its HIPAA violations in 2015 with a $3.5 million settlement and a corrective action plan after repeatedly failing to put safeguards in place after an investigation discovered widespread noncompliance with regulations throughout the organization. Issues included failures to implement security measures, lack of physical and technical safeguards, and inappropriate disclosure to outside vendors without appropriate business agreements, in addition to other violations. Their compliance requirements included risk analysis and management plans, policies and procedures to facilitate HIPAA compliance, and a training program for all workforce and business associates.

10. 2018 Fresenius Medical Care North America (FMCNA) $3.5 million

In 2018, Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million and adopt a comprehensive corrective action plan to settle potential HIPAA violations. Their issues ranged from failure to implement security policies, encrypt information, and safeguard facilities and equipment from unauthorized access and theft. This case highlighted the need for security across multiple organizations.

11. 2017 Children’s Medical Center of Dallas, $3.2 million

The theft of devices that were neither password-protected nor encrypted was the cause of the Children's Medical Center of Dallas 2017 fine of $3.2 million. The organization failed to implement a "high priority" recommendation to add encryption on portable devices to protect health information if a device is lost or stolen. The breach could have been avoided had the Children's Medical Center acted on the recommendations. Fortunately, the OCR determined that the loss did no apparent harm and the breaches were not the result of willful negligence, so they were given the minimum possible penalty of $3.2 million.

Want to Keep Your Company Safe From HIPAA Violations?

SecureNetMD® is the leading software and solutions provider helping healthcare providers with communication technologies. Our award-winning, custom-tailored system can help you steer clear of HIPAA violations. With over 10 years in the industry and with a 98% retention rate, our product has been helping healthcare providers communicate clearly and securely. Our custom-tailored, advanced systems can help you steer clear of HIPAA violations. For more information, please contact us.