The High Cost of HIPAA Violations: The Biggest Fines To Date

A while back we wrote about the horrible summer that healthcare had in 2017. Multiple phishing and ransomware attacks, as well as data breaches continue to cast a dark shadow on an industry that has already seen its fair share of difficulties.

While the overall cost of cyber attacks and data breaches themselves is concerning, 2017 also saw $20 million in fines levied under HIPAA against healthcare service providers. To date, the largest fine for a single organization has been against Advocate Health System at $5.55 million in 2016, for violations heading back to 2013. This will likely be surpassed by Anthem, which has already settled civil lawsuits to the tune of $115 million. There has been no word yet about any federal penalties (this does include their more recent 2017 breach).

This article looks at the biggest HIPAA fines to date. We’ve seen the pace and scope of data breaches in healthcare (and other industries) increase. Thus, even more concerning about the wild summer healthcare experienced in 2017 is that HIPAA fines tend to be levied are for breaches that occurred 3-4 years earlier. Given the size and scope of yet the un-penalized breaches, we could reasonably expect the sum of such fines to exceed $100 million per year in the near future.

We think of these examples as precautionary tales of the repercussions for HIPAA non-compliance, and probably one of the more useful top ten lists any healthcare organization should read. That said, here are the 10 biggest settlements to date.

Advocate Health System (Downers Grove, Ill.): $5.55 million

Breach Date: July – November 2013
Settled in: August 2016
Records Breached: ~ 4 million

This first HIPAA violation occurs in a way that seems to reoccur in many incidents – stolen computers. In July 2013, 4 computers with the records of nearly 4 million patients were stolen from Advocate property. The second incident, throughout the summer of 2013, involved unauthorized third party access. In the third incident, during November 2013, again, an unencrypted laptop was stolen from an employee’s car that contained further patient records. Two years on, their fine still stands as the largest-ever HIPAA fine. It is no longer the biggest breach of patient data however – that crown belongs to Anthem.

Details on The Advocate Health System Data Breach Settlement

Memorial Healthcare Systems (MHS): $5.5 million

Breach dates: April 2011 – April 2012
Settlement: February 2017
Records breached: ~ 195,000

It started off with the discovery that employees and staff had not only accessed PHI (Protected Health Information) without authorization, but that they had also used the data to file false tax returns. The investigation led to the discovery that patients’ records were being accessed without authorization since April 2011. There had been policies in place that could’ve protected this, but there had been a failure to properly implement and enforce them. It is interesting to note that, in this case, the HIPAA fine could’ve been a lot higher, but MHS settled and got off the “easy”. Fines could’ve been $1.5 million per violation per year, and the US Department of Health and Services (DHSS – responsible for HIPAA eforcement) found several violations going back over a period of 5 years.

Read more about the settlement, and proceedings on the Department of Health and Human Services website.

New York Presbyterian Hospital and Columbia University: $4.8 million

Breach dates: September 2010
Settlement: May 2014
Records breached: 6800

The biggest HIPAA fine the time, they were fined a combined $4.8 million after someone complained to the Hospital on finding their deceased partner’s confidential PHI online!!!

The breach was caused when a physician employed by the university, who had developed applications, “attempted to deactivate a personally owned computer server on the network.” Technical elements aside, it resulted in ePHI of 6800 research subjects showing up on Google. That’s pretty bad.

As an aside, a couple years later the Hospital was slapped with another HIPAA fine – this time for allowing a film crew to record a dying patient, and another in pain.

It should be very clear. It is not only about records and liability, it’s about protecting patients from real damage or distress.

Read the NYP and Columbia University settlement agreement.

Cignet Health: $4.351 million

Breach dates: September 2008 and October 2009
Settlement: Feb 2011
Records breached: 0

Another record fine at the time, this one was very different. As a part of protecting patients, HIPAA requires health providers provide patients their medical records upon request. This fine was issued as Cignet failed to produce records that 41 patients requested and then refused to cooperate properly with investigators.

Read more about the whole mess here, and why they were fined 4.3 million. 

The University of Texas MD Anderson Cancer Center: $4.348 Million

Breach dates: March 2011 – January 2013
Settlement: June 2018
Records breached: 33,500

Another example of stolen devices, this time an unencrypted laptop and 2 USB devices. Another case of having the policies in place that would have protected the data – but a failure to implement the policies proved very costly. In a 2010-2011 report, the University had clearly identified that encryption of confidential data and mobile media was a real risk. The next year, having not properly acted, it proved prophetic.

On the HHS website: “Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations“

Feinstein Research: $3.9 Millions

Breach dates: Feb 2012
Settlement: March 2016
Records breached: 13,000

Another stolen unencrypted laptop costed much more than the stolen laptop. This time it was the Feinstein Institute for Medical Research, in New York. To make a comparison, how would you feel if your employer left 200 pounds of your gold sitting in the backseat of your car? You wouldn’t have to. You would never let it happen. It would be in an armored truck. Yet laptops? And your customer’s data?

Read the agreement regarding the Feinstein HIPAA violation settlement and corrective action plan.

Triple-S: $3.5 million + TBD

Breach dates: Several
Settlement: 2015 + TBD
Records Breached: Over 36,000

While these were separate violations, with one yet to go through the courts, the latest is bigger than the first. If we revisit this list at a later date, the fine yet to be issue will be higher on this list. The gist of this violation: Don’t mail out confidential patient information to the wrong patients. That should be pretty basic. Right? Better tools and better safeguards should help. Then again, this case probably highlights how challenging it can be for a health providers to remain HIPAA compliant.

Read more about the complexity of Triple-S HIPAA violations. 

Fresenius Medical Care North America: $3.5 million

Breach incident Dates: February – June 2012
Settlement Date: January 2018
Records Breached: Unknown

The violations include 5 different violations, including; how security incidents were addressed, hardware movement and access to confidential information policies, safeguarding hardware from theft and tampering, and encryption policies.

The Extensive Fresenius Resolution Agreement and Corrective Action Plan

Children’s Medical Center of Dallas $3.2 million

(Breach) Incident Dates: 2007 – 2012
Settlement Date: January 2017
Records Breached: Unclear

It is unclear what the number of records breached here was. What is clear is that there were multiple of HIPAA violations going on, ranging from unencrypted Blackberries being given to employees, to unencrypted Blackberries being stolen, a lost iPod(!) with ePhi(!?), a stolen unencrypted laptop, and more.

Read the detailed Notice of Final Determination regarding the list of HIPAA Violations

(Un)Honorable Mention: Anthem Data Breach

Breach incident Dates: February 2015
Settlement Date: TBD (HIPAA)
Records Breached: Over 78 Million

While Anthem reached a $115 million settlement to settle lawsuits, no federal penalty has been handed down. A lot will depend on determinations as to whether proper safeguards were in place. It would be surprising if none was handed down, and if it is not the largest ever. By comparison, Advocate was a small 4 million records. When it comes to HIPAA penalties, it should be clear that the size of the breach matters less than how it happened. But yet, the size of this is too large to imagine it wouldn’t rank in the top ten biggest HIPAA penalties to date.

How To Not Find Your Name On This Or Any Similar List

If these HIPAA fines sound like they are a lot, they are a pittance compared to the costs these companies face as a result of the breaches. Anthem’s HHS penalty will be a small percent of the estimate to be over the $260 million it’s already cost them. The bigger hits generally come from civil lawsuits, completely overhauling security, lawyers for 3-4 yearlong  investigations, brand damage and so on.

HIPAA Violations tend to be symptomatic of a poor security culture. If you are a healthcare service provider looking at data security, mind those laptops, USB keys, and iPods – that PHI has some of the highest street values out there. Implement leading encryption for your PHI. Monitor and prevent unauthorized access.

Of course it is way more complex to ensure the security of a network with thousands of employees, outside partners, and many more patients. It’s evident from the difficulty many health organizations are experiencing in protecting their networks. This is true across the board for many industries. The point of this is to both highlight a small fraction of the downside risk (HIPAA might represent a small piece of the overall cost of the violation) and illustrate the difficulty of applying a foolproof cyber security system. In most cases here, there was a system that was inadequately implemented and enforced. No matter the industry, the same perhaps oversimplified mantra applies to cyber security.

Step 1: Determine the system of security that you need, based on your organizational structure, your industry needs, and the downside risk.

Step 2: Implement and enforce that system, only as painful and as inconvenient as is absolutely necessary. You’ll find the convenience of not getting fined, sued or other cumbersome task far more preferable.

All about HIPAA and protecting Health Information Privacy on the HHS website.

Explore more of the HIPAA Fines in this well organized directory.

Vircom provides a fully HIPAA compliant email security, encryption and archiving solution.

Consider working on a HIPAA Compliance Checklist