
HIPAA Violation Examples: Real Cases, Fines & Lessons Learned

The Office for Civil Rights (OCR) has resolved well over a hundred HIPAA enforcement cases through settlements and civil money penalties since it began enforcing the rules, with the cumulative amount now well above $100 million. Understanding real violation cases helps organizations recognize where their own compliance gaps may exist. This guide examines the most significant HIPAA enforcement actions, categorizes violations by type, and provides actionable lessons to prevent similar breaches in your organization.

Unauthorized Access and Disclosure Violations

Unauthorized access to protected health information (PHI) remains the most common category of HIPAA violations. The 2015 Anthem Inc. breach, which affected 78.8 million individuals, was the largest health data breach reported to OCR at the time, and Anthem's $16 million settlement in 2018 remains the largest HIPAA settlement on record. OCR found that Anthem had failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected security incidents, and lacked adequate minimum access controls. In another significant case, the University of California Los Angeles Health System paid $865,500 in 2011 after employees repeatedly accessed celebrity medical records without authorization. Memorial Healthcare System paid $5.5 million in 2017 for a breach affecting 115,143 individuals; OCR found that the login credentials of a former employee of an affiliated physician's office had been used to access Memorial's ePHI daily for roughly a year without detection. Despite having identified this risk in its own risk analyses, Memorial neither regularly reviewed its information system activity records nor implemented procedures to review, modify, or terminate user access. These cases demonstrate that unauthorized access can stem from both external attacks and insider threats, and that access provisioning, de-provisioning, and routine review of audit logs are as essential to a HIPAA compliance program as the controls that keep outsiders out.
  • Anthem Inc. paid $16 million for the largest HIPAA settlement following a breach of 78.8 million records
  • UCLA Health paid $865,500 for employees accessing celebrity medical records without authorization
  • Memorial Healthcare paid $5.5 million after a former employee's credentials were used daily for about a year to access PHI without detection
  • Unauthorized access violations often involve both external hackers and internal workforce members
  • Enterprise-wide risk analysis is critical to identifying unauthorized access vulnerabilities

Lost and Stolen Device Violations

Lost and stolen devices containing unencrypted PHI have produced some of the most easily preventable HIPAA settlements. Concentra Health Services settled for $1,725,220 in 2014 after an unencrypted laptop was stolen from one of its physical therapy centers; OCR noted that Concentra's own risk analyses had flagged its unencrypted laptops as a critical risk years earlier, but its encryption rollout was incomplete and inconsistent. QCA Health Plan paid $250,000 the same year after an unencrypted laptop was stolen from a workforce member's car. The Alaska Department of Health and Social Services paid $1.7 million in 2012 after a portable USB hard drive possibly containing PHI was stolen from an employee's vehicle. The pattern is clear: organizations that fail to encrypt portable devices face severe consequences when those devices are lost or stolen. Encryption of ePHI at rest and in transit is an addressable implementation specification under the Security Rule (45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii)), meaning organizations must either implement it or document why an equivalent alternative measure is reasonable and appropriate. In practice there is rarely an acceptable alternative for portable devices that store or access PHI, and OCR settlements reflect this expectation. Encryption also has a second payoff: a lost or stolen device whose data is encrypted consistent with HHS guidance does not hold "unsecured PHI" under the Breach Notification Rule, so the loss is not a reportable breach at all.
  • QCA Health Plan paid $250,000 after an unencrypted laptop was stolen from a workforce member's car
  • Alaska DHSS paid $1.7 million after a USB drive with PHI was stolen from an employee's car
  • Concentra Health settled for $1.7 million over a stolen unencrypted laptop
  • Encryption of portable devices is effectively mandatory despite being an addressable specification
  • Device encryption would have kept most of these incidents from becoming reportable breaches, let alone settlements

Improper Disposal and Data Handling Violations

Improper disposal of PHI has led to significant enforcement actions when organizations fail to destroy or secure records. Parkview Health System paid $800,000 in 2014 after employees left 71 cardboard boxes of medical records unattended in the driveway of a retiring physician's home. FileFax Inc., a medical records storage company, was investigated after the records of about 2,150 patients turned up at a shredding and recycling facility; OCR found the records had been left in an unlocked truck in FileFax's parking lot, and in 2018 the company's receiver paid a $100,000 settlement even though FileFax had by then ceased operations. Cornell Prescription Pharmacy paid $125,000 in 2015 after a Denver news outlet found unshredded documents containing the PHI of 1,610 patients in an unlocked, open container on its premises. New England Dermatology and Laser Center paid $300,640 in 2022 for discarding empty specimen containers bearing patient labels in a regular dumpster. These cases highlight that HIPAA requires covered entities and business associates to implement policies and procedures for the proper disposal of PHI in all forms, including paper records, electronic media, and even physical items like specimen containers. The disposal requirement extends to all media that contain PHI, and organizations must document their disposal methods and verify that business associates handling disposal comply with HIPAA requirements as well.
  • Parkview Health paid $800,000 for leaving 71 boxes of medical records on a driveway
  • Records left in an unlocked truck, an open container, or a dumpster have each triggered OCR enforcement
  • Proper disposal requirements apply to paper, electronic media, and physical items containing PHI
  • Organizations must document disposal procedures and verify business associate compliance
  • Even small pharmacies face enforcement for improper disposal of prescription records

Risk Analysis and Risk Management Failures

Failure to conduct a thorough, enterprise-wide risk analysis is the single most common finding in HIPAA enforcement actions. Premera Blue Cross (whose $6.85 million settlement in 2020 followed a phishing-delivered malware intrusion affecting 10.4 million individuals that went undetected for about nine months), Anthem, Banner Health ($1.25 million in 2023), and numerous other settled cases all cited inadequate risk analysis as a contributing factor. Oregon Health & Science University paid $2.7 million in 2016 after multiple breaches revealed a systemic failure to implement risk management across the organization. CardioNet paid $2.5 million in 2017 after a laptop containing PHI was stolen from an employee's parked car; the investigation found that the company's risk analysis and risk management processes were insufficient and that its Security Rule policies were still in draft. The risk analysis requirement under 45 CFR 164.308(a)(1)(ii)(A) mandates that covered entities and business associates conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic PHI. This must be ongoing, not a one-time event. Organizations must update their risk analysis when they adopt new technologies, experience environmental or operational changes, or encounter security incidents. OCR has published guidance on risk analysis methodology that references NIST SP 800-30, and organizations that follow a structured methodology are far better positioned to defend their compliance posture during an investigation.
  • Inadequate risk analysis is the most frequently cited finding in HIPAA settlements
  • OHSU paid $2.7 million due to systemic risk management failures across the organization
  • Risk analysis must be enterprise-wide, thorough, and ongoing rather than a one-time event
  • OCR recommends following NIST SP 800-30 methodology for conducting risk assessments
  • Organizations must update risk analyses when technologies, operations, or environments change

Business Associate Violations

Business associates are directly liable for HIPAA compliance, and several major settlements have targeted these entities. Medical Informatics Engineering (MIE), an electronic health record vendor acting as a business associate, paid $100,000 to OCR in 2019, alongside a $900,000 settlement with a coalition of state attorneys general, after attackers used a compromised user ID and password to access the ePHI of about 3.5 million individuals; OCR found MIE had never conducted a comprehensive risk analysis. Advanced Care Hospitalists paid $500,000 in 2018 after patient records were found viewable on the website of a billing service it had engaged without a business associate agreement. CHSPSC LLC, a management company providing services to Community Health Systems hospitals, paid $2.3 million in 2020 after an advanced persistent threat group accessed the PHI of 6.1 million individuals through its systems; the FBI had notified CHSPSC of the intrusion in April 2014, yet the attackers kept access until August 2014. These cases illustrate that covered entities cannot transfer their compliance obligations by outsourcing to business associates. Both parties share responsibility. Covered entities must ensure BAAs are in place, conduct due diligence on business associate security practices, and respond promptly when they learn of potential compliance issues. Business associates must independently meet the Security Rule requirements applicable to them and report breaches to their covered entity partners within the timeframe their agreements specify, and in any case within the 60 days after discovery that the Breach Notification Rule allows.
  • Business associates face direct HIPAA enforcement and liability since the 2013 Omnibus Rule
  • CHSPSC paid $2.3 million after hackers accessed 6.1 million records through its systems
  • Covered entities must conduct due diligence on business associate security practices
  • BAAs must be in place before any PHI is shared with a business associate
  • Both covered entities and business associates share responsibility for PHI protection

How to Avoid HIPAA Violations

The patterns across hundreds of HIPAA enforcement actions reveal consistent themes that organizations can address proactively. First, conduct a comprehensive risk analysis annually and whenever significant changes occur, using a recognized methodology such as NIST SP 800-30. Second, encrypt all devices that store or access PHI, including laptops, smartphones, tablets, USB drives, and backup media. Third, implement robust access controls including unique user identification, automatic logoff, and audit logging, with regular review of access logs to detect unauthorized activity. Fourth, establish and enforce policies for the proper disposal of all media containing PHI. Fifth, execute business associate agreements with every vendor that creates, receives, maintains, or transmits PHI, and verify their compliance periodically. Sixth, train all workforce members on HIPAA requirements and document that training. Seventh, implement and test an incident response plan so your organization can respond quickly when breaches occur. Organizations that address these seven areas systematically will significantly reduce their risk of HIPAA violations and the severe financial penalties that accompany them.
  • Conduct comprehensive risk analysis annually using NIST SP 800-30 methodology
  • Encrypt all portable devices and media that store or access PHI
  • Implement access controls with unique user IDs, auto logoff, and audit logging
  • Establish documented policies for proper disposal of all PHI-containing media
  • Execute BAAs with every vendor handling PHI and verify their compliance regularly
  • Train all workforce members and maintain documentation of completed training
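The Memorial Healthcare and UCLA cases above, and the third step here (audit logging with regular review of access logs), both come down to the same routine check: replaying EHR access events against the identity roster and the treatment relationships you already know about. The script below is an added example, not code from the original article or from any vendor named on this page. Its log format, the account roster (`ACCOUNTS`), the assignment table (`ASSIGNMENTS`) and the restricted-chart list (`RESTRICTED`) are all constructed for the example; a real deployment would read them from the EHR's audit export and the identity system, and the rule names are this example's own.

```python
"""Audit-log review for the two insider-access patterns OCR cited above:
use of a de-provisioned account (Memorial Healthcare) and access to
restricted charts by someone with no care relationship (UCLA).

Added example, not from the original article. All data below is constructed.
"""
from datetime import datetime

# Constructed sample audit export: "timestamp user mrn action" per line.
SAMPLE_LOG = """\
2024-03-04T09:12:03 rlee MRN1001 view
2024-03-04T09:15:44 rlee MRN1002 view
2024-03-04T10:02:10 jdoe MRN1003 view
2024-03-04T10:05:51 jdoe MRN9001 view
2024-03-04T10:06:20 jdoe MRN9001 print
2024-03-04T11:30:05 mkhan MRN1004 view
2024-03-05T08:45:00 mkhan MRN9001 view
2024-03-05T08:47:12 mkhan MRN9002 view
2024-03-05T03:10:00 tmp_audit MRN1005 view
"""

# Constructed identity roster: account -> termination timestamp (None = active).
# mkhan left on 31 Jan 2024 but the EHR account was never disabled.
ACCOUNTS = {"rlee": None, "jdoe": None, "mkhan": datetime(2024, 1, 31, 17, 0)}

# Constructed treatment relationships: user -> charts they are assigned to.
ASSIGNMENTS = {"rlee": {"MRN1001", "MRN1002"}, "jdoe": {"MRN1003"}}

# Constructed restricted-chart list (the EHR's VIP/confidential flag).
RESTRICTED = {"MRN9001", "MRN9002"}


def parse_log(text):
    """Parse 'timestamp user mrn action' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "mrn": mrn, "action": action})
    return events


def classify(event, accounts, assignments, restricted):
    """Yield the name of each rule the event violates (possibly several)."""
    user = event["user"]
    if user not in accounts:
        # Nobody in the identity system owns this login: investigate first.
        yield "unknown-account"
    elif accounts[user] is not None and event["ts"] > accounts[user]:
        # Activity after the termination date means de-provisioning failed.
        yield "terminated-account"
    if event["mrn"] in restricted and event["mrn"] not in assignments.get(user, set()):
        # Restricted chart opened by someone with no documented care relationship.
        yield "restricted-no-relationship"


def review(events, accounts, assignments, restricted):
    """Aggregate violations per (rule, user) so an analyst sees one line per actor."""
    agg = {}
    for e in events:
        for rule in classify(e, accounts, assignments, restricted):
            f = agg.setdefault((rule, e["user"]),
                               {"rule": rule, "user": e["user"], "count": 0,
                                "mrns": set(), "first": e["ts"], "last": e["ts"]})
            f["count"] += 1
            f["mrns"].add(e["mrn"])
            f["first"] = min(f["first"], e["ts"])
            f["last"] = max(f["last"], e["ts"])
    return sorted(agg.values(), key=lambda f: (f["rule"], f["user"]))


def run_review():
    """Run the review over the constructed sample data."""
    return review(parse_log(SAMPLE_LOG), ACCOUNTS, ASSIGNMENTS, RESTRICTED)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['rule']:28} {f['user']:10} events={f['count']} "
              f"charts={sorted(f['mrns'])} {f['first']}..{f['last']}")
```

Run on the sample it reports four findings: jdoe and mkhan each opened restricted charts they are not assigned to, every one of mkhan's eight-hundred-odd days of post-termination access collapses to a single line with a first and last timestamp, and the `tmp_audit` login is flagged because no one in the roster owns it. The aggregation is deliberate: the Memorial finding was that daily access went unnoticed for a year, and a reviewer reading one line per actor per rule is far more likely to notice that than one scrolling through per-event alerts. Note that the relationship rule deliberately ignores charts that are not flagged restricted; extending it to every chart needs a break-the-glass exception or it drowns legitimate emergency access in noise.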

Key Takeaways

  • The largest HIPAA settlement is $16 million (Anthem), showing the severe financial risk of non-compliance
  • Failure to conduct enterprise-wide risk analysis is the most common finding in enforcement actions
  • Encrypting portable devices would have prevented millions of dollars in settlements
  • Business associates face direct liability and enforcement under HIPAA since the 2013 Omnibus Rule
  • Improper disposal of PHI in any form, including paper and physical items, triggers enforcement
  • Organizations must implement ongoing risk management, not just one-time assessments
  • Proactive investment in seven key areas dramatically reduces HIPAA violation risk

Frequently Asked Questions

What is the largest HIPAA fine ever imposed?

The largest HIPAA settlement is $16 million, paid by Anthem Inc. in 2018 following a data breach that affected 78.8 million individuals. The investigation found failures in risk analysis, access controls, and information system activity review.

What are the most common types of HIPAA violations?

The most common HIPAA violations include failure to conduct a risk analysis, unauthorized access or disclosure of PHI, lost or stolen unencrypted devices, improper disposal of PHI, and lack of business associate agreements. Failure to perform an enterprise-wide risk analysis appears in the majority of OCR settlements.

Can employees be personally fined for HIPAA violations?

While OCR enforcement actions typically target organizations, the Department of Justice can pursue criminal penalties against individuals who knowingly obtain or disclose PHI in violation of HIPAA. Criminal penalties can include fines up to $250,000 and imprisonment up to 10 years for offenses committed with intent to sell or use PHI for personal gain.

How long does OCR have to investigate a HIPAA violation?

Two clocks matter. A complaint must be filed with OCR within 180 days of when the complainant knew or should have known of the act (45 CFR 160.306(b)(3)), though OCR may waive that limit for good cause. Separately, OCR may not impose a civil money penalty more than six years after the violation occurred (45 CFR 160.414). Within those limits, investigations routinely run for several years from the breach report or complaint before a settlement or penalty is announced.

What triggers an OCR HIPAA investigation?

OCR investigations are most commonly triggered by breach notifications, complaints filed by individuals, and periodic compliance audits. Breaches affecting 500 or more individuals must be reported to HHS within 60 days of discovery, and OCR opens an investigation into every one; breaches affecting fewer than 500 individuals are logged and reported to HHS annually and are investigated on a case-by-case basis.

Can a HIPAA violation result in criminal charges?

Yes. The Department of Justice handles criminal HIPAA enforcement. Penalties range from a $50,000 fine and one year imprisonment for knowing violations, up to $250,000 and 10 years imprisonment when PHI is obtained or disclosed with intent to sell, transfer, or use it for commercial advantage or personal gain.

How can small healthcare practices avoid HIPAA violations?

Small practices should conduct a risk analysis using OCR's free Security Risk Assessment Tool, encrypt all devices, train staff annually, implement access controls with unique logins, establish proper disposal procedures, and execute BAAs with all vendors. Many settlements involve small practices, so size does not exempt organizations from compliance.
