© 2013 by JA Brown Consultants. Proudly created with Wix.com

2018 HIPAA Violation Fines

| Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|
| Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI |
| Fresenius Medical Care North America | $3,500,000 | Settlement | Multiple HIPAA violations + risk analysis |
| Univ. of Texas MD | $4,300,000 | Settlement | Theft of laptop + 2 unencrypted USB drives |
| Licensee of Blue Cross/Blue Shield | $16,000,000 | Agreement | Series of cyber-attacks |
| Allergy Assoc of Hartford | $125,000 | Agreement | Disclosure of PHI to reporter |
| Advanced Care Hospitals | $500,000 | Agreement | Shared PHI with unknown vendor |
| Pagosa Springs Medical Center | $111,400 | Agreement | Failed to terminate employee's access to PHI |
| Cottage Health | $3,000,000 | Settlement | Violations of HIPAA Rules |

2017 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2017 | 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA violations |
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless handling of PHI |
| 2017 | St. Luke's-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized disclosure of PHI |
| 2017 | The Center for Children's Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement |
| 2017 | CardioNet | $2,500,000 | Settlement | Impermissible disclosure of PHI |
| 2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of security management process |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI access controls |
| 2017 | Children's Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible disclosure of ePHI |
| 2017 | MAPFRE Life Insurance Co of Puerto Rico | $2,200,000 | Settlement | Impermissible disclosure of ePHI |
| 2017 | Presence Health | $475,000 | Settlement | Delayed breach notifications |


Source: HHS, Federal Register.gov

2017 HIPAA Fines

| Date | Organization | Fine | Link to OCR Settlement |
|---|---|---|---|
| January 9, 2017 | Presence Health | $475,000 | First HIPAA enforcement action for lack of timely breach notification settles for $475,000 |
| January 18, 2017 | MAPFRE | $2,200,000 | HIPAA settlement demonstrates importance of implementing safeguards for ePHI |
| February 1, 2017 | Children's Medical Center of Dallas | $3,200,000 | Lack of timely action risks security and costs money |
| February 16, 2017 | Memorial Healthcare Systems | $5,500,000 | $5.5 million HIPAA settlement shines light on the importance of audit controls |
| April 12, 2017 | Metro Community Provider Network | $400,000 | Overlooking risks leads to breach, $400,000 settlement |
| April 20, 2017 | Center for Children's Digestive Health | $31,000 | No Business Associate Agreement? $31K mistake |
| April 24, 2017 | CardioNet | $2,500,000 | $2.5 million settlement shows that not understanding HIPAA requirements creates risk |
| May 10, 2017 | Memorial Hermann Health System | $2,400,000 | Texas health system settles potential HIPAA violations for disclosing patient info |
| May 23, 2017 | St. Luke's Roosevelt Hospital System | $387,200 | Careless handling of HIV information jeopardizes patient's privacy, costs entity $387k |

TOTAL: $17,093,200 for just the first 5 months of the year

The average business associate (BA) breach costs more than $1 million.

But it doesn't stop there!

You also have to run your own anti-marketing campaign, which can cost you dearly in time and money:

- You have to post notice of the breach on your website.
- You have to place notices in the press.
- You have to send a letter to each individual whose health data was disclosed.
- You have to notify the HIPAA authorities.

Financial penalties under HIPAA are only a portion of the total cost of a breach. Legal fees, consultant fees, and the cost of fixing the security vulnerabilities that allowed the breach pile on as well.