12 largest fines levied for HIPAA violations

Last week, the Department of Health and Human Services’ Office for Civil Rights levied the largest fine ever against a provider organization for violations of the Health Insurance Portability and Accountability Act, or HIPAA. The penalty totaled $5.55 million against Advocate Health Care. Monetary fines aren’t the only expenses faced by healthcare organizations, because they also enter into agreements to implement corrective action plans, taking a series of agreed-to steps to ensure that security and privacy problems are not repeated.

Here’s a list of the top 12 fines levied by OCR and the violations that precipitated the actions.

Advocate Health Care
Fine: $5.55 million
Action announced: August 4, 2016
In 2013, Advocate submitted three breach notification reports involving separate incidents within its Advocate Medical Group subsidiary and affecting about 4 million individuals. OCR found substantial deficiencies in how Advocate conducted risk assessments of electronic protected health information; how it implemented policies, procedures and facility access controls to limit access to electronic health records; how it oversaw the safeguarding of ePHI by business associates; and how it safeguarded an unencrypted laptop left in an unlocked vehicle overnight.
Advocate Health Care response: Advocate released the following statement on the agreement with OCR: “Protecting the privacy and confidentiality of our patients while delivering the highest level of care and service are our top priorities. As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring. While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients. We continue to cooperate fully with the government to advance our patient privacy protection efforts.”
New York-Presbyterian Hospital and Columbia University
Fine: $4.8 million
Action announced: May 7, 2014
New York-Presbyterian Hospital and Columbia University collectively paid $4.8 million to settle charges of violating HIPAA privacy and security rules. The hospital paid $3.3 million and the university paid $1.5 million, with both agreeing to implement corrective action plans. On Sept. 27, 2010, the organizations submitted a joint breach report to OCR after learning that protected health information on 6,800 patients was accessible on Google and other Internet search engines. The compromised data included patient status, vital signs, medications and lab reports.
New York-Presbyterian Hospital and Columbia University response: In the OCR settlements and resolution agreements, neither covered entity admitted liability, and OCR said the resolution agreements were not a concession by the agency that the entities were not in violation of HIPAA and were not liable for civil money penalties.
Cignet Health
Fine: $4.3 million
Action announced: February 4, 2011
The fine was the first “civil money penalty” imposed on a healthcare organization under the privacy rule; the amount of the fine was based on increased penalty amounts authorized under the HITECH Act. OCR said Cignet did not cooperate in an investigation and did not agree to a corrective action plan. OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records. During the investigations, Cignet refused to respond to OCR’s repeated demands to produce the records and didn’t cooperate with OCR’s investigations of the complaints, the agency said.
Cignet Health response: Executives of the organization could not be reached for comment on the settlement.
Feinstein Institute for Medical Research
Fine: $3.9 million
Action announced: March 17, 2016
Feinstein Institute for Medical Research agreed to pay $3.9 million to settle potential HIPAA Privacy and Security Rule violations and undertake a substantial corrective action plan to bring its operations into compliance. Feinstein is a wholly controlled subsidiary of Northwell Health Inc., formerly known as North Shore Long Island Jewish Health System, a large organization headquartered in Manhasset, N.Y., that comprises 21 hospitals and more than 450 patient facilities and physician practices.
Feinstein Institute for Medical Research response: Feinstein Institute issued the following statement to HDM: “The Feinstein Institute greatly values the commitment of research participants to advance discoveries that improve the health of our community. As such, subsequent to the theft in 2012, we implemented corrective action—new policies and procedures—to ensure the Feinstein Institute is a safe and protective environment for research. To ensure privacy and confidentiality of our research participants, we conduct consistent reviews and updates to our security procedures.”
Triple-S Management Corp.
Fine: $3.5 million
Action announced: November 30, 2015
Triple-S Management Corp. is the Blue Cross and Blue Shield licensee in Puerto Rico. In the fall of 2010, employees of a competitor of Triple-S on multiple occasions downloaded PHI on 398,000 Blues members into the competitor’s information systems by using active user IDs and passwords specific to Triple-S’ database. The employees of the competitor had previously worked at Triple-S, and their access rights had not been terminated when they left. The competitor, upon learning of the breach, informed Triple-S. On at least six other occasions from November 2013 to August 2015, Triple-S reported to OCR breaches that occurred when PHI, including names, addresses and health insurance claim numbers, was printed on the outside of pamphlets mailed to beneficiaries.
Triple-S Management response: “Triple-S is committed to protecting the privacy and security of its beneficiaries’ health information and implementing the corrective action plan entered into with OCR,” Ramon Ruiz, president and CEO, said in a statement. “We are pleased with the agreement and regard it as an opportunity to strengthen our privacy policies. We have appreciated OCR’s technical assistance to date, and look forward to our collaboration in the future.”
University of Mississippi Medical Center
Fine: $2.75 million
Action announced: July 21, 2016
UMMC agreed to settle multiple alleged HIPAA violations, specifically a breach of unsecured electronic protected health information affecting approximately 10,000 individuals. During the investigation, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet no significant risk management activity occurred until after the breach. UMMC also adopted a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules.
University of Mississippi Medical Center response: In a statement, UMMC noted it has initiated substantial improvements in information security in recent years. Improvements include encryption of all laptops; restructuring of the role and reporting relationships of the chief information security officer; and implementing an outside assessment and overhaul of its IT security program. “We have learned from this experience and are working hard to ensure that our information security program meets or exceeds the highest standard,” says LouAnn Woodward, MD, vice chancellor for health affairs.
Oregon Health & Science University
Fine: $2.7 million
Action announced: July 18, 2016
Oregon Health & Science University signed a HIPAA resolution agreement and corrective action plan, which included a $2.7 million fine, following two breaches in 2013. The incidents involved a stolen laptop and use of cloud storage services without having a business associate agreement in place. After the incidents, OHSU offered identity theft protection services to more than 7,000 affected individuals and implemented a data encryption program.
Oregon Health & Science University response: In a statement, OHSU CIO Bridget Barnes said the university made significant security enhancements after the breaches and now is engaging an external consultant and creating a steering committee to oversee the corrective action plan, which includes identifying and assessing vulnerabilities and risks. “In the face of these challenges, OHSU is proactively working to ensure the creation of a sustainable gold standard for protected health information security and HIPAA compliance,” Barnes said.
CVS Pharmacy
Fine: $2.25 million
Action announced: January 16, 2009
The Department of Health and Human Services reached an agreement with CVS Pharmacy Inc. to settle potential violations of the HIPAA Privacy Rule. To resolve the Department’s investigation of its privacy practices, CVS agreed to pay $2.25 million and implement a detailed corrective action plan to ensure the appropriate disposal of protected health information such as labels from prescription bottles and old prescriptions. In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.
CVS Pharmacy response: Executives of CVS were not immediately available for a response to the OCR action.
New York Presbyterian Hospital
Fine: $2.2 million
Action announced: April 21, 2016
New York-Presbyterian Hospital was fined $2.2 million under sanctions handed down by the HHS Office for Civil Rights and entered into a corrective action plan for unauthorized filming of two patients while participating in the “NY Med” television series. OCR said the violation was a result of flaws in NYP’s judgment in allowing filming of the TV series. OCR found that NYP gave the network “virtually unfettered access to its healthcare facility,” which created an environment where PHI could not be protected.
New York Presbyterian Hospital response: In its statement on the sanctions, the facility said it reached an agreement with the Office for Civil Rights “in order to bring closure to OCR’s review process. Our participation in the ABC News documentary program ‘NY Med’ was intended to educate the public and provide insight into the complexities of medical care and the daily challenges faced by our dedicated and compassionate medical professionals...The hospital continues to maintain that the filming of this documentary program did not violate the HIPAA Privacy Rule.”
Concentra Health Services
Fine: $1.73 million
Action announced: April 22, 2014
OCR fined provider organization Concentra Health Services $1,725,220, contending it demonstrated long-time non-compliance with HIPAA. Concentra, a subsidiary of Humana, had an unencrypted laptop stolen from a physical therapy center in Springfield, Mo., on Nov. 30, 2011, with protected health information on 870 individuals. OCR found that Concentra failed to remediate an identified lack of encryption or to document why encryption was not reasonable and implement an alternative measure from October 27, 2008 until June 22, 2012.
Concentra Health Services response: In a statement, the company said that, “Since self-reporting a stolen company laptop in 2011, Concentra has worked closely with the U.S. Department of Health and Human Services Office for Civil Rights to ensure confidentiality of protected health information. We received no indication that any information on the laptop was accessed or used inappropriately. Concentra remains focused on serving the health and well-being needs of our employers and patients with the highest integrity and utmost respect.”
WellPoint
Fine: $1.7 million
Action announced: July 11, 2013
WellPoint agreed to pay $1.7 million to settle potential violations of HIPAA privacy and security rules. OCR’s investigation indicated that WellPoint did not: adequately implement policies and procedures for authorizing access to the on-line application database; perform an appropriate technical evaluation in response to a software upgrade to its information systems; or have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database. The investigation indicated that WellPoint impermissibly disclosed the ePHI of 612,402 individuals.
WellPoint response: Executives of WellPoint, owned by Anthem Inc., were not immediately available for a response to the OCR action.
Alaska Department of Health and Social Services
Fine: $1.7 million
Action announced: June 26, 2012
Alaska Department of Health and Social Services reported that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. Over the course of the investigation, OCR found that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.
Alaska Department of Health and Social Services response: Executives of the Alaska DHSS were not immediately available for a response to the OCR action.