6 biggest HIPAA breach fines


5. $1.7 million – Alaska Department of Health and Human Services – June 2012

Individuals affected: 501 – An unencrypted USB hard drive containing patient information was stolen from a DHSS employee’s car. After conducting an investigation, OCR officials found that DHSS had failed to complete a risk analysis, implement adequate security measures, provide security training for its employees, or address device encryption.

5. $1.7 million – WellPoint – July 2013

Individuals affected: 612,402 – The protected health information, Social Security numbers and demographic data of patients were accessible to unauthorized users over the Internet for nearly five months. An OCR investigation determined that WellPoint had failed to perform an adequate technical evaluation in response to a software upgrade. The managed care company also neglected to implement user verification technology for its Web-based patient database.

Photo: Plurimus, 2009

4. $1.73 million – Concentra Health Services – April 2014

Individuals affected: 870 – An unencrypted Concentra laptop was stolen in November 2011. According to OCR officials, from 2008 to 2012 the healthcare company failed to manage its encryption policies, identify which assets needed to be encrypted, and document why encryption was not reasonable in certain cases. In 2008, almost 28 percent of Concentra laptops were not encrypted, and a complete inventory assessment of the problem did not occur until four years later.

Photo: M.O. Stevens, via Wikimedia Commons

3. $2.25 million – CVS Pharmacy – January 2009

Individuals affected: NA – A 2007 OCR investigation, launched in response to media reports on the topic, found that several CVS pharmacies were disposing of protected health information in public dumpsters. In collaboration with OCR, the Federal Trade Commission also launched an investigation into CVS. Officials determined that the pharmacy chain did not have adequate policies and safeguards in place to protect patient data and dispose of it properly.

Photo: Ron Cogswell, 2011

2. $4.3 million – Cignet Health Center – October 2010

Individuals affected: 41 – From 2008 to 2009 the Maryland-based health center denied 41 patient requests for their medical records, for which the medical group practice was fined $1.3 million. Moreover, during the investigation into the Cignet allegations, the practice refused to respond to several of OCR’s demands to produce the records and failed to cooperate with investigation requests, OCR officials said. For this, the practice was fined a further $3 million.

Photo: Google, 2013

1. $4.8 million – New York Presbyterian Hospital and Columbia University – May 2014

Individuals affected: 6,800 – An OCR investigation found that the HIPAA breach occurred when a CU physician, who developed applications for NYP and CU, attempted to deactivate a personally owned computer server on the network that contained ePHI. Due to a lack of technical safeguards, the server deactivation resulted in ePHI becoming accessible via Google. The data was so widely accessible online that the entities learned of the breach only after receiving a complaint from an individual who found the ePHI of their deceased partner, a former NYP patient, online.

Photo: Paul VanDerWerf, 2014
