
HIPAA Violation Examples: Real Cases and Lessons for Healthcare Organizations

Posted: December 31, 1969 to Cybersecurity.

The Health Insurance Portability and Accountability Act has been federal law since 1996, yet healthcare organizations continue to make the same preventable mistakes that lead to devastating enforcement actions. The Office for Civil Rights at the U.S. Department of Health and Human Services does not just issue warnings. It imposes fines that can reach into the millions of dollars, publishes the details of every resolution agreement for the world to see, and has the authority to refer cases for criminal prosecution.

At Petronella Technology Group, we have spent over 23 years helping healthcare organizations across North Carolina and beyond build compliant IT environments. Our CEO Craig Petronella has authored 15 books on cybersecurity and compliance topics and has served as an expert witness in cases where HIPAA failures contributed directly to patient data breaches. That experience has given us an unfiltered view of how violations happen, what triggers investigations, and what separates organizations that survive enforcement actions from those that do not.

This guide walks through ten real OCR enforcement actions, breaks down the violation categories that appear most frequently, and provides concrete steps you can take to avoid becoming the next cautionary tale on the HHS breach portal.

Understanding HIPAA Violation Categories

Before examining specific cases, it helps to understand the three main categories of HIPAA rules that organizations violate. Each carries its own requirements and its own set of common failures.

Privacy Rule Violations

The Privacy Rule governs how protected health information is used and disclosed. Violations in this category include sharing patient records without authorization, failing to provide patients with access to their own records, lacking a designated privacy officer, and not having adequate notice of privacy practices. Privacy Rule violations often stem from operational failures rather than technical ones. Staff share information they should not, policies exist on paper but are not followed, and organizations fail to recognize that even well-intentioned disclosures can violate the rule.

Security Rule Violations

The Security Rule establishes standards for protecting electronic protected health information. It requires administrative safeguards like risk assessments and workforce training, physical safeguards like facility access controls and workstation security, and technical safeguards like access controls, encryption, and audit logging. Security Rule violations are the most common trigger for large fines because they represent systematic failures in how organizations protect data. Missing or incomplete risk assessments appear in nearly every major enforcement action.

Breach Notification Rule Violations

The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs. Notifications must happen within 60 days of discovery. Violations here typically involve delayed notification, incomplete notification, or failure to notify at all. Organizations sometimes do not realize a breach has occurred because they lack the monitoring systems to detect unauthorized access in the first place.

Ten Real OCR Enforcement Actions and What They Teach

Case 1: Anthem Inc. -- $16 Million (2018)

The largest HIPAA settlement in history resulted from a series of spear phishing emails that gave attackers access to the records of nearly 79 million individuals. The OCR investigation found that Anthem had failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, had failed to identify and respond to suspected or known security incidents, and had not implemented adequate minimum access controls to prevent unauthorized access to ePHI.

Lesson: Size does not equal security. Even the largest organizations in healthcare can fail at fundamental security practices. A comprehensive risk assessment would have identified the gaps that attackers exploited. The absence of that assessment was itself a violation, independent of the breach.

Case 2: Premera Blue Cross -- $6.85 Million (2020)

Attackers accessed Premera's systems for nearly nine months before being detected, compromising the records of 10.4 million individuals. The OCR found failures in risk analysis, risk management, and information system activity review. Premera had conducted a risk assessment but had not addressed the vulnerabilities it identified. The settlement included a corrective action plan requiring two years of monitoring.

Lesson: Conducting a risk assessment is only the first step. Organizations must actually remediate the findings. An assessment that sits in a drawer is worse than useless because it proves you knew about vulnerabilities and chose not to fix them.

Case 3: Banner Health -- $1.25 Million (2023)

A 2016 cyberattack compromised the records of 2.81 million individuals after attackers gained access through food and beverage payment processing systems before pivoting to healthcare data. The OCR found that Banner Health had not conducted a sufficient risk analysis and had failed to implement audit controls or adequate authentication mechanisms.

Lesson: Network segmentation matters. When payment processing systems and healthcare data systems share network access without proper segmentation, a breach in one area becomes a breach in all areas. This is exactly the kind of finding that a thorough HIPAA security assessment would surface before attackers do.

Case 4: Advocate Medical Group -- $5.55 Million (2016)

Three separate incidents contributed to this settlement. An unencrypted laptop was stolen from a vehicle, desktop computers were stolen during an office burglary, and an unauthorized third party accessed the electronic medical records of 2,000 patients. The combined incidents affected approximately 4 million patients. The OCR found failures in risk analysis, physical safeguards for electronic devices, and encryption implementation.

Lesson: Encryption is not optional. If the stolen laptop had been encrypted, the theft would not have constituted a breach under HIPAA because the data would have been rendered unusable. The cost of encrypting every device is trivial compared to a $5.55 million settlement.

Case 5: Memorial Healthcare System -- $5.5 Million (2017)

This case involved employees at an affiliated physician practice accessing the records of 115,143 patients without authorization over a period of more than a year. The OCR found that Memorial Healthcare had failed to implement audit controls, failed to regularly review information system activity, and had not established proper access controls to limit who could view patient records.

Lesson: Insider threats are HIPAA threats. Technical controls like role-based access, audit logging, and automated anomaly detection are necessary to catch unauthorized internal access. You cannot rely on policies alone when employees have unrestricted access to systems containing PHI.

Case 6: New York-Presbyterian Hospital and Columbia University -- $4.8 Million Combined (2014)

A physician attempting to deactivate a personal computer inadvertently made ePHI accessible on internet search engines, affecting 6,800 patients. The investigation revealed that neither organization had conducted an accurate and thorough risk analysis, technical safeguards were inadequate, and device and media controls were lacking.

Lesson: Shared IT environments between institutions create shared liability. When two organizations operate on the same network without clearly defined responsibilities and adequate technical controls, both are exposed when something goes wrong.

Case 7: Cignet Health of Prince George's County -- $4.3 Million (2011)

This was the first civil money penalty issued by OCR. Cignet denied 41 patients access to their own medical records and then refused to cooperate with the OCR investigation. The penalty included $1.3 million for the access denial and $3 million for willful neglect, based on its refusal to cooperate with the investigation.

Lesson: Patient access rights are enforceable. The right of patients to access their own records is not a suggestion. Equally important, refusing to cooperate with an OCR investigation dramatically increases the penalties. Cooperation and good faith remediation efforts consistently result in lower settlements.

Case 8: Children's Medical Center of Dallas -- $3.2 Million (2017)

An unencrypted BlackBerry device was lost in 2009, and an unencrypted laptop was stolen in 2013. Despite being warned about encryption deficiencies after the first incident, the organization failed to implement encryption across its device fleet for four additional years. The OCR found that the organization had been aware of the risk since 2007 and had repeatedly failed to act.

Lesson: Repeated failure to address known vulnerabilities is treated as willful neglect. OCR demonstrated through this case that it tracks organizational history. Being warned about a problem and failing to fix it over multiple years converts a correctable issue into an aggravating factor.

Case 9: University of Mississippi Medical Center -- $2.75 Million (2016)

A password-protected laptop was stolen from an intensive care unit, exposing 10,000 patient records. The investigation revealed broader systemic issues including no risk analysis, no risk management plan, and a failure to implement policies and procedures for safeguarding ePHI on mobile devices despite the organization being aware of risks since at least 2005.

Lesson: Password protection alone does not constitute adequate security for PHI on mobile devices. HIPAA requires encryption of ePHI in transit and at rest. Organizations must have formal mobile device management policies that are actually enforced.

Case 10: Presence Health -- $475,000 (2017)

Presence Health reported a breach involving paper-based operating room schedules containing PHI for 836 individuals. The issue was not the breach itself but the timing of the notification. Presence Health did not notify affected individuals until 104 days after discovering the breach, exceeding the 60-day notification requirement by 44 days.

Lesson: Breach notification timelines are strict. Even relatively small breaches involving paper records can result in enforcement actions if notification requirements are not met. Organizations need documented breach response procedures with clear timelines and assigned responsibilities. A well-prepared incident response plan eliminates the confusion that causes notification delays.

The Most Common HIPAA Violations

Across hundreds of OCR enforcement actions and thousands of complaint investigations, certain violations appear with striking regularity. Understanding these patterns helps organizations prioritize their compliance efforts.

Failure to conduct a comprehensive risk analysis is the single most common finding in major enforcement actions. It appears in virtually every settlement above $1 million. The risk analysis requirement is not satisfied by a checklist or a one-time assessment. It requires an ongoing, enterprise-wide evaluation of all systems that create, receive, maintain, or transmit ePHI.

Lack of encryption on portable devices continues to generate enforcement actions despite years of public awareness. Laptops, smartphones, USB drives, and tablets that contain or access ePHI must be encrypted. Full disk encryption is inexpensive and widely available. There is no justifiable reason for any healthcare organization to operate unencrypted devices in 2026.

Insufficient access controls enable both insider threats and external attacks. Role-based access, unique user identification, automatic logoff, and emergency access procedures are all Security Rule requirements that organizations frequently implement inadequately or not at all.

Inadequate audit logging and monitoring prevents organizations from detecting breaches when they occur and from demonstrating compliance during investigations. If you cannot show who accessed what data and when, you cannot demonstrate that access was appropriate.

Failure to manage business associate agreements exposes organizations to liability for the actions of their vendors. Every entity that handles PHI on your behalf must have a signed BAA, and those agreements must be reviewed and updated regularly.

HIPAA Penalty Tiers

HIPAA penalties follow a tiered structure based on the level of culpability. Understanding these tiers helps organizations appreciate the financial risk of noncompliance.

Tier 1 applies when the covered entity was unaware of the violation and could not have reasonably avoided it. Penalties range from $137 to $68,928 per violation, with an annual maximum of $2,067,813.

Tier 2 applies when the violation was due to reasonable cause rather than willful neglect. Penalties range from $1,379 to $68,928 per violation, with the same annual maximum.

Tier 3 applies when the violation resulted from willful neglect that was corrected within 30 days. Penalties range from $13,785 to $68,928 per violation.

Tier 4 is the most severe and applies when the violation resulted from willful neglect that was not corrected within 30 days. Penalties range from $68,928 to $2,067,813 per violation, with an annual maximum of $2,067,813 per violation category.

It is important to note that each record affected can constitute a separate violation. A breach affecting 10,000 records at Tier 4 represents a theoretical maximum exposure of over $20 billion. While actual penalties never reach theoretical maximums, the per-record calculation explains how settlements routinely reach millions of dollars.

Voluntary Compliance vs. Investigated Violations

OCR enforcement actions originate from two primary sources. Complaint-driven investigations begin when individuals file complaints about potential HIPAA violations. Compliance reviews are initiated by OCR based on breach reports, audit findings, or targeted enforcement priorities.

Organizations that self-identify violations and voluntarily report them consistently receive more favorable treatment. Self-reporting demonstrates good faith and organizational maturity. It also gives the organization control over the narrative and the remediation timeline. Organizations that are discovered through complaints or breach investigations face a more adversarial process and typically receive higher penalties.

This is precisely why regular self-audits matter. When you conduct internal assessments, you have the opportunity to identify and correct violations before OCR finds them. Our platform ComplianceArmor provides healthcare organizations with the documentation framework to conduct thorough self-assessments, track remediation efforts, and maintain the evidence trail that demonstrates ongoing compliance to investigators.

How to Avoid HIPAA Violations

Prevention is not complicated. It requires consistent execution of fundamental practices that many organizations know they should follow but fail to prioritize until enforcement action forces their hand.

Conduct annual risk assessments. Not a checklist. Not a questionnaire. A genuine, enterprise-wide evaluation of how ePHI flows through your organization, where it is stored, who has access, and what could go wrong. Document everything.

Encrypt everything. Every device, every transmission, every backup. Use AES-256 encryption at rest and TLS 1.2 or higher in transit. Eliminate unencrypted portable media entirely from your environment.

Implement and enforce access controls. Apply the principle of least privilege. Every user should have access to only the PHI they need to perform their specific job function. Review access rights quarterly and revoke access immediately when roles change or employment ends.

Train your workforce. Annual HIPAA training is the minimum. Regular phishing simulations, role-specific training for staff who handle PHI, and documented training records are essential. Craig Petronella discusses these workforce security fundamentals regularly on the Encrypted Ambition podcast, providing practical guidance that translates directly to organizational security programs.

Deploy audit logging and monitoring. Log every access to systems containing PHI. Review logs regularly using automated tools that flag anomalous access patterns. When you detect a potential issue, investigate it immediately and document your findings.

Manage your business associates. Inventory every vendor that touches PHI, ensure BAAs are current and comprehensive, and include the right to audit in your agreements. Your compliance is only as strong as the weakest link in your vendor chain.

Prepare for breaches. Develop and test your incident response plan. Define who makes decisions, who handles notifications, who manages communications, and how you preserve evidence. Time lost figuring out what to do after a breach is time that counts against your 60-day notification window.
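The audit logging recommendation above, and the Memorial Healthcare insider case earlier in the guide, both come down to the same question: can you flag an account that is browsing charts it has no business reason to open? The following is an added illustration written for this page, not code from Petronella Technology Group or ComplianceArmor. It assumes a newline-delimited JSON audit log with hypothetical field names (user, role, patient_id, ts); the log lines and thresholds are constructed sample values.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): one JSON event per line.
# clerk07 opens six unrelated charts in eight minutes; nurse01 views a chart at 02:30.
SAMPLE_LOG = """\
{"user": "nurse01", "role": "nurse", "patient_id": "P-100", "ts": "2024-03-04T09:05:00"}
{"user": "nurse01", "role": "nurse", "patient_id": "P-101", "ts": "2024-03-04T09:40:00"}
{"user": "clerk07", "role": "billing", "patient_id": "P-200", "ts": "2024-03-04T10:00:00"}
{"user": "clerk07", "role": "billing", "patient_id": "P-201", "ts": "2024-03-04T10:02:00"}
{"user": "clerk07", "role": "billing", "patient_id": "P-202", "ts": "2024-03-04T10:03:00"}
{"user": "clerk07", "role": "billing", "patient_id": "P-203", "ts": "2024-03-04T10:05:00"}
{"user": "clerk07", "role": "billing", "patient_id": "P-204", "ts": "2024-03-04T10:06:00"}
{"user": "clerk07", "role": "billing", "patient_id": "P-205", "ts": "2024-03-04T10:08:00"}
{"user": "nurse01", "role": "nurse", "patient_id": "P-102", "ts": "2024-03-05T02:30:00"}
"""

# Hypothetical policy thresholds; an organization would tune these to its own baseline.
MAX_DISTINCT_PATIENTS = 5            # distinct charts one account may open per window
WINDOW = timedelta(hours=1)
BUSINESS_HOURS = {"billing": (8, 18), "nurse": (6, 22)}  # expected hours per role


def parse_events(text):
    """Parse newline-delimited JSON audit events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])


def detect_anomalies(events):
    """Return (rule, user, detail) findings that a privacy officer should review."""
    findings = []
    recent = defaultdict(deque)  # user -> (ts, patient_id) events inside the window
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        # Rule 1: one account opening many distinct charts in a short window,
        # the pattern behind the Memorial Healthcare unauthorized-access case.
        q = recent[user]
        q.append((ts, ev["patient_id"]))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        distinct = {pid for _, pid in q}
        if len(distinct) > MAX_DISTINCT_PATIENTS:
            findings.append(("volume", user, f"{len(distinct)} patients in {WINDOW}"))
            q.clear()  # report each burst once, then start counting again
        # Rule 2: access outside the hours expected for the account's role.
        start, end = BUSINESS_HOURS.get(ev["role"], (0, 24))
        if not start <= ts.hour < end:
            findings.append(("after_hours", user, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(parse_events(SAMPLE_LOG)):
        print(f"REVIEW {rule:12s} user={user} {detail}")
```

Each finding is a lead for a documented investigation, which is the evidence trail OCR asks for; the thresholds are deliberately simple so the logic can be read end to end.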

The Self-Audit Imperative

Every enforcement action described in this guide shares a common thread: the violations existed for months or years before they were discovered, and in most cases the organizations had the resources to identify and fix them. What they lacked was not money or technology but a systematic approach to finding their own weaknesses before regulators or attackers did.

Self-auditing is not a luxury. It is the most cost-effective compliance strategy available. The expense of a thorough annual self-audit is measured in thousands of dollars. The cost of an OCR enforcement action is measured in millions. Beyond the direct financial penalties, enforcement actions carry reputational damage, mandatory corrective action plans with years of external monitoring, and the operational disruption that comes with having federal investigators examining every aspect of your compliance program.

With over 23 years of experience serving healthcare organizations, we help our clients build compliance programs that withstand scrutiny. Our managed IT services include continuous monitoring, regular assessments, and the kind of proactive management that prevents the conditions that lead to violations. If your organization handles PHI and you are not confident in your current compliance posture, the time to act is before OCR comes calling. Contact our team to start the conversation.

Craig Petronella
CEO & Founder, Petronella Technology Group | CMMC Registered Practitioner

Craig Petronella is a cybersecurity expert with over 24 years of experience protecting businesses from cyber threats. As founder of Petronella Technology Group, he has helped over 2,500 organizations strengthen their security posture, achieve compliance, and respond to incidents.
