Whether the result of an innocent mistake or something more malicious, being caught with a HIPAA violation can bring massive financial penalties. Fines and settlements routinely run into the mid-six figures and on several occasions have cost medical providers millions of dollars. Here are some of the largest HIPAA fines ever levied.
Affinity Health Plan
Penalty: $1.2 Million
At the center of a 2010 HIPAA complaint against Affinity, a managed care company based in New York, was a data leak stemming from PHI left on a copier that had been leased by the company and subsequently sold to a CBS affiliate. The discovery was made during an investigative report in which reporters purchased the copiers and had them examined by an outside firm. The firm ultimately found the private data of 344,557 individuals on the copier's hard drive.
Blue Cross Blue Shield
Penalty: $1.5 Million
Following the theft of 57 hard drives containing the private information of roughly a million members, the company was fined for failing to physically secure the hard drives and for not encrypting the files on them. The data included Social Security numbers and diagnosis codes. In addition to the fine, Blue Cross would end up paying over 17 million dollars on investigations, notifying victims, settlements and installing encryption software.
WellPoint
Penalty: $1.7 Million
WellPoint, one of the largest health insurers in the country, was fined after exposing the PHI of over 600,000 of its customers by way of a security loophole in one of its online portals. WellPoint launched an investigation following a 2010 lawsuit filed by a California applicant. OCR found that WellPoint failed to "enact appropriate administrative, technical and physical safeguards for data."
Alaska Department of Health and Social Services
Penalty: $1.7 Million
Not even state agencies are immune to the wrath of HIPAA. The Alaska DHSS filed a breach report (as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act) following the loss of a USB hard drive containing the PHI of nearly 2,000 individuals. According to the investigation, the Alaska DHSS not only failed to secure the hard drive but was also negligent in a number of other areas, including failing to perform risk analyses and failing to train its workforce to properly handle sensitive patient information.
CVS
Penalty: $2.25 Million
CVS, one of the largest pharmacy chains in the country, paid 2.25 million in HIPAA fines after investigations by a number of federal organizations, including Health and Human Services and the Fair Trade Commission, found that workers were improperly disposing of materials containing PHI. The investigation stemmed from a 2006 media report showing employees throwing prescription drug bottles and pharmacy drug orders that contained private patient information into open dumpsters. In addition, CVS entered a three-year CAP agreement.
Stanford Hospitals and Clinics
Penalty: $4 Million
Stanford found itself in violation of HIPAA law by way of the negligence of its subcontractors. The contractor in question exposed the private information of nearly 20,000 patients treated at Stanford's hospitals for roughly a year. In addition to the fine, Stanford also settled a class action lawsuit for an additional 3 million. Because the majority of fault fell with two of Stanford's subcontractors the majority of the fines.
Cignet Health
Penalty: $4.3 Million
File this one under the malicious category. Cignet Health was found in violation of HIPAA regulations for failing to provide patients with their health records and for refusing to cooperate with federal authorities to resolve the complaint. According to Health and Human Services, Cignet failed to get 41 patients their medical records within the allotted 30-60 days between 2008 and 2009. The fine included a 1.3 million civil money penalty, the first one levied as part of a HIPAA fine.
As we have said before, even the smallest HIPAA violation can be devastating to a medical practice or business. More importantly, data breaches can result in thousands of stolen identities. Employing safeguards like Paubox and other encryption tools to protect your clients' sensitive data is key to running a successful healthcare practice: it avoids fines and lets patients feel safe.