

Case studies: HIPAA violations and their consequences


The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for safeguarding sensitive patient information. When covered entities and business associates fail to comply, the consequences can be severe, ranging from hefty financial penalties to reputational damage and legal action.

Let’s explore some recent HIPAA violation cases that showcase the high stakes of non-compliance and what we can learn from them.


Why HIPAA compliance matters

HIPAA’s Privacy, Security, and Breach Notification Rules set specific standards for handling protected health information (PHI). Covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates are legally obligated to keep PHI confidential and secure. Peter F. Edemekong et al., in a study titled Health Insurance Portability and Accountability Act (HIPAA) Compliance, identified the goals of HIPAA as:

  • To limit the use of PHI to individuals with a "need to know."
  • To impose penalties on those who fail to comply with confidentiality regulations.


Failure to comply can lead to…

Civil and criminal penalties

HIPAA violations can result in civil monetary penalties, ranging from $141 to $571,162 per violation, with an annual maximum of $2,067,813 for violations. The severity of the penalty depends on the level of negligence involved. The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed millions of dollars in fines over the years.

In cases involving willful neglect, especially when violations are not corrected promptly, criminal charges may also be filed. Individuals, such as employees who access patient records without authorization, can face fines and jail time. The civil penalty tiers are:

  • Tier 1 (Unknowing)
    • The covered entity was unaware and could not have reasonably known of the violation.
    • Penalty: $141 to $50,000 per violation
  • Tier 2 (Reasonable cause)
    • The violation was due to reasonable cause, not willful neglect.
    • Penalty: $1,412 to $56,903 per violation
  • Tier 3 (Willful neglect, corrected)
    • The violation was due to willful neglect but was corrected within the required time frame.
    • Penalty: $14,142 to $141,337 per violation
  • Tier 4 (Willful neglect, not corrected)
    • The violation was due to willful neglect and was not corrected in a timely manner.
    • Penalty: Up to $1.5 million annually per violation, with potential for criminal prosecution


Legal action from affected individuals

While HIPAA itself does not provide a private right of action, individuals affected by data breaches may pursue legal recourse under state laws. Class-action lawsuits can result in substantial settlements or judgments against the offending organization.

An example of this is the breach of New York University's website by a hacker, which exposed the personal data of over three million applicants dating back to 1989. The breach resulted in ten class-action lawsuits filed by affected individuals, who alleged negligence, insufficient cybersecurity measures, excessive data retention, and inadequate notification.

Go deeper: NYU faces 10 lawsuits after breach exposes over 3 million applicants' data


Reputational harm and loss of patient trust

A breach of patient data can result in financial penalties and also erode patient trust in healthcare providers. According to a survey by TransUnion Healthcare, 65% of patients indicated they would consider changing healthcare providers if their personal health information were compromised in a data breach. This sentiment is particularly strong among younger patients, with 73% of individuals aged 18–34 expressing willingness to switch providers under such circumstances.

Read more: What is the reputational damage caused by a data breach?

Given these risks, understanding real-world violations can be a powerful way to reinforce best practices.


Real-world examples


Change Healthcare

What happened: In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a ransomware attack attributed to the Russian group BlackCat. The breach potentially exposed private data of about one-third of the U.S. population, including health insurance member IDs, patient diagnoses, treatment information, Social Security numbers, and billing codes.

Outcome: UnitedHealth paid $22 million in Bitcoin to retrieve the data. The company began notifying affected individuals in June and offered two years of free credit monitoring. The breach disrupted operations, preventing providers from collecting payments and affecting patient services, including prescription processing.

Lessons learned:

  • Third-party vulnerabilities: Organizations must ensure that their partners and subsidiaries maintain robust cybersecurity measures.
  • Prompt notification: Timely communication with affected individuals and regulators is crucial to maintain trust and comply with legal obligations.

Read more: Going deeper: The Change Healthcare attack


Lurie Children’s Hospital

What happened: In late January 2024, Lurie Children’s Hospital experienced a major cyberattack that compromised the personal and medical information of approximately 790,000 individuals. The breach occurred between January 26–31, during which cybercriminals had unauthorized access to the hospital’s systems.

Outcome: The hospital faces multiple class-action lawsuits alleging negligence in data security and delayed notification of affected individuals. The outcomes of these lawsuits have not yet been publicly disclosed.

Lessons learned:

  • Timely notification is important: HIPAA mandates that affected individuals must be notified within 60 days of a breach. Delays, even if due to complex investigations, open organizations to legal risks and erode trust.
  • Legal and financial preparedness is a must: With the hospital facing several class-action lawsuits, this case is a reminder that HIPAA violations and data breaches can lead to costly legal consequences. Organizations should consider cyber insurance and legal counsel as part of their risk management strategy.

Go deeper: Cyberattack strikes Chicago children's hospital, exposing data of over 790,000


Banner Health

What happened: Banner Health, one of the largest nonprofit health systems in the U.S., suffered a ransomware attack in 2016 that affected 2.9 million individuals. Although the breach occurred years earlier, the investigation concluded in 2023 with a $1.25 million settlement.

Findings: The Office for Civil Rights (OCR) determined that Banner Health had failed to conduct an accurate and thorough risk assessment and lacked proper monitoring tools to detect unauthorized access.

Lessons learned:

  • Risk assessments are foundational: HIPAA mandates regular and comprehensive risk analyses. Skipping or delaying them creates vulnerabilities that hackers can exploit.
  • Incident response must be proactive: A robust breach response plan—including real-time detection and prompt mitigation—can reduce exposure and demonstrate due diligence.

Go deeper: HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking


Yakima Valley Memorial Hospital

What happened: Yakima Valley Memorial Hospital in Washington faced a $240,000 settlement after an OCR investigation revealed that 23 security guards had accessed patient records without authorization over several years.

Findings: The hospital failed to implement adequate audit controls or take timely corrective action when unauthorized access was discovered.

Lessons learned:

  • Access must be need-based: Role-based access controls ensure that employees can only view the information necessary for their job.
  • Audit trails matter: Recording who accessed which PHI, and when, lets an organization detect unauthorized viewing, act on it, and demonstrate HIPAA compliance. Without audit logs, improper access can go undetected for years.
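The two lessons above (need-based access and audit review) can be made concrete with a small check over an access log. The following is an added example, not code from Paubox or from any of the organizations discussed: the roles, permission table, care-team assignments and pipe-delimited audit records are all constructed for illustration. It enforces a need-to-know rule (a clinical role may only open records of patients on its care team; a role absent from the table, such as a security guard, has no PHI access at all) and then replays a log to flag every access that fails that rule, counting hits per user so that a repeat pattern like the one in the Yakima Valley case stands out from a single mis-click. The same check applies to the access-control and audit-log themes summarized later on this page.

```python
"""Need-to-know access check and audit-log review for PHI record access.

Added example (not Paubox code). The roles, policy, treatment
assignments and audit records below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed role policy: which PHI resource types each role may view.
# Roles absent from the table (e.g. "security_guard") get no PHI access.
ROLE_PERMISSIONS = {
    "clinician": {"chart", "diagnosis", "billing"},
    "billing_clerk": {"billing"},
    "nurse": {"chart"},
}

# Constructed treatment assignments: clinical roles may only open the
# records of patients currently on their care team (need to know).
CARE_TEAM = {
    "P1001": {"dr_lee", "nurse_kim"},
    "P1002": {"dr_patel"},
}

# Roles whose need to know is scoped by care-team assignment.
ASSIGNMENT_SCOPED_ROLES = {"clinician", "nurse"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime
    user: str
    role: str
    patient_id: str
    resource: str


def is_authorized(event: AccessEvent) -> bool:
    """True only if the role may view the resource type AND, for
    care-delivery roles, the user is on the patient's care team."""
    allowed = ROLE_PERMISSIONS.get(event.role, set())
    if event.resource not in allowed:
        return False
    if event.role in ASSIGNMENT_SCOPED_ROLES:
        return event.user in CARE_TEAM.get(event.patient_id, set())
    return True


def parse_audit_line(line: str) -> AccessEvent:
    """Parse one audit record in the constructed format
    timestamp|user|role|patient_id|resource."""
    ts, user, role, patient_id, resource = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), user, role, patient_id, resource)


def review_audit_log(lines):
    """Return (flagged_events, per_user_counts) for accesses that fail the
    need-to-know check. Repeated hits by one user are the pattern that
    separates systematic snooping from an isolated mistake."""
    flagged = [ev for ev in map(parse_audit_line, lines) if not is_authorized(ev)]
    counts = Counter(ev.user for ev in flagged)
    return flagged, counts


# Constructed sample audit records.
SAMPLE_LOG = [
    "2024-03-01T08:05:00|dr_lee|clinician|P1001|chart",            # ok: on care team
    "2024-03-01T08:07:00|nurse_kim|nurse|P1001|chart",             # ok
    "2024-03-01T09:12:00|dr_patel|clinician|P1001|diagnosis",      # not on P1001's team
    "2024-03-01T10:30:00|guard_01|security_guard|P1002|chart",     # role has no PHI access
    "2024-03-02T22:41:00|guard_01|security_guard|P1001|chart",     # same user again
    "2024-03-02T11:00:00|clerk_ann|billing_clerk|P1002|billing",   # ok: billing only
    "2024-03-02T11:02:00|clerk_ann|billing_clerk|P1002|diagnosis", # outside role scope
]

if __name__ == "__main__":
    flagged, counts = review_audit_log(SAMPLE_LOG)
    for ev in flagged:
        print(f"FLAG {ev.timestamp:%Y-%m-%d %H:%M} {ev.user:<10} {ev.role:<15} "
              f"patient={ev.patient_id} resource={ev.resource}")
    for user, n in counts.most_common():
        print(f"{user}: {n} out-of-scope access(es)")
```

Running the script flags four of the seven records (two of them by the same guard account), which is the kind of per-user tally a periodic audit review should surface. In a real deployment the permission table and care-team assignments would come from the EHR's identity and scheduling systems rather than being hard-coded, and the review would run on a schedule against the full audit store rather than on a handful of lines.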

Read more: Hospital security guards' snooping in medical records leads to $240,000 HIPAA settlement


Common themes across cases

While the specifics differ, these cases highlight several recurring compliance failures:

  • Inadequate risk assessments: Most penalties follow a failure to conduct, or act on, a thorough risk assessment. These assessments are required under HIPAA’s Security Rule and must be updated regularly.
  • Poor access controls: Whether physical or digital, access to PHI should be limited and monitored. Role-based access, audit logs, and access revocation protocols help minimize risk.
  • Human error or misconduct: A significant portion of HIPAA violations stems from employee actions, either accidental or intentional.
  • Lack of incident response planning: Organizations that were slow to respond to breaches often faced steeper penalties. A detailed incident response plan can help mitigate harm and demonstrate compliance efforts.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

Who must comply with HIPAA?

HIPAA applies to covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.

Read more: Who needs to be HIPAA compliant?


What is considered a HIPAA violation?

Examples include accessing patient records without authorization, failing to encrypt PHI, losing unencrypted devices containing PHI, or not providing patients with access to their own records within the required timeframe.

Read more: Understanding HIPAA violations and breaches


What should an organization do after a data breach?

Organizations must follow the Breach Notification Rule, which includes:

  • Notifying affected individuals within 60 days.
  • Informing the Department of Health and Human Services (HHS).
  • Notifying the media, in cases where the breach affects more than 500 individuals.
