The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for safeguarding sensitive patient information. When covered entities and business associates fail to comply, the consequences can be severe, ranging from hefty financial penalties to reputational damage and legal action.
Let’s explore some recent HIPAA violation cases that showcase the high stakes of non-compliance and what we can learn from them.
HIPAA’s Privacy, Security, and Breach Notification Rules set specific standards for handling protected health information (PHI). Covered entities, including healthcare providers, health plans, and healthcare clearinghouses, and their business associates are legally obligated to keep PHI confidential and secure. Peter F. Edemekong et al., in a study titled "Health Insurance Portability and Accountability Act (HIPAA) Compliance," identified the goals of HIPAA as:
HIPAA violations can result in civil monetary penalties ranging from $141 to $571,162 per violation, with an annual maximum of $2,067,813. The severity of the penalty depends on the level of negligence involved. The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed millions of dollars in fines over the years.
In cases involving willful neglect, especially when violations are not corrected promptly, criminal charges may also be filed. Individuals, such as employees who access patient records without authorization, can face fines and jail time. For example:
While HIPAA itself does not provide a private right of action, individuals affected by data breaches may pursue legal recourse under state laws. Class-action lawsuits can result in substantial settlements or judgments against the offending organization.
An example of this is the breach of New York University's website by a hacker, which exposed the personal data of more than three million applicants, with records dating back to 1989. The breach resulted in ten class-action lawsuits filed by affected individuals, who alleged negligence, insufficient cybersecurity measures, excessive data retention, and inadequate notification.
Go deeper: NYU faces 10 lawsuits after breach exposes over 3 million applicants' data
A breach of patient data can result in financial penalties and can also erode patient trust in healthcare providers. According to a survey by TransUnion Healthcare, 65% of patients said they would consider changing healthcare providers if their personal health information were compromised in a data breach. This sentiment is particularly strong among younger patients: 73% of individuals aged 18–34 expressed willingness to switch providers under such circumstances.
Read more: What is the reputational damage caused by a data breach?
Given these risks, understanding real-world violations can be a powerful way to reinforce best practices.
What happened: In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a ransomware attack attributed to the Russian group BlackCat. The breach potentially exposed private data of about one-third of the U.S. population, including health insurance member IDs, patient diagnoses, treatment information, Social Security numbers, and billing codes.
Outcome: UnitedHealth paid $22 million in Bitcoin to retrieve the data. The company began notifying affected individuals in June and offered two years of free credit monitoring. The breach disrupted operations, preventing providers from collecting payments and affecting patient services, including prescription processing.
Lessons learned:
Read more: Going deeper: The Change Healthcare attack
What happened: In late January 2024, Lurie Children’s Hospital experienced a major cyberattack that compromised the personal and medical information of approximately 790,000 individuals. The breach occurred between January 26 and 31, during which cybercriminals had unauthorized access to the hospital’s systems.
Outcome: The hospital faces multiple class-action lawsuits alleging negligence in data security and delayed notification of affected individuals. The outcomes of these lawsuits have not yet been publicly disclosed.
Lessons learned:
Go deeper: Cyberattack strikes Chicago children's hospital, exposing data of over 790,000
What happened: Banner Health, one of the largest nonprofit health systems in the U.S., suffered a ransomware attack in 2016 that affected 2.9 million individuals. Although the breach occurred years earlier, the investigation concluded in 2023 with a $1.25 million settlement.
Findings: OCR determined that Banner Health had failed to conduct an accurate and thorough risk assessment and lacked the monitoring tools needed to detect unauthorized access.
Lessons learned:
What happened: Yakima Valley Memorial Hospital in Washington agreed to a $240,000 settlement after an OCR investigation revealed that 23 security guards had accessed patient records without authorization over several years.
Findings: The hospital had failed to implement adequate audit controls and did not take timely corrective action once the unauthorized access was discovered.
Lessons learned:
Read more: Hospital security guards' snooping in medical records leads to $240,000 HIPAA settlement
While the specifics differ, these cases highlight several recurring compliance failures:
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
HIPAA applies to covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.
Read more: Who needs to be HIPAA compliant?
Examples include accessing patient records without authorization, failing to encrypt PHI, losing unencrypted devices that contain PHI, and not giving patients access to their own records within the required timeframe.
Read more: Understanding HIPAA violations and breaches
Organizations must follow the Breach Notification Rule, which includes: