3 HIPAA cases with the biggest fines! Check out these recent cases

When it comes to HIPAA, there have been quite a few violations in recent years that have led to many millions of dollars worth of fines being brought down onto unsuspecting companies. Whether it has been phishing schemes, ransomware attacks, or data breaches, all have led to major fines based on the violation of HIPAA laws. 

If you are curious about the most considerable HIPAA fines to date, as well as which HIPAA laws were broken that led to such fines, then you have come to the right place. 

Let’s break down the fines and then go over some of the most common infractions that take place when it comes to HIPAA law.

Advocate Health System

Amount: $5.55 million

The first HIPAA violation that we will discuss is also the largest. It began the way many other HIPAA violations seem to begin: stolen computers. In July 2013, four computers were stolen that held the records of nearly four million patients. In the end, 195,000 records were breached, which at the time was the largest ever.

While the dollar amount of fines connected to this incident is still the largest, the number of records breached is no longer the largest ever; that record is now held by the infamous Anthem Data Breach, which breached 78 million total records.

Memorial Healthcare Systems

Amount: $5.5 million 

This historically massive breach began with the discovery that employees and staff had not only been accessing PHI (Protected Health Information) without necessary authorization but also using that data to file fraudulent tax returns. Investigation into the case led to the shocking discovery that the patients’ private and protected records were being accessed as far back as 2011 (the settlement took place in 2017). Of course, there had been several rules, laws, and regulations in place that could have stopped this and protected the patients who fell victim, but there had been a catastrophic failure to correctly implement and enforce those HIPAA laws.

One thing that is interesting to note in this case is that it is widely believed that the HIPAA fine could have ultimately been a whole lot larger. In the end, MHS settled and got off easy. If they had not gotten off easy, they could have faced a $1.5 million fine per violation per year. It could have easily been the largest fine ever if the United States Department of Health and Services had applied those rules, as there were eventually found to be several violations going back over five years at the time of the final assessment. 

New York-Presbyterian Hospital and Columbia University

Amount: $4.8 million

When this took place in September 2010, this was the largest fine for violation of HIPAA law of all time. The case began when someone complained to the hospital after finding their deceased partner’s confidential PHI on the internet.

By the time the case was over, it had been discovered that the breach was caused when a physician who had been hired at Columbia University attempted to deactivate a personally-owned computer server on the network. Ultimately, it resulted in ePHI of 6800 research subjects showing up on Google.

On top of all that, the hospital itself was handed down another HIPAA fine, which was due to their decision to allow a film crew to record a dying patient and another patient in pain. 

Most common HIPAA violations

Now that you know the three most expensive cases of violations of HIPAA law in history, you may also be interested in learning about the most commonly broken HIPAA laws. Here is a list that combines some of the most common violations that can lead to fines, lawsuits, destruction of company reputation, and more.

Keeping unsecured records

One of the most common violations out there is when employees do not take the necessary steps to ensure that the records kept on a company’s server are adequately secured. As part of every employee’s training, it should be abundantly clear that they should always be keeping documents with PHI in a secure location.

Of course, this applies both to documents in paper form and to documents that are held online or on the cloud.


While we always like to believe that a case of hacking could never happen to us, it is, in fact, becoming more and more common for companies and individuals to fall victim to it. Companies should never forget that people out there would like to use PHI for malicious purposes. Because medical information contains some of the most crucial personal information of a person, it can be very valuable in the hands of hackers, though for all the wrong reasons.

Thus, companies in the healthcare and medical industries must ensure that they have top-notch antivirus programs and keep them updated and running on all of their devices that have ePHI or are connected to servers that do. 

Loss or theft of devices

Finally, another widespread violation of HIPAA laws occurs when devices with access to ePHI are lost or stolen and end up in the wrong hands. One way to ensure that the most private information is safe even if the device ends up in the wrong hands is to make sure that all of the information is encrypted and only accessible with the encryption key. That way, even if the device is stolen, no one without that key will be able to access it.


Without a doubt, companies that violate HIPAA laws come to regret it in significant ways. Whether it is paying out massive lawsuit settlements, dealing with fines, or seeing their company’s reputation crumble, it can be a big issue that everyone should do everything they can to avoid.