List of Federal and State Actions Based on Data Breaches and other Privacy Violations

Since the passage of the HITECH Act in 2009, both the Office for Civil Rights (OCR), the primary regulator of HIPAA, and state attorneys general have become more aggressive in enforcing the healthcare privacy rights of individuals. Similarly, the Federal Trade Commission (FTC) has become more aggressive in enforcing the privacy rights of all consumers.

This page is meant to serve as a resource to:
  • anyone interested in learning more about the actions that have been taken by regulators against companies who have lost or otherwise misused the information entrusted to them.
  • businesses who want to better understand their role and responsibilities in protecting consumer or client information and the types of incidents that may lead to action by regulators.

We have also included a selected list of data breach class action litigation (with settlement details where applicable), as well as other private actions in which the privacy and security of PHI, ePHI, or other private information was at issue.

If you are aware of an incident that you do not see listed here, please contact us!


Actions based on the Health Insurance Portability and Accountability Act (HIPAA)

Each entry below lists who took the action, who it was taken against, the incident or problematic activity, the incident date, the date of action, the grounds for action, the fine amount, and the resolution and remediation.

  • Cignet Health
    • Action by: OCR
    • Action against: Cignet Health
    • Incident / problematic activity: Denying patients access to medical records
    • Incident date: Prior to 3/1/2009
    • Grounds for action: Violation of the Privacy Rule; willful neglect under the HITECH Act
    • Fine: $4.3 M
    • Resolution and remediation: 2/4/2011 (not a settlement); OCR filed suit with the District Court; Notice of Final Determination
  • General Hospital Corp. & Physicians Org
    • Action by: OCR
    • Action against: General Hospital Corp. & Physicians Org
    • Incident / problematic activity: Left documents on subway
    • Incident date: 3/9/2009
    • Grounds for action: Violation of the Privacy Rule
    • Fine: $1 M
    • Resolution and remediation: Settled 2/14/2011; Resolution Agreement
  • UCLA Health System
    • Action by: OCR
    • Action against: UCLA Health System
    • Incident / problematic activity: Workers snooping on celebrity patients
    • Incident date: Prior to 6/5/2009
    • Grounds for action: Violation of the Privacy and Security Rules
    • Fine: $865,500
    • Resolution and remediation: Settled 7/5/2011; Resolution Agreement
  • Blue Cross Blue Shield TN
    • Action by: OCR
    • Action against: Blue Cross Blue Shield TN
    • Incident / problematic activity: Unencrypted hard drives stolen from a leased facility
    • Incident date: Prior to 11/3/2009 (self reported)
    • Grounds for action: Violation of the Privacy and Security Rules
    • Fine: $1.5 M
    • Resolution and remediation: Settled 3/13/2012; Resolution Agreement
  • Phoenix Cardiac Surgery, P.C.
    • Action by: OCR
    • Action against: Phoenix Cardiac Surgery, P.C.
    • Incident / problematic activity: Posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible
    • Incident date: Prior to 2/19/2009
    • Date of action: OCR notified Phoenix on 2/19/2009 that it would be investigating
    • Grounds for action: Violation of the Privacy and Security Rules
    • Fine: $100K
    • Resolution and remediation: Settled 4/13/2012; Resolution Agreement
  • Alaska Department of Health and Human Services (DHSS)
    • Action by: OCR
    • Action against: Alaska Department of Health and Human Services
    • Incident / problematic activity: Portable electronic storage device potentially containing ePHI was stolen from the vehicle of a DHSS computer tech
    • Incident date: Oct. 12, 2009; self report (notified OCR on Oct. 30, 2009)
    • Date of action: OCR notified DHSS on 1/8/2010 that it would be investigating
    • Grounds for action: Violation of the Security Rule
    • Fine: $1.7M
    • Resolution and remediation: Settled 6/25/2012; Resolution Agreement
  • Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, "MEEI")
    • Action by: OCR
    • Action against: MEEI
    • Incident / problematic activity: Theft of an unencrypted personal laptop containing the ePHI of MEEI patients and research subjects. (According to reports from Data Breach Today, "OCR launched its investigation of the Massachusetts hospital after it reported the February 2010 theft of a laptop computer belonging to neurologist Robert Levine, M.D., who was traveling in South Korea for a lecture.")
    • Incident date: Prior to 4/21/2010 (the self-report date)
    • Date of action: OCR notified MEEI on 10/5/2010 that it would be investigating
    • Grounds for action: Violation of the Privacy and Security Rules
    • Fine: $1.5M
    • Resolution and remediation: Settled 9/17/2012 (announcement date); Resolution Agreement
  • Hospice of Northern Idaho (HONI) (first settlement involving fewer than 500 patients)
    • Action by: OCR
    • Action against: Hospice of Northern Idaho
    • Incident / problematic activity: Theft of a laptop containing the ePHI of 441 individuals
    • Incident date: Prior to 2/16/2011 (the self-report date)
    • Date of action: OCR notified HONI on 7/22/2011 that it would be investigating
    • Grounds for action: Violation of the Security Rule
    • Fine: $50K
    • Resolution and remediation: Settled 12/28/2012; Resolution Agreement
  • Idaho State University
    • Action by: OCR
    • Fine: $400K
  • Shasta Regional Medical Center
    • Action by: OCR
    • Fine: $275K
  • WellPoint Inc.
    • Action by: OCR
    • Fine: $1.7M
  • Affinity Health Plan, Inc.
    • Action by: OCR
    • Fine: $1,215,780
  • Adult & Pediatric Dermatology, P.C.
    • Action by: OCR
    • Fine: $150K
  • Skagit County, Washington
    • Action by: OCR
    • Fine: $215K
  • Concentra Health Services
    • Action by: OCR
    • Action against: Concentra Health Services
    • Incident / problematic activity: Unencrypted laptop stolen from one of the company's facilities (Springfield Missouri Physical Therapy Center)
    • Incident date: 11/30/2011; notified OCR on 12/28/2011
    • Date of action: OCR notified Concentra on 5/31/2012 that it would be investigating
    • Grounds for action: Violation of the Privacy and Security Rules
    • Fine: $1,725,220
    • Resolution and remediation: Settled 4/21/2014; Resolution Agreement
  • QCA Health Plan, Inc. of Arkansas
    • Action by: OCR
    • Action against: QCA Health Plan, Inc. of Arkansas
    • Incident / problematic activity: Unencrypted laptop computer containing the ePHI of 148 individuals stolen from a workforce member's car
    • Incident date: Prior to 2/21/2012; notified OCR on 2/21/2012
    • Date of action: OCR notified QCA on 5/3/2012 that it would be investigating
    • Grounds for action: Violation of the Privacy and Security Rules
    • Fine: $250K
    • Resolution and remediation: Settled 4/14/2014; Resolution Agreement
  • New York and Presbyterian Hospital (NYP) and Columbia University (CU)
    • Action by: OCR
    • Action against: NYP and CU, separate covered entities that participate in a joint arrangement and refer to their affiliation as "New York Presbyterian Hospital/Columbia University Medical Center"
    • Incident / problematic activity: Breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing the ePHI of 6,800 NYP patients. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet.
    • Incident date: Prior to 9/10/2010; notified OCR on 9/27/2014
    • Date of action: OCR notified the entities on 11/5/2010 that it would be investigating
    • Grounds for action: Violation of the Privacy and Security Rules (for details, see blog post)
    • Fine: NYP: $3,000,000; CU: $1,500,000
    • Resolution and remediation: Settled (announced on 5/8/2014); Resolution Agreement with NYP; Resolution Agreement with CU
  • Parkview Health System, Inc.
    • Action by: OCR
    • Action against: Parkview Health System, Inc.
    • Incident / problematic activity: Medical records dumping. In Sept. 2008, Parkview took custody of medical records for approx. 5,000 to 8,000 patients while assisting a retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician's practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.
    • Incident date: June 4, 2009; the doctor filed a report with OCR on 6/10/2009
    • Date of action: OCR began its investigation on 5/16/2011
    • Grounds for action: Violation of the Privacy Rule
    • Fine: $800,000
    • Resolution and remediation: Settled (announced on 6/23/2014); Resolution Agreement
  • Anchorage Community Mental Health Services (ACMHS)
    • Action by: OCR
    • Action against: Anchorage Community Mental Health Services
    • Incident / problematic activity: "[B]reach of unsecured electronic protected health information (e-PHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources."
    • Incident date: 3/2/2012 (self report date)
    • Date of action: OCR notified ACMHS on 6/2/2012 that it would be investigating
    • Grounds for action: Violation of the Security Rule (for details, see blog post)
    • Fine: $150K
    • Resolution and remediation: Settled 12/2/2014; Resolution Agreement
  • Cornell Prescription Pharmacy
    • Action by: OCR
    • Action against: Cornell Prescription Pharmacy
    • Incident / problematic activity: Improper disposal of paper records (throwing them into a regular trash bin)
    • Incident date: Prior to 1/11/2012 (learned of through a media report)
    • Date of action: OCR notified Cornell on 1/13/2012 that it would be investigating
    • Grounds for action: Violation of the Security Rule
    • Fine: $125K
    • Resolution and remediation: Settled 4/22/2015; Resolution Agreement


Action by the FTC under its Section 5 Authority

Actions based on State Law
  • Tabata v. Charleston Area Medical Center, Inc., Decision No. 13-0766, Civil Action No. 11-C-524 (Supreme Court of Appeals of West Virginia, May 28, 2014) (the Supreme Court of Appeals is the name of West Virginia's highest court)
    • Jurisdiction: West Virginia
    • Action against: Charleston Area Medical Center, Inc. and CAMC Health Education and Research Institute, Inc. (collectively, CAMC)
    • Action stems from: Data breach when a database operated by CAMC was placed online and the information could be found "if someone were to conduct an advanced internet search." The database "contained the names, contact details, Social Security numbers, and dates of birth of 3,655 patients, along with certain basic respiratory care information."
    • Causes of action: (1) breach of duty of confidentiality; (2) invasion of privacy – intrusion upon the seclusion of the petitioners; (3) invasion of privacy – unreasonable publicity into the petitioners’ private lives; and (4) negligence. Also filed a motion for class certification pursuant to W.Va. RCP 23.
    • Injuries claimed: Increased risk of identity theft and/or fraud, etc.
    • While discovery revealed that the plaintiffs were not aware of any unauthorized or malicious uses
  • State of California v. Kaiser Foundation Health Plan, Case No. RG14711370 (Sup. Ct. Cal. Jan. 2014)
    • California Attorney General lawsuit stemming from allegedly delayed notification in a data breach.


Selected Data Breach and Privacy Class Actions

  • See also the Tabata v. Charleston Area Medical Center, Inc. case noted above in the State Action section
  • Vides v. Advocate Health & Hosps. Corp., Ill. Cir. Ct., No. 13-ch-2701 (2014)
    • Case dismissed on May 27, 2014 (copy of Decision) on a number of grounds, including lack of standing (citing Clapper v. Amnesty Intern'l USA, 133 S.Ct. 1138 (2012)) and failure to state a claim (because the plaintiffs could not demonstrate damages)
    • Jurisdiction: Illinois
    • Action against: Advocate Health and Hospitals Corporation d/b/a Advocate Medical Group (i.e., the covered entities) ("Advocate is a network of affiliated doctors and hospitals that systematically and regularly conduct business in and throughout Lake County Illinois.")
    • Action stems from: Data breach where four (4) unencrypted laptops containing patients' names, addresses, dates of birth, Social Security numbers, treating physician and/or departments for each individual, their medical diagnoses, medical record numbers, medical service codes, and health insurance information were stolen from one of Advocate's facilities
    • Causes of action: (1) Negligence; (2) Violation of Consumer Fraud and Deceptive Business Practices Act; (3) Invasion of Privacy by Public Disclosure of Private Facts; (4) Consumer Fraud Act; (5) Intentional Infliction of Emotional Distress; and (6) Injunctive Relief
    • Injuries claimed: Increased risk of identity theft and/or fraud, out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or fraud, time lost mitigating the increased risk of identity theft and/or fraud, loss of privacy, and anxiety and emotional distress
  • Springer v. Stanford Hospital and Clinics, Cal. Super. Ct., No. BC470522 (2014)
    • Settlement filed 3/13/14 (copy of Complaint)
    • Settlement terms:
      • $3.3M paid by the business associate and subcontractor (see below) to affected patients (of which $1.3M is for attorneys' fees to three law firms)
      • $500,000 paid by SHC to fund "the creation of an educational project aimed at helping to reinforce new federal regulations issued in 2013 that hold vendors directly responsible for privacy breaches" (BNA 23 HLR 440)
      • $250,000 paid by SHC to cover the administrative costs of the settlement
    • Jurisdiction: California
    • Action against: Stanford Hospital & Clinics (SHC) and two business associates of SHC: Multi-Specialty Collection Services LLC (MSCS) and an MSCS contractor, Corcino & Associates (i.e., a subcontractor of a business associate)
    • Action stems from: Data breach where data from the emergency room visits of about 20,000 patients was left online and accessible to everyone for almost a year. An individual from the subcontractor posted live data to a homework help website in an effort to get assistance with creating a graph. The action was based on California's Confidentiality of Medical Information Act.