Penalties for HIPAA violations can be issued by the Department of Health and Human Services' Office for Civil Rights (OCR) and by state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.

The Health Insurance Portability and Accountability Act of 1996 placed a variety of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly regulate when PHI can be disclosed, and to whom.


Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with the HIPAA Rules.

Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect on March 26, 2013.

Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearinghouses and all other covered entities, as well as business associates (BAs) of covered entities that are found to have violated the HIPAA Rules.

Financial penalties are intended to act as a deterrent to the violation of HIPAA laws, while also ensuring covered entities are held accountable for their actions – or lack of them – when it comes to protecting the privacy of patients and the confidentiality of health data, and providing patients with access to their health records on request.

The penalty structure for a violation of HIPAA laws is tiered, based on the knowledge a covered entity had of the violation. OCR sets the penalty based on a number of "general factors" and the seriousness of the HIPAA violation.

Ignorance of the HIPAA Rules is no excuse for failing to comply with them. It is the responsibility of each covered entity to ensure the HIPAA Rules are understood and followed. In cases where a covered entity is found to have committed a willful violation of HIPAA laws, the maximum fines apply.

What Constitutes a HIPAA Violation?

There is much talk of HIPAA violations in the media, but what constitutes a HIPAA violation? A HIPAA violation occurs when a HIPAA covered entity – or a business associate – fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.

A violation may be deliberate or unintentional. An example of an unintentional HIPAA violation is when too much PHI is disclosed and the minimum necessary information standard is violated. When PHI is disclosed, it must be limited to the minimum necessary information to achieve the purpose for which it is disclosed. Financial penalties for HIPAA violations can be issued for unintentional HIPAA violations, although the penalties will be at a lower rate than for willful violations of the HIPAA Rules.

An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications – a violation of the HIPAA Breach Notification Rule.

Many HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures.

Penalties for HIPAA violations can potentially be issued for all HIPAA violations, although OCR typically resolves most cases through voluntary compliance, issuing technical guidance, or accepting a covered entity's or business associate's plan to address the violations and change policies and procedures to prevent future violations from occurring. Financial penalties for HIPAA violations are reserved for the most serious violations of the HIPAA Rules.

What happens if you violate HIPAA? – HIPAA Violation Classifications

What happens if you violate HIPAA? That depends on the severity of the violation. OCR prefers to resolve HIPAA violations using non-punitive measures, such as voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.

The four categories used for the penalty structure are as follows:

Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by the HIPAA Rules
Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of the HIPAA Rules)
Tier 3: A violation suffered as a direct result of "willful neglect" of the HIPAA Rules, in cases where an attempt has been made to correct the violation
Tier 4: A violation of the HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

In the case of unknown violations, where the covered entity could not have been expected to avoid a data breach, it may seem unreasonable for a covered entity to be issued with a fine. OCR appreciates this, and has the discretion to waive a financial penalty. The penalty cannot be waived if the violation involved willful neglect of the Privacy, Security, or Breach Notification Rules.

HIPAA Violation Penalty Structure

Each category of violation carries a separate HIPAA penalty. It is up to OCR to determine a financial penalty within the appropriate range. OCR considers a number of factors when determining penalties, such as the length of time a violation was allowed to persist, the number of people affected, and the nature of the data exposed. An organization's willingness to assist with an OCR investigation is also taken into account. The general factors that can affect the level of financial penalty also include prior history, the organization's financial condition, and the level of harm caused by the violation.

Tier 1: Minimum fine of $100 per violation, up to $50,000
Tier 2: Minimum fine of $1,000 per violation, up to $50,000
Tier 3: Minimum fine of $10,000 per violation, up to $50,000
Tier 4: Minimum fine of $50,000 per violation

The above fines for HIPAA violations are those stipulated by the HITECH Act. It should be noted that these are adjusted annually to take inflation into account. The civil monetary penalties for 2018 and 2019, adjusted for inflation, are published by HHS in the Federal Register.

The HITECH Act increased the possible penalties for HIPAA violations to strengthen enforcement of HIPAA compliance and to give HIPAA covered entities a greater incentive to push forward with their compliance programs. OCR interpreted the text of the HITECH Act to mean that maximum and minimum penalties should be set in each of the four penalty tiers based on the level of culpability. However, there were some ambiguities with respect to the maximum possible annual fines in each of the violation tiers. OCR initially interpreted the HITECH requirements to mean that the maximum penalty in each violation category should be $1,500,000 per year for violations of an identical provision. In April 2019, OCR re-evaluated the HITECH Act text and interpreted the maximum fines differently. From April 2019 onward, the maximum fines that can be applied for violations of an identical provision in a calendar year differ in each penalty tier. The maximum fine per violation category, per year, is still $1,500,000 for a Tier 4 violation. The maximum annual fine has been reduced in each of the other tiers: $25,000 for Tier 1, $100,000 for Tier 2, and $250,000 for Tier 3.

A data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, in theory, be issued for any violation of the HIPAA Rules, however minor.

A fine may also be applied on a daily basis. For example, if a covered entity has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, OCR may decide to apply a penalty for each day that the covered entity has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients that have been refused access to their medical records.

Attorneys General Can Also Issue HIPAA Violation Fines

Since the introduction of the HITECH Act (Section 13410(e)(1)) in February 2009, state attorneys general have had the authority to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents and can file civil actions with the federal district courts. HIPAA violation fines can be issued up to a maximum of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.

A covered entity experiencing a data breach affecting residents in multiple states may be ordered to pay HIPAA violation fines to attorneys general in multiple states. At present only a few U.S. states – Connecticut, Massachusetts, Indiana, Vermont, and Minnesota – have so far taken action against HIPAA offenders, but because attorneys general offices are able to retain a portion of the fines issued, more attorneys general may decide to issue penalties for HIPAA violations.

Can HIPAA Violations Be Criminal?

When a HIPAA-covered entity or business associate violates the HIPAA Rules, civil penalties can be imposed. When healthcare professionals violate HIPAA, it is usually their employer that receives the penalty, but not always. If healthcare professionals knowingly obtain or use protected health information for reasons that are not permitted by the HIPAA Privacy Rule, they may be found to be criminally liable for the HIPAA violation under the criminal enforcement provision of the Administrative Simplification subtitle of HIPAA.

Criminal HIPAA violations are prosecuted by the Department of Justice, which is increasingly taking action against individuals who have knowingly violated the HIPAA Rules. There have been several cases that have resulted in substantial fines and prison sentences.

Criminal HIPAA violations include theft of patient information for financial gain and wrongful disclosures with intent to cause harm. A lack of understanding of HIPAA requirements may not be a valid defense. When an individual "knowingly" violates HIPAA, knowingly means that they have some knowledge of the facts that constitute the offense, not that they definitely know that they are violating the HIPAA Rules.

Criminal Penalties for HIPAA Violations

Criminal penalties for HIPAA violations are divided into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each individual case. As with OCR, a number of general factors are considered which will affect the penalty issued. If an individual has profited from the theft, access, or disclosure of PHI, it may be necessary for all moneys received to be refunded, in addition to the payment of a fine.

The tiers of criminal penalties for HIPAA violations are:

Tier 1: Reasonable cause or no knowledge of violation – up to 1 year in jail

Tier 2: Obtaining PHI under false pretenses – up to 5 years in jail

Tier 3: Obtaining PHI for personal gain or with malicious intent – up to 10 years in jail

In recent months, the number of employees found to be accessing or stealing PHI – for various reasons – has increased. The value of PHI on the black market is considerable, and this can be a big temptation for some individuals. It is therefore essential that controls are put in place to limit the opportunity for individuals to steal patient data, and for systems and policies to be put in place to ensure improper access and theft of PHI is identified promptly.

All staff likely to come into contact with PHI as part of their work duties should be informed of the HIPAA criminal penalties and that violations will not only result in loss of employment, but potentially also a lengthy jail term and a heavy fine.

State attorneys general are cracking down on data theft and are keen to make examples of individuals found to have violated the HIPAA Privacy Rule. A jail term for the theft of HIPAA data is therefore highly likely.

Convictions and Jail Time for HIPAA Violations

Florida Medical Clinic Worker Sentenced to 48 Months in Jail over Theft of PHI

3-Year Jail Term for VA Employee Who Stole Patient Data

Former New York Dental Practice Receptionist Sentenced to 2-6 Years for HIPAA Violation

UPMC Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation

Employee Sanctions for HIPAA Violations

Not all HIPAA violations are the result of insider theft, and many Covered Entities and Business Associates apply a scale of employee sanctions for HIPAA violations depending on factors such as whether the violation was intentional or accidental, whether it was reported by the employee as soon as the violation was realized, and the magnitude of the breach. Some Covered Entities also apply employee sanctions for HIPAA violations to employees who were aware that a violation (by another employee) had occurred, but failed to report it.

Employee sanctions for HIPAA violations vary in severity from additional training to dismissal. The decision should be taken in consultation with the HIPAA Privacy and Security Officers, who may need to conduct interviews with the employee, inspect audit trails, and review telephone logs – including the call logs of the employee's mobile phone. Because of the cost and disruption attributable to applying employee sanctions for HIPAA violations, it is worthwhile dedicating more resources to initial employee training in order to prevent HIPAA violations – whether intentional or accidental – from occurring.

Receiving a Civil Penalty for Unknowingly Violating HIPAA

Although it was mentioned above that OCR has the discretion to waive a civil penalty for unknowingly violating HIPAA, ignorance of the HIPAA regulations is not regarded as a justifiable excuse for failing to implement the appropriate safeguards. In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for failing to fully understand the HIPAA requirements and subsequently failing to conduct a complete risk assessment.

As a result of the incomplete risk assessment, the PHI of 1,391 individuals was potentially disclosed without authorization when a laptop containing the data was stolen from a vehicle parked outside an employee's home. Speaking after details of the fine had been announced, OCR Director Roger Severino described the civil penalty for unknowingly violating HIPAA as a penalty for disregarding security.

It may also be possible for a CE or BA to receive a civil penalty for unknowingly violating HIPAA if the state in which the violation occurs allows individuals to bring legal action against the person(s) responsible for the violation. Although HIPAA lacks a private right of action, individuals can still use the regulations to establish a standard of care under common law. Several cases of this nature are currently in progress.

HIPAA Compliance Audits Are Likely to Result in Penalties for HIPAA Violations

If a CE or BA is found not to have complied with the HIPAA regulations, OCR has the authority to issue penalties for HIPAA noncompliance – even if there has been no breach of PHI and no complaint.

After much delay, OCR is now conducting the second phase of HIPAA compliance audits. The audits are not being conducted specifically to uncover HIPAA violations and to issue financial penalties, although if serious violations of the HIPAA Rules are discovered, financial penalties may be deemed appropriate.

The first phase of HIPAA compliance audits was conducted in 2011/2012 and revealed that many covered entities were struggling with compliance. OCR provided technical assistance to help those entities correct areas of noncompliance, and no penalties for HIPAA violations were issued.

Now, five years on, covered entities have had ample time to develop their compliance programs. This time around, OCR is not expected to be so lenient.

One of the biggest areas of noncompliance with the HIPAA Rules found during the first phase of compliance audits was the failure to conduct a comprehensive, organization-wide risk assessment.

The risk assessment is fundamental to developing a good security posture. If a risk assessment is not conducted, a covered entity will be unaware whether any security vulnerabilities exist that pose a risk to the confidentiality, integrity, and availability of ePHI. Those risks will therefore not be managed and reduced to an acceptable level.

A look at the penalties for HIPAA violations issued by OCR shows just how commonly risk assessment violations occur. Risk assessment failures commonly attract financial penalties.

The failure to complete Business Associate Agreements (BAAs) with third-party service providers can attract penalties for HIPAA noncompliance. Several covered entities have been fined for failing to revise BAAs written prior to September 2014, when all existing contracts were invalidated by the Final Omnibus Rule. In September 2016, the Care New England Health System was fined $400,000 for HIPAA noncompliance that included the failure to revise a BAA originally signed in March 2005.

BAAs are a key area that OCR will be keeping an eye on throughout its audit program. BAAs – contracts that lay out the permitted uses and allowable disclosures of PHI – must be signed with every third-party service provider to whom PHI is disclosed (including lawyers).

Penalties for HIPAA Violations


When deciding on an appropriate settlement, OCR considers the severity of the violation, the extent of noncompliance with the HIPAA Rules, the number of individuals affected, and the impact the breach has had on those individuals. OCR also considers the financial position of the covered entity. Punitive measures may be necessary, but penalties for HIPAA violations should not result in a covered entity being forced out of business.

The purpose of these penalties for HIPAA violations is in part to punish covered entities for serious violations of the HIPAA Rules, but also to send a message to other healthcare organizations that noncompliance with the HIPAA Rules is not acceptable.


OCR HIPAA Fines 2020

2020 saw more financial penalties imposed on HIPAA covered entities and business associates than in any other year since OCR started enforcing HIPAA compliance. 19 settlements were reached to resolve potential violations of the HIPAA Rules. OCR continued with its HIPAA Right of Access enforcement initiative that commenced in late 2019 and by year end had settled 11 cases where patients had not been provided with timely access to their medical records for a reasonable cost-based fee.

2020 saw the second largest settlement to resolve HIPAA violations. The health insurer Premera Blue Cross paid OCR $6,850,000 to settle potential HIPAA violations found during the investigation of its 2015 breach of the ePHI of 10,466,692 individuals.

2020 OCR HIPAA Settlements

Covered Entity | Reason | Individuals Impacted | Amount
Peter Wrobel, M.D., P.C., dba Elite Primary Care | HIPAA Right of Access failure | 2 | $36,000
University of Cincinnati Medical Center | HIPAA Right of Access failure | 1 | $65,000
Dr. Rajendra Bhayani | HIPAA Right of Access failure | 1 | $15,000
Riverside Psychiatric Medical Group | HIPAA Right of Access failure | 1 | $25,000
City of New Haven, CT | Failure to terminate access rights; risk analysis failure; failure to implement Privacy Rule policies; failure to issue unique IDs to allow system activity to be tracked; impermissible disclosure of the PHI of 498 individuals | 498 | $202,400
Aetna | Lack of technical and nontechnical evaluation in response to environmental or operational changes; identity check failure; minimum necessary information failure; impermissible disclosure of 18,849 records; lack of administrative, technical, and physical safeguards | 18,849 | $1,000,000
NY Spine | HIPAA Right of Access failure | 1 | $100,000
Dignity Health, dba St. Joseph's Hospital and Medical Center | HIPAA Right of Access failure | 1 | $160,000
Premera Blue Cross | Risk assessment failure; risk management failure; inadequate hardware and software controls; unauthorized access to the PHI of 10,466,692 individuals | 10,466,692 | $6,850,000
CHSPSC LLC | Failure to conduct a risk analysis; failures to implement information system activity reviews, security incident procedures, and access controls; breach of the ePHI of more than 6 million individuals | 6,121,158 | $2,300,000
Athens Orthopedic Clinic PA | Failure to conduct a risk analysis; lack of risk management and audit controls; failure to maintain HIPAA policies and procedures; business associate agreement failure; failure to provide HIPAA Privacy Rule training to the workforce | 208,557 | $1,500,000
Housing Works, Inc. | HIPAA Right of Access failure | 1 | $38,000
All Inclusive Medical Services, Inc. | HIPAA Right of Access failure | 1 | $15,000
Beth Israel Lahey Health Behavioral Services | HIPAA Right of Access failure | 1 | $70,000
King MD | HIPAA Right of Access failure | 1 | $3,500
Wise Psychiatry, PC | HIPAA Right of Access failure | 1 | $10,000
Lifespan Health System Affiliated Covered Entity | Lack of encryption; insufficient device and media controls; lack of business associate agreements; impermissible disclosure of 20,431 patients' ePHI | 20,431 | $1,040,000
Metropolitan Community Health Services dba Agape Health Services | Longstanding, systemic noncompliance with the HIPAA Security Rule | 1,263 | $25,000

OCR HIPAA Fines 2019

HIPAA enforcement continued at a high level in 2019. Eight settlements were reached with HIPAA covered entities and business associates to resolve HIPAA violations, and two civil monetary penalties were issued. The financial penalties were imposed to resolve similar violations of the HIPAA Rules as in previous years, but 2019 also saw the first financial penalties issued under OCR's new HIPAA Right of Access initiative. Two covered entities settled cases over the failure to provide patients with a copy of their medical records, in the requested format, within a reasonable time frame.

2019 OCR HIPAA Settlements

Covered Entity | Reason | Individuals Impacted | Amount
West Georgia Ambulance | Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures | 500 | $65,000
Korunda Medical, LLC | HIPAA Right of Access failure | 1 or more | $85,000
Sentara Hospitals | Breach notification failure; business associate agreement failure | 577 | $2,175,000
University of Rochester Medical Center | Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls | 43 | $3,000,000
Elite Dental Associates | Social media disclosure; notice of privacy practices; impermissible PHI disclosure | Unconfirmed | $10,000
Bayfront Health St Petersburg | HIPAA Right of Access failure | 1 | $85,000
Medical Informatics Engineering | Risk analysis failure; impermissible disclosure of 3.5 million records | 3,500,000 | $100,000
Touchstone Medical Imaging | No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals' PHI | 307,839 | $3,000,000

2019 OCR Civil Monetary Penalties

Covered Entity | Reason | Individuals Impacted | Amount
Texas Department of Aging and Disability Services | Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients' ePHI | 6,617 | $1,600,000
Jackson Health System | Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations | 25,661 | $2,154,000

OCR HIPAA Fines 2018

There was a year-over-year increase in HIPAA violation penalties in 2018. 11 financial penalties were agreed in 2018: 10 settlements and one civil monetary penalty. Two records were broken in 2018. 2018 saw the largest ever HIPAA settlement agreed – a $16 million financial penalty for Anthem Inc., to resolve HIPAA violations discovered during the investigation of its 78.8 million record breach in 2015. HIPAA covered entities also paid more in fines than in any other year since OCR began enforcing compliance with the HIPAA Rules: $28,683,400.

2018 OCR HIPAA Settlements

Covered Entity | Reason | Individuals Impacted | Amount
Cottage Health | Risk analysis and risk management failures; no BAA | 62,500 | $3,000,000
Pagosa Springs Medical Center | Failure to terminate employee access; no BAA | 557+ | $111,400
Advanced Care Hospitalists | Impermissible PHI disclosure; no BAA; insufficient security measures; no HIPAA compliance efforts prior to April 1, 2014 | 9,255 | $500,000
Allergy Associates of Hartford | PHI disclosure to reporter; no sanctions against employee | 1 | $125,000
Anthem Inc | Risk analysis failure; inadequate reviews of system activity; failure to respond to a detected breach; insufficient technical controls to prevent unauthorized ePHI access | 78,800,000 | $16,000,000
Boston Medical Center | Filming patients without consent | Unspecified | $100,000
Brigham and Women's Hospital | Filming patients without consent | Unspecified | $384,000
Massachusetts General Hospital | Filming patients without consent | Unspecified | $515,000
Filefax, Inc. | Impermissible disclosure of physical PHI – left unprotected in truck | 2,150 | $100,000
Fresenius Medical Care North America | 5 breaches: investigation revealed risk analysis failures; impermissible disclosure of ePHI; lack of policies covering electronic devices; lack of encryption; insufficient security policies; insufficient physical safeguards | 521 | $3,500,000

2018 Civil Monetary Penalties for HIPAA Violations

Covered Entity | Reason | Individuals Impacted | Amount
University of Texas MD Anderson Cancer Center | 3 breaches resulting in an impermissible disclosure of ePHI; no encryption | 34,883 | $4,348,000

OCR HIPAA Fines 2017

A review of the 2017 OCR penalties for HIPAA violations.

2017 OCR HIPAA Settlements

Covered Entity | Breach Summary | Individuals Impacted | Settlement Amount
Memorial Healthcare System | Impermissible access of PHI by employees; impermissible disclosure of PHI to affiliated physicians' offices | 115,143 | $5,500,000
CardioNet | Theft of an unencrypted laptop computer | 1,391 | $2,500,000
Memorial Hermann Health System | Disclosure of patient's PHI to the media | 1 | $2,400,000
21st Century Oncology | Multiple HIPAA violations | 2,213,597 | $2,300,000
MAPFRE Life Insurance Company of Puerto Rico | Theft of an unencrypted USB storage device | 2,209 | $2,200,000
Presence Health | Delayed breach notifications | 836 | $475,000
Metro Community Provider Network | Lack of a security management process to safeguard ePHI | 3,200 | $400,000
St. Luke's-Roosevelt Hospital Center Inc. | Impermissible disclosure of PHI to patient's employer | 1 | $387,000
The Center for Children's Digestive Health | Lack of a business associate agreement | N/A | $31,000

2017 Civil Monetary Penalties for HIPAA Violations

Covered Entity | Breach Summary | Individuals Impacted | Penalty Amount
Children's Medical Center of Dallas | Theft of unencrypted devices | 6,262 | $3,200,000

OCR HIPAA Fines 2016

2016 was a record year for financial penalties to settle violations of the HIPAA Rules. 2016 saw 12 settlements agreed and one civil monetary penalty issued by OCR.

2016 OCR HIPAA Settlements

Covered Entity | Breach Summary | Individuals Impacted | Settlement Amount
Feinstein Institute for Medical Research | Improper disclosure of research participants' PHI | 13,000 | $3,900,000
Advocate Health Care Network | Theft of desktop computers; loss of laptop; improper accessing of data at business associate | 3,994,175 | $5,550,000
University of Mississippi Medical Center | Unprotected network drive | 10,000 | $2,750,000
Oregon Health & Science University | Loss of unencrypted laptop; storage on cloud server without BAA | 4,361 | $2,700,000
New York Presbyterian Hospital | Filming of patients by TV crew | Unconfirmed | $2,200,000
North Memorial Health Care of Minnesota | Theft of laptop computer; improper disclosure to business associate | 299,401 | $1,550,000
St. Joseph Health | PHI made available through search engines | 31,800 | $2,140,500
Raleigh Orthopaedic Clinic, P.A. of North Carolina | Improper disclosure to business associate | 17,300 | $750,000
University of Massachusetts Amherst (UMass) | Malware infection | 1,670 | $650,000
Catholic Health Care Services of the Archdiocese of Philadelphia | Theft of mobile device | 412 | $650,000
Care New England Health System | Loss of 2 unencrypted backup tapes | 14,000 | $400,000
Complete P.T., Pool & Land Physical Therapy, Inc. | Improper disclosure of PHI (website testimonials) | Unconfirmed | $25,000

2016 Civil Monetary Penalties for HIPAA Violations

Covered Entity | Breach Summary | Individuals Impacted | Penalty Amount
Lincare, Inc. | Improper disclosure (unprotected documents) | 278 | $239,800