4 of the Most Costly HIPAA Enforcement Actions from 2018

In 2018, the Office for Civil Rights (OCR) settled 10 cases and was granted summary judgment in a Health Insurance Portability and Accountability Act (HIPAA) enforcement case. Of the cases OCR was involved in, these were the most costly enforcement actions:

  • Fresenius Medical Care North America (FMCNA) — In January 2018, FMCNA settled for $3.5 million with OCR for the five separate data breaches that occurred between February 23rd, 2012 and July 18th, 2012.

  • The University of Texas MD Anderson Cancer Center (MD Anderson) — In June 2018, a Department of Health and Human Services (HHS) judge ruled in favor of OCR and ordered MD Anderson to pay $4.3 million in penalties for their HIPAA violations.

  • Anthem Inc. — In October 2018, Anthem paid $16 million to OCR, an all-time record for the most costly penalty, after a series of cyber attacks allowed criminals to steal the electronic personal health information (ePHI) of nearly 79 million individuals from December 2nd, 2014 to January 27th, 2014.

  • Cottage Health — In December 2018, Cottage Health agreed to pay $3 million to OCR after two breaches exposed unsecured ePHI for 62,500 individuals.

What Does This Mean for Your Health Organization?

The HIPAA Privacy and Security Rules are complex, and violations can trigger expensive penalties. Fortunately, there are resources available from HHS to help covered entities comply with the HIPAA rules. These resources are available through HHS’ website on the following topic pages:

Amanda SSIA Group