Privacy and consumer protection enforcement actions against healthcare companies.
792
Total Actions
$23.1B
Total Fines
Texas Attorney General Ken Paxton announced the effective date of a $7.4 billion settlement with Purdue Pharma, Inc. and the Sackler family over their role in fueling the opioid crisis. Texas will receive $286.5 million from the settlement, bringing the state’s total opioid recovery funds to over $3 billion. The settlement includes permanent bans on Sackler opioid sales in the U.S., public release of 30 million company documents, and distribution of funds for addiction treatment and prevention over 15 years.
$7.4B
Connecticut Attorney General William Tong announced that Purdue Pharma will dissolve as the company’s bankruptcy concludes and a $7.4 billion settlement with Purdue and the Sackler family takes effect. The settlement permanently bars the Sacklers from selling opioids in the U.S., directs funds to addiction treatment and prevention, and requires the release of over 30 million documents related to Purdue’s opioid business. Connecticut is expected to receive $64 million from the settlement, with first payments anticipated in fall 2026.
$7.4B
New York Attorney General Letitia James announced the shutdown of opioid manufacturer Purdue Pharma as part of a $7.4 billion settlement with a bipartisan coalition of 54 other state attorneys general. The Sackler family, former owners of Purdue, are permanently barred from selling opioids in the U.S. and have no involvement in Knoa Pharma, the new public benefit corporation replacing Purdue. Purdue was sentenced on criminal charges related to its role in the opioid crisis on April 28, 2026, with the new entity operating under strict oversight and excess revenue funding opioid abatement efforts.
$7.4B
Virginia Attorney General Jay Jones joined a bipartisan coalition of 44 state attorneys general in submitting a comment letter supporting a proposed U.S. Department of Labor rule to increase transparency requirements for pharmacy benefit managers (PBMs) servicing employer-funded ERISA health plans. The coalition urged the DOL to clarify that the proposed rule does not preempt existing state PBM transparency laws and to coordinate enforcement with state attorneys general. This action is a policy advocacy comment letter and does not constitute an enforcement action against any specific entity.
The FTC alleged that Vanilla Chip LLC (d/b/a TruHeight) deceptively advertised height-enhancing supplements for children and teens without competent scientific evidence, and used fake employee-written and incentivized 5-star reviews. The proposed settlement requires TruHeight and its principals to pay $750,000, bars false health claims, and prohibits misleading review practices. A $4 million total judgment is partially suspended due to the respondents' inability to pay the full amount.
$750K
BMG of Kansas, Inc. (Health Plan, KS) reported a HIPAA breach affecting 1,327 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Manhattan Retirement Foundation d/b/a Meadowlark Hills (Healthcare Provider, KS) reported a HIPAA breach affecting 14,442 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
AltaMed Health Services Corporation (Healthcare Provider, CA) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Commonwealth Care Alliance (Health Plan, MA) reported a HIPAA breach affecting 634 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.
Couve Healthcare Consulting, LLC DBA Evergreen Healthcare Group (Business Associate, WA) reported a HIPAA breach affecting 11,795 individuals. Breach type: Hacking/IT Incident. Location of breached information: Electronic Medical Record.
Weill Cornell Medicine (Healthcare Provider, NY) reported a HIPAA breach affecting 516 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.
QualDerm Partners, LLC (Healthcare Provider, TN) reported a HIPAA breach affecting 3,117,874 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
The Center for Advanced Eye Care (Healthcare Provider, ME) reported a HIPAA breach affecting 9,300 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server, Other.
Option Care Health, Inc. (Healthcare Provider, IL) reported a HIPAA breach affecting 2,086 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Connecticut Attorney General William Tong submitted testimony in support of genetic privacy legislation that would grant residents exclusive control over their DNA and genetic data. The legislation is inspired by his office's investigation into 23andMe's data breach affecting over six million customers and the company's subsequent bankruptcy. The bill requires express consent for DNA use, imposes security measures, and prohibits marketing use of DNA.
VNS Behavioral Health Inc. (“VNS Health”) (Healthcare Provider, NY) reported a HIPAA breach affecting 739 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Emanuel Medical Center (Healthcare Provider, GA) reported a HIPAA breach affecting 28,963 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
44North (Business Associate, MI) reported a HIPAA breach affecting 2,158 individuals. Breach type: Hacking/IT Incident. Location of breached information: Desktop Computer.
Easterseals Northeast Indiana (Healthcare Provider, IN) reported a HIPAA breach affecting 3,158 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Wee Care Pediatrics, LLC (Healthcare Provider, UT) reported a HIPAA breach affecting 2,127 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
National Association on Drug Abuse Problems (Healthcare Provider, NY) reported a HIPAA breach affecting 90,000 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Cedar Valley Services (Healthcare Provider, MN) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Academic Urology & Urogynecology of Arizona (Healthcare Provider, AZ) reported a HIPAA breach affecting 73,281 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Resource Corporation of America (Business Associate, TX) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Communications Workers of America Local 1180 Security Benefits Fund (Health Plan, NY) reported a HIPAA breach affecting 18,550 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record, Other.
VPS Medical PLLC (Healthcare Provider, PA) reported a HIPAA breach affecting 4,600 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Cedar Point Health, LLC (Healthcare Provider, CO) reported a HIPAA breach affecting 23,114 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
University Spine Center (Healthcare Provider, NJ) reported a HIPAA breach affecting 582 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server, Other.
Alexes Hazen MD, PLLC (Healthcare Provider, NY) reported a HIPAA breach affecting 500 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email, Network Server.
First Choice Community Home Care, Inc. (Healthcare Provider, TX) reported a HIPAA breach affecting 725 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
BlueCross BlueShield of Tennessee, Inc. (Business Associate, TN) reported a HIPAA breach affecting 1,670 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
ApolloMD Business Services, LLC (Business Associate, GA) reported a HIPAA breach affecting 626,540 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Five Star Home Health, Inc. (Healthcare Provider, OK) reported a HIPAA breach affecting 1,575 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Houston Health Department (Healthcare Provider, TX) reported a HIPAA breach affecting 7,445 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Carolina Foot & Ankle Associates (Healthcare Provider, NC) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Wendy Foster OD (Healthcare Provider, KS) reported a HIPAA breach affecting 20,000 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Counseling Center of Wayne & Holmes Counties (Healthcare Provider, OH) reported a HIPAA breach affecting 83,354 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Adapt Integrated Health Care (Healthcare Provider, OR) reported a HIPAA breach affecting 2,908 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Marin Cancer Care (Healthcare Provider, CA) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
EDGAR A MARTORELL MD LLC (Healthcare Provider, FL) reported a HIPAA breach affecting 1,107 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Cottage Hospital (Healthcare Provider, NH) reported a HIPAA breach affecting 1,005 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
TriZetto Provider Solutions (Business Associate, MO) reported a HIPAA breach affecting 3,433,965 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Apex Spine & Neurosurgery, LLC (Healthcare Provider, GA) reported a HIPAA breach affecting 2,500 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Triad Radiology Associates (Healthcare Provider, NC) reported a HIPAA breach affecting 11,011 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
WIRX Pharmacy (Healthcare Provider, PA) reported a HIPAA breach affecting 20,047 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Issaqueena Pediatric Dentistry PA (Healthcare Provider, SC) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Personalis, Inc. (Healthcare Provider, CA) reported a HIPAA breach affecting 650 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Antitrust enforcement action where the FTC settled with Express Scripts, a major pharmacy benefit manager, for using anticompetitive rebating practices that artificially inflated insulin prices. The settlement requires ESI to change its business practices to increase transparency and lower patient out-of-pocket costs, potentially saving $7 billion over 10 years.
EyeCare Partners, LLC, including The Ophthalmology Group, Ophthalmology Consultants, and Ophthalmology Associates. (Healthcare Provider, MO) reported a HIPAA breach affecting 17,110 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
New Jersey Acting Attorney General Jennifer Davenport, alongside 42 states and territories, filed a multistate complaint against Novartis AG and its subsidiaries Sandoz AG and Sandoz Group AG alleging a conspiracy to fix prices, allocate markets, and rig bids for 31 generic drugs, inflating costs for consumers and public healthcare programs. The complaint also alleges Novartis fraudulently spun off Sandoz to shield itself from liability for prior antitrust violations. This action builds on evidence from three previous multistate generic drug price-fixing complaints.
Pafford Medical Services (Healthcare Provider, AR) reported a HIPAA breach affecting 1,000 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Mindoula Health, Inc. (Business Associate, MD) reported a HIPAA breach affecting 626 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Connecticut Attorney General William Tong led a coalition of 48 states and territories in announcing settlements with Lannett Company, Inc. and Bausch Health entities totaling $17.85 million. The settlements resolve allegations that the companies engaged in conspiracies to inflate prices and limit competition for generic prescription drugs. The companies agreed to cooperate in ongoing litigation and implement internal reforms, while a new complaint was filed against Novartis and subsidiaries.
$17.9M
Lincoln National Corporation d/b/a/ Lincoln Financial (Health Plan, IN) reported a HIPAA breach affecting 998 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.
Health and Hospital Corporation of Marion County (Healthcare Provider, IN) reported a HIPAA breach affecting 792 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email, Laptop.
BAYADA Home Health Care, Inc. (Healthcare Provider, NJ) reported a HIPAA breach affecting 9,526 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Wakefield & Associates, LLC (Business Associate, TN) reported a HIPAA breach affecting 31,751 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Comstar, LLC, an ambulance billing vendor, suffered a data breach in March 2022 that exposed sensitive patient information, including Social Security numbers and medical records, of over 349,000 residents in Connecticut and Massachusetts. The settlement requires Comstar to pay $515,000 and implement enhanced security measures such as phishing protection and annual security assessments.
$515K
Clinic Service Corporation (Business Associate, CO) reported a HIPAA breach affecting 82,331 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Massachusetts Attorney General secured a $515,000 settlement with Comstar, LLC for a March 2022 data breach that exposed sensitive patient information of over 326,000 Massachusetts residents. Comstar violated Massachusetts Data Security regulations and HIPAA by failing to maintain adequate security measures. The settlement includes monetary payment and mandated security improvements.
$515K
WindRose Health Network (Healthcare Provider, IN) reported a HIPAA breach affecting 691 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Pecan Tree Dental, PLLC (Healthcare Provider, TX) reported a HIPAA breach affecting 13,300 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Telemarketing enforcement case where the FTC obtained a temporary restraining order against defendants who deceptively marketed limited benefit health plans as comprehensive health insurance. The scheme caused tens of millions of dollars in harm to consumers seeking health coverage. The court halted operations at the FTC's request.
Precipio, Inc. (Healthcare Provider, CT) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Jefferson-Blount-St. Clair Mental Health Authority (Healthcare Provider, AL) reported a HIPAA breach affecting 30,434 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
True RCM, a Rapid Care Transcription, Inc., Company (Business Associate, MD) reported a HIPAA breach affecting 1,247 individuals. Breach type: Hacking/IT Incident. Location of breached information: Desktop Computer.
AdventHealth Daytona Beach (Healthcare Provider, FL) reported a HIPAA breach affecting 821 individuals. Breach type: Loss. Location of breached information: Paper/Films.
Middlesex Sheriff's Office (Healthcare Provider, MA) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Benton County Health (Healthcare Provider, OR) reported a HIPAA breach affecting 1,476 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Minnesota Department of Human Services (Health Plan, MN) reported a HIPAA breach affecting 303,965 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
Central Texas MHMR Center dba Center for Life Resource (Healthcare Provider, TX) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Superior Care Plus LLC d/b/a Supportive Home Health LLC (Healthcare Provider, OH) reported a HIPAA breach affecting 1,415 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
360 Dental PC (Healthcare Provider, PA) reported a HIPAA breach affecting 11,273 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Administrators of the Tulane Educational Fund d/b/a Tulane University Medical Group (Healthcare Provider, LA) reported a HIPAA breach affecting 6,556 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Southern Immediate Care, LLC (Healthcare Provider, AL) reported a HIPAA breach affecting 7,447 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Florence County Commission on Alcohol & Drug Abuse – dba Circle Park Behavioral Health Services (“Circle Park”) (Healthcare Provider, SC) reported a HIPAA breach affecting 7,020 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
TMG Health, Inc. (Business Associate, TX) reported a HIPAA breach affecting 2,076 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
FullBeauty Brands, Inc. Associate Benefits Plan (Health Plan, NY) reported a HIPAA breach affecting 4,725 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Avosina Healthcare Solutions (Business Associate, VA) reported a HIPAA breach affecting 44,425 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Central Ozarks Medical Center (Healthcare Provider, MO) reported a HIPAA breach affecting 11,818 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
The Center for Neuropsychology and Learning, PC (Healthcare Provider, MI) reported a HIPAA breach affecting 3,722 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Illinois Department of Human Services (Health Plan, IL) reported a HIPAA breach affecting 705,017 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
ABKSW PREFERRED HEALTH PARTNERS, PLLC d/b/a NORTH TEXAS PREFERRED HEALTH PARTNERS (Healthcare Provider, TX) reported a HIPAA breach affecting 2,074 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Devereux Foundation (Healthcare Provider, PA) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Consumer protection case: Oregon Attorney General filed a lawsuit against six major drug companies and pharmacy benefit managers for allegedly coordinating to inflate insulin prices, seeking $900 million in damages under the Unlawful Trade Practices Act.
$900.0M
Pit River Health Service Inc. (Healthcare Provider, CA) reported a HIPAA breach affecting 1,800 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Methodist Homes of Alabama and Northwest Florida (Healthcare Provider, AL) reported a HIPAA breach affecting 1,406 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Mid Michigan Medical Billing Service, Inc. (Business Associate, MI) reported a HIPAA breach affecting 28,185 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Andover Eye Associates (Healthcare Provider, MA) reported a HIPAA breach affecting 1,638 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Steel Encounters, Inc. (Healthcare Provider, UT) reported a HIPAA breach affecting 959 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Advanced Healthcare Professionals (Healthcare Provider, TX) reported a HIPAA breach affecting 800 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
The Connecticut Attorney General reached an agreement with Hartford Healthcare to address antitrust concerns in the acquisition of Manchester Memorial and Rockville General hospitals from Prospect Medical. The agreement includes conditions to limit cost increases, waive physician non-compete clauses, and maintain medical staff privileges to protect competition and physician mobility. This resolves the antitrust review under the state's notice of material change statute.
Associated Radiologists of the Finger Lakes, P.C. (Business Associate, NY) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Exact Sciences Laboratories LLC (Healthcare Provider, WI) reported a HIPAA breach affecting 2,658 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.
Docs Medical Group, Inc. dba Pulse Urgent Care (Healthcare Provider, CA) reported a HIPAA breach affecting 4,035 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
CareOregon (Health Plan, OR) reported a HIPAA breach affecting 5,473 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
New York Attorney General Letitia James secured a $500,000 settlement with orthopedics practice OrthopedicsNY, LLP for failing to implement adequate data security measures, leading to a 2023 cyberattack that exposed personal and health information of approximately 656,000 patients and employees. The settlement requires OrthopedicsNY to pay the penalty, fund one year of free credit monitoring for affected individuals, and adopt enhanced data security practices including multifactor authentication, encryption, and annual risk assessments.
$500K
BlueCross BlueShield of Tennessee, Inc. (Business Associate, TN) reported a HIPAA breach affecting 780 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.
Glendale Obstetrics & Gynecology PCA (Healthcare Provider, AZ) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Health and civil rights enforcement action. Oregon Attorney General Dan Rayfield led a coalition of 19 states and the District of Columbia in filing a lawsuit against the U.S. Department of Health and Human Services (HHS). The suit challenges a December 18, 2025 HHS 'declaration' that claims certain gender-affirming care is 'unsafe and ineffective' and threatens to exclude providers from Medicare/Medicaid for offering such care. The attorneys general argue HHS violated federal administrative law by implementing a major policy change without required notice-and-comment rulemaking, creating fear for patients and providers and threatening state Medicaid programs.