1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.
1,285
Total Actions
14
Jurisdictions
$35.3B+
Total Fines Tracked
Trionfo Solutions, LLC (Business Associate, IL) reported a HIPAA breach affecting 81,588 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Omni Healthcare Financial Holdings (Business Associate, NC) reported a HIPAA breach affecting 16,852 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Victoria Eye Center/Victoria Surgery Center/Victoria Vision Center (Healthcare Provider, TX) reported a HIPAA breach affecting 80,000 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Pope & Conner Consulting, Inc. (Business Associate, WI) reported a HIPAA breach affecting 1,035 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Hypertension-Nephrology Associates, P.C. (Healthcare Provider, PA) reported a HIPAA breach affecting 39,491 individuals. Breach type: Hacking/IT Incident. Location of breached information: Electronic Medical Record, Network Server.
Superior Air-Ground Ambulance Service, Inc. (Healthcare Provider, IL) reported a HIPAA breach affecting 1,039,972 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Watson Clinic (Healthcare Provider, FL) reported a HIPAA breach affecting 280,278 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
WebTPA Employer Services, LLC (“WebTPA”) (Business Associate, TX) reported a HIPAA breach affecting 2,518,533 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Kenneth Young Center (Healthcare Provider, IL) reported a HIPAA breach affecting 6,842 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Medical Express Ambulance Inc. D/B/A Medex Ambulance (Healthcare Provider, IL) reported a HIPAA breach affecting 121,190 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
United Seating and Mobility, L.L.C., d/b/a Numotion (Healthcare Provider, TN) reported a HIPAA breach affecting 602,265 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
AMERICAN RENAL MANAGEMENT (Business Associate, TN) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Therapeutic Health Services (Healthcare Provider, WA) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Empath-Stratum Inc. doing business as Empath Health (Healthcare Provider, FL) reported a HIPAA breach affecting 5,545 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Kootenai Health (Healthcare Provider, ID) reported a HIPAA breach affecting 464,088 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Medical Billing Specialists, Inc. (Business Associate, MA) reported a HIPAA breach affecting 43,673 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
NorthBay Healthcare Corporation (Healthcare Provider, CA) reported a HIPAA breach affecting 569,012 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Cumberland Heights Foundation, Inc. (Healthcare Provider, TN) reported a HIPAA breach affecting 5,078 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
The FTC settled with telehealth firm Cerebral, Inc. for sharing sensitive consumer mental health data with third parties like LinkedIn, Snapchat, and TikTok for advertising without proper consent, employing sloppy security practices, and misleading consumers about cancellation policies. Cerebral must pay over $7 million (with $2 million due upfront), is permanently banned from using health information for most advertising, must implement a comprehensive privacy program, delete unnecessary data, and provide easy cancellation.
$7.0M
Kaiser Foundation Health Plan, Inc. (Health Plan, CA) reported a HIPAA breach affecting 13,400,000 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
Monument, Inc., an alcohol addiction treatment firm, shared consumers' health data with third-party advertising platforms like Meta and Google without consent, despite promising confidentiality. The FTC settled with a consent order that bans Monument from disclosing health data for advertising, requires affirmative consent for other sharing, imposes a $2.5 million suspended fine, and mandates data deletion, consumer notification, and a privacy program.
$2.5M
Gaia Software, LLC (Business Associate, CO) reported a HIPAA breach affecting 56,676 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
UNC Hospitals (Healthcare Provider, NC) reported a HIPAA breach affecting 3,142 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Delta Health System (Healthcare Provider, MS) reported a HIPAA breach affecting 216,532 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Strive Holdco, LLC (Healthcare Provider, TX) reported a HIPAA breach affecting 51,477 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
Refuah Health Center, Inc. failed to implement adequate data security measures, leading to a ransomware attack that compromised the personal and health information of approximately 250,000 New Yorkers. The New York Attorney General reached a settlement requiring Refuah to invest $1.2 million in cybersecurity improvements and pay $450,000 in penalties.
$450K
NewYork-Presbyterian Hospital used third-party tracking tools on its website that collected and shared patients' health information with tech companies without adequate safeguards, violating HIPAA. The hospital agreed to pay $300,000 and implement enhanced privacy policies, data deletion, and regular audits.
$300K
CRI Genetics, LLC was charged by the FTC and California Attorney General for deceptive marketing of DNA testing services, including false accuracy claims, fake reviews, and using dark patterns in billing. The company agreed to a settlement, paying a $700,000 civil penalty, and is prohibited from deceptive practices, must obtain consent for data sharing, and allow data deletion for consumers who requested it.
$700K
US Radiology Specialists, Inc. failed to upgrade its firewall, leading to a ransomware attack that compromised the personal and health data of over 198,000 patients, including 92,000 New Yorkers. The company agreed to pay $450,000 in penalties and implement comprehensive data security measures, including encryption and data deletion policies.
$450K
New York Attorney General Letitia James secured a $350,000 settlement from Personal Touch Holding Corporation for failing to protect patient and employee data. A ransomware attack in January 2021 compromised the personal and medical information of approximately 316,845 New Yorkers due to inadequate security measures. As part of the agreement, Personal Touch must pay penalties, enhance its cybersecurity program, and provide free credit monitoring to affected individuals.
$350K
All data sourced from official government enforcement pages.