1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.
1,285
Total Actions
14
Jurisdictions
$35.3B+
Total Fines Tracked
California Attorney General Rob Bonta announced a $49 million settlement with Kaiser for illegally disposing of hazardous waste, medical waste, and protected patient information at facilities statewide. The settlement resolves allegations of violations under health privacy and environmental laws, requiring Kaiser to pay penalties, implement compliance measures, and undergo independent audits.
$49.0M
California Attorney General Rob Bonta, alongside six county district attorneys, announced a $49 million settlement with Kaiser Foundation Health Plan, Inc. and Kaiser Foundation Hospitals resolving allegations of unlawful disposal of hazardous waste, medical waste, and protected patient health information. Investigations of 16 Kaiser facilities found hundreds of hazardous and medical waste items and over 10,000 paper records containing data of more than 7,700 patients in unsecured dumpsters. The settlement requires Kaiser to pay up to $49 million in penalties and compliance costs, retain an independent auditor for five years of regular audits, and implement enhanced waste and data disposal procedures.
$49.0M
The FTC finalized an order against 1Health.io for failing to secure genetic data and unfairly changing its privacy policy. The company must pay $75,000 for consumer refunds, destroy DNA samples, and implement security measures. It deceived consumers about data deletion and shared data without proper consent.
$75K
The FTC and HHS sent warning letters to approximately 130 hospital systems and telehealth providers about the privacy and security risks of using online tracking technologies, such as Meta/Facebook pixel and Google Analytics, which may impermissibly disclose sensitive health information to third parties. The agencies emphasized that such disclosures could violate HIPAA for covered entities and the FTC Act for others, citing recent enforcement actions against companies like BetterHelp and GoodRx.
BetterHelp agreed to pay $7.8 million to settle FTC allegations that it used and shared consumers' health data for advertising without consent. The online therapy provider is banned from such practices and must provide refunds to approximately 800,000 affected consumers.
$7.8M
The FTC settled with genetic testing company 1Health.io for failing to secure sensitive genetic and health data, deceiving consumers about data deletion, and unfairly changing its privacy policy without notice or consent. The settlement includes refunds totaling over $49,500 to 2,432 affected consumers.
$50K
The FTC charged Easy Healthcare Corporation, operator of the Premom fertility app, with deceiving users by sharing their sensitive health data with third parties for advertising without consent and failing to notify breaches as required by the Health Breach Notification Rule. Under a proposed consent decree, the company will pay a $100,000 civil penalty, be barred from sharing health data for advertising, and must implement privacy and security measures.
$100K
Connecticut, Oregon, and the District of Columbia reached a $100,000 settlement with Easy Healthcare Corporation, the operator of the Premom ovulation tracking app, for sharing sensitive user health and location data with third parties without appropriate disclosures or user consent. The settlement requires the company to implement comprehensive privacy and security programs, obtain consent before sharing health or location data, and provide users with a method to delete their personal information.
$100K
EyeMed Vision Care suffered a data breach in June 2020 due to poor security practices, including shared passwords, exposing personal and medical information of approximately 2.1 million individuals. The multistate settlement imposes a $2.5 million penalty and requires EyeMed to implement enhanced security measures and comply with privacy laws.
$2.5M
The FTC proposed a consent order against BetterHelp for sharing consumers' sensitive mental health data with third parties like Facebook for targeted advertising without proper consent. BetterHelp must pay $7.8 million in refunds and is banned from such data sharing, with requirements for consent and privacy programs.
$7.8M
The FTC settled with GoodRx for sharing consumers' sensitive prescription and health information with Facebook, Google, and other third parties for advertising without consent, and for failing to report these unauthorized disclosures as required by the Health Breach Notification Rule. GoodRx will pay a $1.5 million civil penalty and is permanently barred from sharing user health data for advertising.
$1.5M
State attorneys general reached a $450 million settlement with opioid manufacturer Endo International plc as part of its bankruptcy. The settlement resolves allegations of deceptive marketing that downplayed addiction risks and overstated benefits, particularly for Opana ER. Endo must pay $450 million over 10 years, ban opioid marketing forever, and disclose millions of documents.
$450.0M
The New Jersey Board of Pharmacy temporarily suspended the license of Christina Bekhit, owner of AllCare Pharmacy, after her arrest for selling falsified COVID-19 vaccination cards and entering false information into the state's immunization database. Under a consent order filed on July 5, 2022, Bekhit agreed to cease pharmacy operations and surrender her permit, addressing grave public health risks from fraudulent vaccination records.
The New Jersey Attorney General announced the arrest of Christina Bekhit, a pharmacist operating AllCare Pharmacy, for selling fake COVID-19 vaccination record cards and entering false information into the state's immunization database. She faces criminal charges for computer criminal activity, tampering with public information, and falsification of medical records.
Connecticut Attorney General William Tong announced a $601,759 settlement with American Medical Response of Connecticut (AMR-CT) for overbilling the state Medicaid program by billing for Advanced Life Support services when only Basic Life Support was provided, and even when local fire departments had already provided and billed for those services. AMR-CT also entered a consent agreement with the Department of Public Health requiring it to cease improper billing, comply with reporting requirements for one year, and pay a $25,000 civil penalty.
$627K
The Connecticut Attorney General settled with PCA Pain Care Center and its owner for overbilling Medicaid by using higher billing codes than warranted for services provided. They paid $1 million to resolve allegations under the Connecticut False Claims Act.
$1.0M
Connecticut Attorney General William Tong announced settlements with four hearing aid companies for marketing their products as 'FDA-approved' when no such approval exists. The companies will collectively pay $40,000 and cease such marketing practices. The investigation underscores that over-the-counter hearing aids are not FDA-approved and consumers should be wary of such claims.
$40K
Attorney General William Tong led a coalition of 42 states and territories to urge the FDA to preserve state consumer protection authorities for over-the-counter hearing aids, concerned that the proposed rule could preempt state laws and lack adequate age verification and labeling requirements.
The New Jersey Attorney General settled with Diamond Institute for Infertility and Menopause, LLC, following a data breach that exposed the electronic protected health information (ePHI) of 14,663 patients. The investigation found the clinic failed to implement required HIPAA Security Rule safeguards, including risk assessments, encryption, and access controls. The $495,000 settlement includes civil penalties and requires the clinic to implement a comprehensive information security program and corrective actions.
$495K
Connecticut Attorney General William Tong announced a $678,901 settlement with L.A. Vision and optician Lisa Azinheira for overbilling the state Medicaid program. The providers billed for non-medically necessary vision services and extra eyeglasses for children. In addition to restitution, they must comply with a federal Integrity Agreement requiring audits, training, and compliance measures.
$679K
AMCA suffered an eight-month data breach from August 2018 to March 2019, exposing personal information including Social Security numbers, payment card data, and medical test details of over 7 million individuals nationwide, including 246,000 New Jersey residents. The multistate settlement requires AMCA to implement enhanced data security measures and pay $21 million, though payment is suspended due to the company's financial situation.
$21.0M
The FTC finalized a settlement with SkyMed International, Inc., an emergency travel services provider, for failing to secure sensitive consumer data and deceiving consumers about HIPAA compliance. The company left a cloud database with 130,000 membership records unsecured, containing personal and health information. Under the settlement, SkyMed must notify affected consumers, implement a security program, undergo biennial assessments, and is prohibited from misrepresenting its data practices.
The FTC settled with Flo Health, Inc., developer of a popular fertility-tracking app, alleging it misled users by sharing sensitive health data with third-party analytics providers like Facebook and Google after promising to keep such data private. The proposed consent order requires Flo to obtain user consent before sharing health data, notify affected users, and destroy previously shared data, among other requirements.
SkyMed International, Inc. settled FTC allegations that it failed to secure sensitive consumer data, including health information, leaving a cloud database with 130,000 records exposed to the public. The FTC also alleged that SkyMed misrepresented HIPAA compliance on its website. As part of the settlement, SkyMed must implement a comprehensive security program, undergo biennial third-party assessments, and send notices to affected consumers.
Wakefern Food Corp. and associated ShopRite entities settled allegations that they improperly disposed of electronic devices containing protected health information, potentially exposing the data of over 9,700 New Jersey residents. They agreed to pay $235,000 and implement comprehensive data security measures including appointing privacy officers and providing training.
$235K
New Jersey Attorney General settled with Community Health Systems, Inc. over a 2014 data breach affecting 6.1 million patients, including over 45,000 New Jersey residents. CHS will pay $5 million to 28 states and implement enhanced data security measures to protect personal and health information.
$5.0M
New Jersey Attorney General announced a multi-state settlement with Anthem, Inc. over a 2015 data breach that exposed personal information of over 78 million Americans, including 1.15 million New Jersey residents. Anthem will pay $39.5 million to participating states and implement enhanced cybersecurity measures.
$39.5M
Anthem, Inc. settled with California for $8.69 million over a 2014 data breach that exposed personal information of 78 million consumers, including 13.5 million Californians. The breach resulted from security deficiencies, and the settlement includes injunctive relief to improve information security practices. This action was part of a parallel multistate settlement.
$8.7M
The FTC settled with Ortho-Clinical Diagnostics, Inc. for misleading consumers about its participation in the EU-U.S. Privacy Shield framework. The company allowed its certification to lapse in 2018 but continued to claim participation. The settlement prohibits such misrepresentations and requires compliance with Privacy Shield obligations for data collected or deletion of such data.
Aetna Inc. settled with the California Attorney General for $935,000 over allegations that it revealed the HIV status of 1,991 Californians through a mailing error where medication information was visible through envelope windows. The settlement requires Aetna to implement improved mailing procedures and conduct annual privacy assessments. This action enforces health privacy laws and protects sensitive medical information.
$935K
All data sourced from official government enforcement pages.