1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.
1,285
Total Actions
14
Jurisdictions
$35.3B+
Total Fines Tracked
Alpine Ears, Nose & Throat, P.L.L.C. (Healthcare Provider, CO) reported a HIPAA breach affecting 65,648 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
Eastern Idaho Public Health (Healthcare Provider, ID) reported a HIPAA breach affecting 759 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.
DentaQuest (Health Plan, WI) reported a HIPAA breach affecting 868 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.
Khalil Foundation (DBA Khalil Center) (Healthcare Provider, IL) reported a HIPAA breach affecting 1,153 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
El Paso Healthcare System, Ltd. d/b/a Las Palmas Del Sol Healthcare (Healthcare Provider, TX) reported a HIPAA breach affecting 1,854 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.
Atrium Health (Healthcare Provider, NC) reported a HIPAA breach affecting 585,959 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
AuthoraCare Collective (Healthcare Provider, NC) reported a HIPAA breach affecting 57,944 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
Huron Inc. Health Plan (Health Plan, MI) reported a HIPAA breach affecting 750 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
Mid-Minnesota Management Services d/b/a Central Resources (Business Associate, IL) reported a HIPAA breach affecting 1,232 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Other.
Mohawk Valley Cardiology, P.C. (Healthcare Provider, NY) reported a HIPAA breach affecting 4,973 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Other.
Jacksonville Children's Multispecialty Clinics/Atlantic Medical Management (Healthcare Provider, NC) reported a HIPAA breach affecting 2,224 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.
Ad Valorem Records, Inc. (Business Associate, TN) reported a HIPAA breach affecting 590 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.
Contents Trader, Inc. (Healthcare Provider, TX) reported a HIPAA breach affecting 27,329 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
Pemiscot Memorial Health System (Healthcare Provider, MO) reported a HIPAA breach affecting 33,279 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.
Geisinger (Healthcare Provider, PA) reported a HIPAA breach affecting 1,276,026 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
Insurance ACE/Humana Inc. (Health Plan, KY) reported a HIPAA breach affecting 15,003 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.
The FTC settled with telehealth firm Cerebral, Inc. for sharing sensitive consumer mental health data with third parties like LinkedIn, Snapchat, and TikTok for advertising without proper consent, employing sloppy security practices, and misleading consumers about cancellation policies. Cerebral must pay over $7 million (with $2 million due upfront), is permanently banned from using health information for most advertising, must implement a comprehensive privacy program, delete unnecessary data, and provide easy cancellation.
$7.0M
Kaiser Foundation Health Plan, Inc. (Health Plan, CA) reported a HIPAA breach affecting 13,400,000 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
Monument, Inc., an alcohol addiction treatment firm, shared consumers' health data with third-party advertising platforms like Meta and Google without consent, despite promising confidentiality. The FTC settled with a consent order that bans Monument from disclosing health data for advertising, requires affirmative consent for other sharing, imposes a $2.5 million suspended fine, and mandates data deletion, consumer notification, and a privacy program.
$2.5M
Strive Holdco, LLC (Healthcare Provider, TX) reported a HIPAA breach affecting 51,477 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
The FTC finalized an order against 1Health.io for failing to secure genetic data and unfairly changing its privacy policy. The company must pay $75,000 for consumer refunds, destroy DNA samples, and implement security measures. It deceived consumers about data deletion and shared data without proper consent.
$75K
The FTC and HHS sent warning letters to approximately 130 hospital systems and telehealth providers about the privacy and security risks of using online tracking technologies, such as Meta/Facebook pixel and Google Analytics, which may impermissibly disclose sensitive health information to third parties. The agencies emphasized that such disclosures could violate HIPAA for covered entities and the FTC Act for others, citing recent enforcement actions against companies like BetterHelp and GoodRx.
BetterHelp agreed to pay $7.8 million to settle FTC allegations that it used and shared consumers' health data for advertising without consent. The online therapy provider is banned from such practices and must provide refunds to approximately 800,000 affected consumers.
$7.8M
The FTC charged Easy Healthcare Corporation, operator of the Premom fertility app, with deceiving users by sharing their sensitive health data with third parties for advertising without consent and failing to notify breaches as required by the Health Breach Notification Rule. Under a proposed consent decree, the company will pay a $100,000 civil penalty, be barred from sharing health data for advertising, and must implement privacy and security measures.
$100K
Connecticut, Oregon, and the District of Columbia reached a $100,000 settlement with Easy Healthcare Corporation, the operator of the Premom ovulation tracking app, for sharing sensitive user health and location data with third parties without appropriate disclosures or user consent. The settlement requires the company to implement comprehensive privacy and security programs, obtain consent before sharing health or location data, and provide users with a method to delete their personal information.
$100K
The FTC proposed a consent order against BetterHelp for sharing consumers' sensitive mental health data with third parties like Facebook for targeted advertising without proper consent. BetterHelp must pay $7.8 million in refunds and is banned from such data sharing, with requirements for consent and privacy programs.
$7.8M
The FTC settled with Flo Health, Inc., developer of a popular fertility-tracking app, alleging it misled users by sharing sensitive health data with third-party analytics providers like Facebook and Google after promising to keep such data private. The proposed consent order requires Flo to obtain user consent before sharing health data, notify affected users, and destroy previously shared data, among other requirements.
All data sourced from official government enforcement pages.