Court Rules

Privacy Enforcement Tracker

1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.

Total Actions: 1,285

Jurisdictions: 14

Total Fines Tracked: $35.3B+

Access this data programmatically: MCP Server | API Docs

HHS | Enforcement Action

Delta County Memorial Hospital District (Delta Health)

Delta County Memorial Hospital District (Delta Health) (Healthcare Provider, CO) reported a HIPAA breach affecting 148,363 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure

HHS | Enforcement Action

United of Omaha Life Insurance Company

United of Omaha Life Insurance Company (Health Plan, NE) reported a HIPAA breach affecting 107,894 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.

High | Data Breach | Health Data | Security Failure

HHS | Enforcement Action

Signature Performance, Inc.

Signature Performance, Inc. (Business Associate, NE) reported a HIPAA breach affecting 130,228 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure

HHS | Enforcement Action

Panorama Eyecare

Panorama Eyecare (Healthcare Provider, CO) reported a HIPAA breach affecting 377,911 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure

HHS | Enforcement Action

AmerisourceBergen Specialty Group, LLC

AmerisourceBergen Specialty Group, LLC (Healthcare Provider, PA) reported a HIPAA breach affecting 252,214 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure

HHS | Enforcement Action

Tri-City Healthcare District

Tri-City Healthcare District (Healthcare Provider, CA) reported a HIPAA breach affecting 108,149 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure

HHS | Enforcement Action

Watson Clinic

Watson Clinic (Healthcare Provider, FL) reported a HIPAA breach affecting 280,278 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure

HHS | Enforcement Action

Medical Express Ambulance Inc. D/B/A Medex Ambulance

Medical Express Ambulance Inc. D/B/A Medex Ambulance (Healthcare Provider, IL) reported a HIPAA breach affecting 121,190 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure

HHS | Enforcement Action

United Seating and Mobility, L.L.C., d/b/a Numotion

United Seating and Mobility, L.L.C., d/b/a Numotion (Healthcare Provider, TN) reported a HIPAA breach affecting 602,265 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure

HHS | Enforcement Action

Kootenai Health

Kootenai Health (Healthcare Provider, ID) reported a HIPAA breach affecting 464,088 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure

HHS | Enforcement Action

NorthBay Healthcare Corporation

NorthBay Healthcare Corporation (Healthcare Provider, CA) reported a HIPAA breach affecting 569,012 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure

FTC | Settlement

Cerebral, Inc. (Cerebral)

The FTC settled with telehealth firm Cerebral, Inc. for sharing sensitive consumer mental health data with third parties like LinkedIn, Snapchat, and TikTok for advertising without proper consent, employing sloppy security practices, and misleading consumers about cancellation policies. Cerebral must pay over $7 million (with $2 million due upfront), is permanently banned from using health information for most advertising, must implement a comprehensive privacy program, delete unnecessary data, and provide easy cancellation.

High | Unauthorized Data Sharing | Security Failure | Notice Failure

$7.0M

FTC | Consent Decree

Monument, Inc. (Monument)

Monument, Inc., an alcohol addiction treatment firm, shared consumers' health data with third-party advertising platforms like Meta and Google without consent, despite promising confidentiality. The FTC settled with a consent order that bans Monument from disclosing health data for advertising, requires affirmative consent for other sharing, imposes a $2.5 million suspended fine, and mandates data deletion, consumer notification, and a privacy program.

High | Health Data | Consent Failure | Unauthorized Data Sharing

$2.5M

HHS | Enforcement Action

Delta Health System

Delta Health System (Healthcare Provider, MS) reported a HIPAA breach affecting 216,532 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure

FTC | Settlement

BetterHelp

BetterHelp agreed to pay $7.8 million to settle FTC allegations that it used and shared consumers' health data for advertising without consent. The online therapy provider is banned from such practices and must provide refunds to approximately 800,000 affected consumers.

High | Health Data | Consent Failure | Unauthorized Data Sharing

$7.8M

NJ | Settlement | Multistate

EyeMed Vision Care

EyeMed Vision Care suffered a data breach in June 2020 due to poor security practices, including shared passwords, exposing personal and medical information of approximately 2.1 million individuals. The multistate settlement imposes a $2.5 million penalty and requires EyeMed to implement enhanced security measures and comply with privacy laws.

High | Data Breach | Security Failure | Health Data

$2.5M

FTC | Consent Decree

BetterHelp, Inc. (BetterHelp)

The FTC proposed a consent order against BetterHelp for sharing consumers' sensitive mental health data with third parties like Facebook for targeted advertising without proper consent. BetterHelp must pay $7.8 million in refunds and is banned from such data sharing, with requirements for consent and privacy programs.

High | Health Data | Consent Failure | Unauthorized Data Sharing

$7.8M

FTC | Settlement

GoodRx Holdings Inc. (GoodRx)

The FTC settled with GoodRx for sharing consumers' sensitive prescription and health information with Facebook, Google, and other third parties for advertising without consent, and for failing to report these unauthorized disclosures as required by the Health Breach Notification Rule. GoodRx will pay a $1.5 million civil penalty and is permanently barred from sharing user health data for advertising.

High | Consent Failure | Health Data | Notice Failure

$1.5M

NJ | Settlement | Multistate

Carnival Cruise Line (Carnival)

New Jersey, as part of a multistate coalition, settled with Carnival Cruise Line over a 2019 data breach that compromised personal information of approximately 180,000 employees and customers nationwide. The breach resulted from deficiencies in Carnival's data security program and delayed breach notification. Carnival will pay $1.25 million and implement enhanced email security and breach response measures.

High | Data Breach | Security Failure | Breach Notification Delay

$1.3M

NJ | Settlement | Multistate

CHS/Community Health Systems, Inc. (Community Health Systems)

The New Jersey Attorney General settled with Community Health Systems, Inc. over a 2014 data breach affecting 6.1 million patients, including over 45,000 New Jersey residents. CHS will pay $5 million to 28 states and implement enhanced data security measures to protect personal and health information.

High | Security Failure | Data Breach | Health Data

$5.0M

CA | Settlement | Multistate

Anthem, Inc. (Anthem)

Anthem, Inc. settled with California for $8.69 million over a 2014 data breach that exposed personal information of 78 million consumers, including 13.5 million Californians. The breach resulted from security deficiencies, and the settlement includes injunctive relief to improve information security practices. This action was part of a parallel multistate settlement.

High | Data Breach | Security Failure | Health Data

$8.7M

CA | Settlement | Multistate

Premera Blue Cross (Premera)

Premera Blue Cross suffered a data breach in 2014 that exposed personal and medical information of 10.5 million consumers. As part of a multistate settlement, Premera agreed to pay $10 million in civil penalties and implement security improvements and a compliance program. California will receive over $1 million from the settlement.

High | Data Breach | Health Data | Security Failure

$10.0M

NJ | Settlement

Virtua Medical Group, P.A. (Virtua Medical Group)

Virtua Medical Group agreed to pay $417,816 and implement a corrective action plan to settle allegations that it failed to properly secure electronic protected health information (ePHI). A vendor's server misconfiguration publicly exposed the medical records of over 1,650 patients via Google searches. The New Jersey Division of Consumer Affairs found VMG violated HIPAA's Security and Privacy Rules by not adequately vetting the vendor's security and failing to conduct proper risk analysis.

High | Health Data | Security Failure | Breach Notification Delay

$418K

CA | Settlement

Cottage Health System

Cottage Health System experienced two data breaches exposing medical information of over 50,000 patients due to inadequate security measures. The settlement requires a $2 million penalty and upgrades to security practices, including designating a Chief Privacy Officer.

High | Health Data | Security Failure

$2.0M
