1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.
1,285
Total Actions
14
Jurisdictions
$35.3B+
Total Fines Tracked
EngageMED, Inc (Business Associate, AR) reported a HIPAA breach affecting 249,297 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Excelsior Orthopaedics, LLC (Healthcare Provider, NY) reported a HIPAA breach affecting 292,913 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
VeriSource Services, Inc. (Business Associate, TX) reported a HIPAA breach affecting 112,726 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Kerber, Eck & Braeckel LLP (Business Associate, IL) reported a HIPAA breach affecting 134,918 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Specialty Networks, Inc. (Business Associate, TN) reported a HIPAA breach affecting 411,037 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Connecticut Attorney General William Tong, along with New York and New Jersey attorneys general, secured a $4.5 million settlement from Enzo Biochem, Inc. for failing to protect patient health data, resulting in a ransomware attack that compromised 2.4 million patients' information. Enzo must pay the fine and implement enhanced cybersecurity measures including multi-factor authentication and annual risk assessments.
$4.5M
Enzo Biochem, Inc. agreed to pay $4.5 million and strengthen its cybersecurity practices to settle allegations that deficient data security led to a ransomware attack exposing the health data of 2.4 million patients. The multistate enforcement action was led by New Jersey with New York and Connecticut.
$4.5M
New York Attorney General Letitia James, along with the Attorneys General of Connecticut and New Jersey, settled with Enzo Biochem, Inc. for $4.5 million over a 2023 ransomware attack that exposed health and personal data of 2.4 million patients, including 1.4 million New York residents. The investigation found Enzo had inadequate data security practices, including shared employee login credentials, lack of multi-factor authentication, no suspicious activity monitoring, and unencrypted personal information. As part of the settlement, Enzo will pay the penalty and implement enhanced cybersecurity measures including MFA, encryption, risk assessments, and an incident response plan.
$4.5M
Alabama Cardiovascular Group (Healthcare Provider, AL) reported a HIPAA breach affecting 280,534 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Deer Oaks Behavioral Health (Healthcare Provider, TX) reported a HIPAA breach affecting 171,871 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Delta County Memorial Hospital District (Delta Health) (Healthcare Provider, CO) reported a HIPAA breach affecting 148,363 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
United of Omaha Life Insurance Company (Health Plan, NE) reported a HIPAA breach affecting 107,894 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
The FTC settled with NGL for deceptively marketing its anonymous messaging app to children and teens, using fake messages to trick users into paid subscriptions without proper consent. The order banned marketing to users under 18 and required $4.5 million in refunds for unauthorized charges.
$4.5M
Blackbaud, a software company, suffered a data breach in 2020 due to inadequate security measures and made misleading statements about the breach and its security practices. California Attorney General Rob Bonta secured a $6.75 million settlement requiring Blackbaud to pay penalties and implement enhanced data security and breach notification protocols.
$6.8M
Signature Performance, Inc. (Business Associate, NE) reported a HIPAA breach affecting 130,228 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Panorama Eyecare (Healthcare Provider, CO) reported a HIPAA breach affecting 377,911 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
AmerisourceBergen Specialty Group, LLC (Healthcare Provider, PA) reported a HIPAA breach affecting 252,214 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Tri-City Healthcare District (Healthcare Provider, CA) reported a HIPAA breach affecting 108,149 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Connecticut Attorney General William Tong filed a lawsuit against Altice for charging unlawful 'Network Enhancement Fees' and failing to adequately disclose internet speed limits. The complaint seeks to stop the fees, recover millions for consumers, and address deceptive marketing practices including language barriers.
Watson Clinic (Healthcare Provider, FL) reported a HIPAA breach affecting 280,278 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Medical Express Ambulance Inc. D/B/A Medex Ambulance (Healthcare Provider, IL) reported a HIPAA breach affecting 121,190 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
United Seating and Mobility, L.L.C., d/b/a Numotion (Healthcare Provider, TN) reported a HIPAA breach affecting 602,265 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Kootenai Health (Healthcare Provider, ID) reported a HIPAA breach affecting 464,088 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
NorthBay Healthcare Corporation (Healthcare Provider, CA) reported a HIPAA breach affecting 569,012 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
The FTC settled with telehealth firm Cerebral, Inc. for sharing sensitive consumer mental health data with third parties like LinkedIn, Snapchat, and TikTok for advertising without proper consent, employing sloppy security practices, and misleading consumers about cancellation policies. Cerebral must pay over $7 million (with $2 million due upfront), is permanently banned from using health information for most advertising, must implement a comprehensive privacy program, delete unnecessary data, and provide easy cancellation.
$7.0M
Monument, Inc., an alcohol addiction treatment firm, shared consumers' health data with third-party advertising platforms like Meta and Google without consent, despite promising confidentiality. The FTC settled with a consent order that bans Monument from disclosing health data for advertising, requires affirmative consent for other sharing, imposes a $2.5 million suspended fine, and mandates data deletion, consumer notification, and a privacy program.
$2.5M
Delta Health System (Healthcare Provider, MS) reported a HIPAA breach affecting 216,532 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
The FTC settled charges that Rite Aid deployed AI facial recognition technology in hundreds of stores from 2012 to 2020 without reasonable safeguards, resulting in false-positive matches that disproportionately harmed women and people of color. The proposed order bans Rite Aid from using facial recognition for surveillance for five years and requires comprehensive biometric data safeguards, data deletion, consumer notifications, and a certified security program.
Morgan Stanley failed to properly decommission computer devices containing unencrypted customer data, leading to the sale of devices with personal information at auction and missing servers with potential data. A multistate coalition secured a $6.5 million settlement requiring Morgan Stanley to implement enhanced data security measures.
$6.5M
New Jersey Attorney General Matthew Platkin announced a multistate settlement where Morgan Stanley will pay $1.27 million to NJ over data security incidents that compromised personal information of over 755,000 NJ residents and millions nationwide. The incidents involved improper decommissioning of devices and a software flaw, leading to unauthorized access. The settlement requires Morgan Stanley to strengthen its data security and disposal procedures.
$1.3M
All data sourced from official government enforcement pages.