States Privacy News

HIPAA Events


Events Webinars Training

$3.5 million - Fresenius Medical Care North America

In early 2013, the entity filed multiple breach reports for various incidents. OCR launched an investigation and among the many list of violations found, probably the most important was the entity's failure to conduct a risk analysis as required by HIPAA. | Read the Press Release

$2.3 million - 21st Century Oncology

Twice in 2015, the FBI gave notice to the entitiy that it's PHI had been illegally obtained. The FBI was able to produce to the entity patient records purchased by an informant. The investigation OCR launched showed that the entity

  • did not conduct an accurate and thorough assessment
  • did not implement security measures in an effort to reduce it's risks and vulnerabilities;
  • did not implement procedures to regularly review logs of computing system activity;
  • and additionally disclosed PHI to vendors without a written BAA.

Read the Press Release

$387k - St. Luke’s-Roosevelt Hospital Center

OCR launched an investigation based on a complaint that a workforce member faxed a patients PHI to the patient's employer incorrectly. | Read the Press Release

$2.4 million - Memorial Hermann Health System

OCR started and investigation of the entity based on various news reporting suggesting that the entity disclosed a patient’s PHI without obtaining an authorization. | Read the Press Release

$2.5 million - CardioNet

The covered entity self-reported as required to OCR that a computing device had been stolen from a workforce member's car. The device contained ePHI. The investigation found that the entity did not have adequate risk analysis and risk management processes in place when the incident occurred. Among other violations, the audit found that HIPAA policies and procedures were still in draft form. | Read the Press Release