10 HIPAA Violation Examples & How to Avoid Them

The good news regarding HIPAA violations: The number of large healthcare data breaches reported to the U.S. Department of Health and Human Services (HHS) reached a five-year low in 2025. The bad news: That low nonetheless totaled 710 breaches, with each affecting at least 500 individuals, according to The HIPAA Journal.

What’s more, the figure does not include breaches affecting fewer than 500 people, nor other types of HIPAA violations. In all, more than 61.5 million individuals, or 18% of all Americans, had their protected health information (PHI) exposed or disclosed without their permission in 2025.

Effects of HIPAA Infringements on Patients

  • Failure to provide them with requested medical records in a timely manner can delay important treatment.
  • Malicious actors can use their private information for myriad types of identity theft, from opening fake credit accounts to insurance fraud, all of which can cost victims money and time.
  • Improper disclosure of health conditions can make patients vulnerable to bullying, stigma, and even domestic violence.
  • Because patients are likely to mistrust medical professionals in the wake of a HIPAA breach, they might avoid seeking vital healthcare going forward.

Medical professionals also suffer in the aftermath of HIPAA violations. Providers and organizations face civil and criminal penalties, with fines that can reach millions of dollars and, in criminal cases, prison terms. They can also lose hospital privileges, the ability to participate in Medicare and Medicaid, and sometimes their licenses.

Fortunately, a strong HIPAA compliance program drastically reduces a practitioner’s chances of running afoul of the law. Below, we look at common HIPAA violation examples, discuss how to avoid accidental violations, and more.

What Are HIPAA Violations?

The federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, through the rules HHS has issued under it, prohibits covered entities and their business associates from using or disclosing protected health information (PHI) without the patient’s authorization, except where a rule specifically permits it. HIPAA also requires healthcare providers to give patients access to their own health information and records upon request and in a timely manner.

What Is Considered Protected Health Information?

Three broad types of data are considered PHI:

  • Medical and clinical data such as diagnoses, prescriptions, test results, and treatment plans.
  • Financial and billing data including payment information and insurance policy numbers.
  • Patient identifiers such as names, addresses, Social Security numbers, and fingerprints and other biometric identifiers.

Individually identifiable health information of these kinds, including details about a person’s health status, is protected by HIPAA’s Privacy Rule whether it appears in electronic, written, or verbal form. The subset created, stored, or transmitted electronically, known as electronic PHI (e-PHI), is also subject to the Security Rule, which requires technical safeguards such as access controls, encryption, and audit logging.

What Is a Covered Entity?

A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that creates, receives, maintains, or transmits PHI and therefore must comply with HIPAA. Physicians, pharmacies, clinics, hospitals, rehab facilities, nursing homes, and HMOs are among the individuals and organizations considered covered entities. Not every employer is subject to HIPAA, however; an employer is covered only when it acts in a covered-entity role or handles its group health plan’s data.

They are not the only parties that must comply. Billing firms, medical transcriptionists, IT providers, and other vendors and consultants hired by a covered entity to handle PHI are business associates and must sign Business Associate Agreements (BAAs) committing them to follow the HIPAA rules.

When Is Disclosure of PHI Allowed?

HIPAA’s Privacy Rule allows PHI to be used and disclosed without the patient’s authorization for treatment, payment, and healthcare operations, as well as in certain “public interest and benefit” situations. For instance, disclosure may be permitted or required to comply with workers’ compensation laws, to report abuse, neglect, or domestic violence to the appropriate authorities, to report exposure to certain communicable diseases, and to respond to a court order or, under certain conditions, a subpoena. In such cases only the minimum necessary information should be shared (the minimum necessary standard does not apply to disclosures for treatment), and disclosures to family members still require the patient’s authorization or another HIPAA permission.

Categories of HIPAA Violations

Large-scale cyberattacks, such as the 2018 breach at Warby Parker for which the eyewear brand was fined $1.5 million in 2025, are perhaps the best-known examples of HIPAA violations. But infringements fall into three categories.

Administrative Violations 

Administrative violations involve a failure to meet procedural requirements and maintain required documentation, often reflecting gaps in a compliance program. Storing PHI on unencrypted devices, inadequate employee training, failure to conduct a comprehensive risk analysis, failure to implement adequate safeguards, and sharing patient data with vendors that have not signed BAAs are just a few examples.

The HHS Office for Civil Rights (OCR) typically investigates these infringements, though the Centers for Medicare & Medicaid Services may become involved where applicable. Violators typically are not fined but instead must implement a corrective action plan and demonstrate compliance going forward through updated policies, audits, and training.

Civil Violations 

Civil violations are disclosures of PHI due to negligence, indifference, simple human error, or other unintentional lapses; in HIPAA terms, each is an impermissible disclosure. Examples of unintentional violations treated as civil infringements include emailing sensitive patient information to the wrong recipient, discussing a patient by name in a crowded waiting room, and discarding patient notes in a recycling bin without first shredding them or otherwise making them unreadable.

Civil violations often grow out of administrative violations. For instance, failing to train staff on compliant disposal of storage devices is an administrative violation; if untrained staff then reformat a hard drive containing PHI rather than overwriting or degaussing it, the result is a civil violation.

OCR usually investigates these violations and can impose civil penalties. The fines, adjusted annually for inflation, vary with the severity of the violation.

  • Tier 1: The noncompliant party did not know of the violation and could not reasonably have known. Penalty as of 2026 is $145–$73,011 per violation, not to exceed $2,190,294 per year.
  • Tier 2: The noncompliant party knew or should have known about the violation (reasonable cause) but was not willfully neglectful. Penalty as of 2026 is $1,461–$73,011 per violation, not to exceed $2,190,294 per year.
  • Tier 3: The noncompliant party showed willful neglect, meaning reckless or intentional disregard of HIPAA obligations, but corrected the violation within 30 days of discovery. Penalty as of 2026 is $14,602–$73,011 per violation, not to exceed $2,190,294 per year.
  • Tier 4: The noncompliant party showed willful neglect and made no effort to correct the violation within 30 days of discovery. Penalty as of 2026 is $73,011–$2,190,294 per violation, not to exceed $2,190,294 per year.

Criminal Violations 

Whereas civil violations are unintentional, criminal violations are committed knowingly. Malicious intent or personal gain, such as selling PHI to identity thieves, is often but not always the motive; a healthcare employee who looks up records for personal gain can face criminal liability, though such cases are less common than civil or administrative offenses.

The Department of Justice, not HHS, prosecutes criminal violations, typically on referral from OCR. Criminal penalties fall into three tiers.

  • Tier 1: The guilty party knowingly and improperly obtained or disclosed individually identifiable health information. Penalty is a fine of up to $50,000 and up to one year in prison.
  • Tier 2: The guilty party obtained or disclosed PHI under false pretenses. Penalty is a fine of up to $100,000 and up to five years in prison.
  • Tier 3: The guilty party obtained or disclosed PHI with intent to sell or use it for commercial advantage, personal gain, or malicious harm. Penalty is a fine of up to $250,000 and up to 10 years in prison.

HIPAA-Related Litigation 

HIPAA gives patients no private right of action, so victims of violations cannot sue healthcare providers under HIPAA itself. In many jurisdictions, however, victims can use a reported HIPAA infringement to substantiate malpractice, negligence, and other state-law claims.

For instance, when suing a hospital for breach of duty, the plaintiff could claim that their emotional and financial distress resulted directly from the organization’s unauthorized disclosure of their medical history to their employer, with the HIPAA violation establishing negligence per se.

Whereas medical negligence, the failure to provide a reasonable standard of care under the circumstances, typically requires expert testimony to be proven, a HIPAA violation can be proof enough of negligence per se in some states. Similarly, if a hospital failed to provide requested medical records in a timely manner, resulting in damaging treatment delays, the plaintiff could cite that violation to prove breach of implied contract.

10 Real-Life HIPAA Violation Examples

HIPAA violations typically aren’t settled or ruled on until years after the breaches are first reported, because of the OCR investigations involved. Below are examples of intentional and accidental HIPAA violations that were recently reported or resolved; several involve multiple violations rather than a single lapse.

1. Assured Imaging Affiliated Covered Entities

The event: The health screening services provider discovered a ransomware attack on its medical record system in May 2020. The names, addresses, birthdates, medical histories, and other PHI of 244,813 patients were exposed.

The violations: OCR found no evidence that Assured Imaging had ever conducted a risk analysis, which the HIPAA Security Rule requires. Making matters worse, the provider failed to notify patients within 60 days of discovering the breach, as the Breach Notification Rule mandates.

The penalty: Assured Imaging agreed in 2026 to pay $375,000 to OCR, in addition to committing to a corrective action plan.

The takeaway: Conduct and document a thorough enterprise-wide security risk analysis at least once a year. In addition, have a breach notification procedure ready to run as soon as a breach is discovered; 60 days is the outer limit, not a target.

2. Concentra

The event: A patient requested an electronic copy of his medical and billing records in February 2018 but, despite five subsequent requests, did not receive the records until March 2019. What’s more, at one point the patient was asked to pay $82.57 to receive the information.

The violations: Concentra failed to meet the HIPAA Privacy Rule’s right of access provision, which requires a covered entity to provide requested records to a patient or personal representative within 30 days, with one 30-day extension possible. The provider also tried to charge more than the permitted “reasonable, cost-based fee.”

The penalty: Concentra settled with the OCR in 2025 and agreed to pay $112,500.

The takeaway: Establish a standardized system for patients to request records, including identity verification, and set standardized fees that cover only the actual cost of producing the records.

3. Montefiore Medical Center

The event: Over six months in 2013, an employee of the nonprofit hospital system stole the e-PHI of 12,517 patients and sold it to an identity theft ring. The theft was not discovered until 2015.

The violations: OCR found Montefiore failed to identify and analyze potential security risks, to monitor its information systems and conduct routine audits, and to implement policies and procedures that would safeguard the systems. 

The penalty: In a 2024 settlement, Montefiore agreed to pay OCR $4.75 million, implement a corrective action plan, and be monitored by OCR for two years to ensure compliance.

The takeaway: Risk analysis and system audits are neither optional nor one-time events. Routine monitoring of who was accessing records would have revealed the theft much sooner and likely reduced the number of patients affected.

4. Gulf Coast Pain Consultants

The event: Although the provider of pain management services stopped working with a particular independent business consultant in August 2018, that contractor nonetheless accessed e-PHI of approximately 34,310 individuals between September 2018 and February 2019, resulting in roughly 6,500 false Medicare claims.

The violations: Gulf Coast Pain failed to implement the appropriate termination procedures that would have eliminated the contractor’s access to its database as soon as the parties stopped working together. And not only did the company fail to implement procedures for establishing, documenting, reviewing, and modifying user access to data, but it also neglected to regularly monitor its information systems, which could have resulted in the breach being found earlier.

The penalty: In 2024, OCR imposed a $1.19 million civil monetary penalty against Gulf Coast Pain.

The takeaway: Organizations need to implement and enforce rules regarding who has access to PHI, and they need a procedure that removes access the moment an individual stops working for or with the organization.

5. Children’s Hospital Colorado

The event: Because multi-factor authentication (MFA) had been disabled on an email account, a 2017 phishing attack compromised the PHI of 3,370 individuals. In a second incident three years later, three student nurses approved MFA push requests they had not initiated; their email accounts were breached, affecting the data of 10,840 patients.

The violations: HIPAA’s Security Rule requires MFA on all user accounts with access to e-PHI. In addition, HHS found that the nonprofit hospital system had failed to train its workforce on HIPAA policies, including how to handle MFA requests, and had not conducted a compliant risk analysis. Staff trained to treat an MFA prompt they did not trigger as a sign of attack would have rejected the requests instead of approving them.

The penalty: Children’s Hospital Colorado was fined $548,265 in 2024.

The takeaway: Workforce training on HIPAA policies and procedures is required and should be ongoing. MFA is mandatory as well, and staff must understand that an unexpected MFA prompt means someone else has their password.

6. Cadia Healthcare Facilities

The event: On its websites, the nursing home chain posted “success stories,” complete with the names, photos, and medical information of 150 clients, without obtaining their written consent.

The violations: In addition to impermissibly disclosing PHI, Cadia failed to have appropriate safeguards in place to protect patient data. It also neglected to notify the affected clients of the privacy infringement.

The penalty: In 2025, Cadia agreed to pay OCR $182,000, implement a corrective action plan, and be monitored by OCR for two years to ensure compliance.

The takeaway: HIPAA privacy regulations apply to social media and other marketing efforts. For that reason, even team members who don’t work directly with clients or on the clinical side need training on HIPAA policies.

7. Solara Medical Supplies

The event: Following a 2019 phishing attack, the distributor of diabetes supplies sent breach-notification letters to the 114,007 individuals potentially affected. However, 1,531 of those letters, which included demographic information, were sent to the wrong individuals.

The violations: OCR determined that the letters mailed to the wrong addresses impermissibly disclosed PHI. In addition, it concluded that Solara did not provide timely notification of the original breach or the subsequent incorrect mailing, nor had it conducted an adequate risk assessment or implemented appropriate safeguards that could have protected the e-PHI in the first place.

The penalty: Solara settled the case in 2024 by agreeing to pay OCR $3 million, implement a corrective action plan, and be monitored by OCR for two years to ensure compliance. The company also settled a class-action lawsuit over the data breach for $9.76 million.

The takeaway: Cybersecurity risk assessments must be standard operating procedure, and patient contact information should be confirmed and updated regularly, especially before a mass mailing that itself contains PHI.

8. New England Dermatology P.C.

The event: For a decade, beginning in 2011, the dermatology services provider tossed empty specimen containers in its parking lot dumpster. The container labels included the names, birthdates, and other PHI of 58,106 patients.

The violation: PHI was not disposed of in a way that renders it unreadable, indecipherable, and unable to be reconstructed, as the HIPAA Privacy Rule requires.

The penalty: OCR fined New England Dermatology $300,640 in 2022. The company also agreed to implement a corrective action plan and be monitored by OCR for two years.

The takeaway: How you delete PHI is just as important as how you protect it on your premises and in your information systems.

9. Raleigh Orthopaedic Clinic

The event: The clinic hired a third party to transfer images from the X-rays of 17,300 patients to electronic media without having the vendor sign a BAA; the X-rays included PHI.

The violation: By failing to execute a BAA before handing over the X-rays, Raleigh Orthopaedic Clinic disclosed PHI to a party not authorized to receive it.

The penalty: The clinic agreed to pay OCR $750,000 and to establish procedures governing business associates and BAA documentation, including disclosing only the minimum necessary PHI to vendors.

The takeaway: A Business Associate Agreement is not a nice-to-have but a must-have, and it must be kept on file for at least six years after the relationship ends.

10. Children’s Medical Center of Dallas

The event: Between 2010 and 2013, three devices issued by the hospital or synced to its information systems were lost by or stolen from employees. Together these incidents exposed the e-PHI of approximately 6,285 patients.

The violations: The devices and data were not encrypted or password-protected, and in one case the stolen laptop had been kept in an area of the hospital to which janitorial staff had unrestricted access. Children’s Medical Center had hired consultants to conduct risk assessments but did not act on their recommendations, which included encryption.

The penalty: Children’s Medical Center paid OCR $3.2 million in 2017 for failing to physically and electronically safeguard PHI.

The takeaway: A risk assessment does no good if you do not follow through on its recommendations. And alongside technical safeguards such as encryption and MFA, physical and administrative safeguards, including storing devices in restricted areas, are essential.

Best Practices for Avoiding Common HIPAA Violations

As the examples above show, most infringements result from failure to follow basic rules. While accidental HIPAA violations cannot be prevented entirely, the following best practices will reduce their likelihood.

Regularly Conduct Risk Assessments

The HHS Office of the National Coordinator for Health Information Technology (ONC) publishes downloadable Security Risk Assessment tools aimed at small and midsize organizations, and specialists can help covered entities of any size build assessment templates and conduct analyses. In a nutshell, an assessment consists of:

  1. Identifying all physical and virtual assets that create, receive, send, or store PHI.
  2. Determining all reasonable threats and vulnerabilities that could affect the confidentiality, integrity, or availability of PHI. 
  3. Scoring each threat and vulnerability based on the likelihood of occurrence and the potential harm.
  4. Reviewing all existing administrative, physical, and technical controls and documenting security gaps.
  5. Creating and implementing a step-by-step risk mitigation plan that includes contingency plans in the event of natural disasters, cyber attacks, power failures, and other threats.

OCR recommends conducting and thoroughly documenting a risk assessment at least once a year. The assessment should also be updated whenever new technology or software is implemented, in the wake of a security incident, and after mergers, acquisitions, newly onboarded vendors, or other operational or organizational changes.

Monitor & Update Access Controls

Access to PHI should follow the minimum necessary standard, which in security terms is the principle of least privilege. For instance, because hospital physicians generally don’t handle billing, they should not have access to patient billing information. The Security Rule requires organizations to assign a unique user ID to everyone with access to the electronic health record system, so that every action can be traced to one person, and to implement role-based access rules so that each individual is locked out of data they don’t need.

At the same time, “break glass” procedures must exist so that clinicians can override the controls in an emergency; every such override should require a recorded reason and be reviewed afterward. Multi-factor authentication must also be required for access.
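The following is an added example, not code from the original article or from any EHR vendor, showing how these controls fit together in one access-decision function: every request carries a unique user ID, the role grant encodes the minimum necessary data for the job, MFA must be satisfied before any grant applies, a terminated account is refused even when it claims an emergency (the gap in the Gulf Coast Pain Consultants case above), and break-glass access is allowed only for clinical data, only with a recorded reason, and is always written to an audit record for later review. The roles, resource classes, and account directory are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Resource is a class of PHI; real systems partition data more finely than this constructed pair.
type Resource string

const (
	Clinical Resource = "clinical" // diagnoses, results, treatment plans
	Billing  Resource = "billing"  // payment and insurance data
)

// grants maps each job role to the data it needs and nothing more (minimum necessary).
var grants = map[string]map[Resource]bool{
	"physician":  {Clinical: true},
	"consultant": {Billing: true},
}

// Account is one unique user ID; a shared login cannot be expressed here.
type Account struct {
	UserID     string
	Role       string
	MFAEnabled bool
	Terminated *time.Time // offboarding sets this the moment the person stops working for or with the organization
}

// Request is one attempt to read one patient's PHI.
type Request struct {
	UserID     string
	Resource   Resource
	PatientID  string
	MFAPassed  bool   // second factor verified for this session
	BreakGlass bool   // emergency override of the role grant
	Reason     string // mandatory for break-glass; reviewed afterwards
	At         time.Time
}

// AuditEvent is recorded for every decision, allowed or denied, so routine audits have something to find.
type AuditEvent struct {
	At         time.Time
	UserID     string
	Resource   Resource
	PatientID  string
	Allowed    bool
	BreakGlass bool
	Detail     string
}

// Decide applies the controls in order: known identity, not terminated, MFA, role grant, then break-glass.
func Decide(accounts map[string]Account, r Request) AuditEvent {
	ev := AuditEvent{At: r.At, UserID: r.UserID, Resource: r.Resource, PatientID: r.PatientID}
	acct, ok := accounts[r.UserID]
	if !ok {
		ev.Detail = "no such account"
		return ev
	}
	// Termination outranks break-glass: someone who no longer works here has no emergency need for PHI.
	if acct.Terminated != nil && !r.At.Before(*acct.Terminated) {
		ev.Detail = "account terminated " + acct.Terminated.Format(time.RFC3339)
		return ev
	}
	if !acct.MFAEnabled || !r.MFAPassed {
		ev.Detail = "MFA not satisfied"
		return ev
	}
	if grants[acct.Role][r.Resource] {
		ev.Allowed, ev.Detail = true, "within role grant"
		return ev
	}
	// Break-glass covers clinical data only, needs a recorded reason, and is always flagged for review.
	if r.BreakGlass && r.Resource == Clinical && r.Reason != "" {
		ev.Allowed, ev.BreakGlass, ev.Detail = true, true, "break-glass: "+r.Reason
		return ev
	}
	ev.Detail = "outside role grant"
	return ev
}

// NeedsReview picks out what a privacy officer must examine: every break-glass use and every denial.
func NeedsReview(log []AuditEvent) []AuditEvent {
	var out []AuditEvent
	for _, ev := range log {
		if ev.BreakGlass || !ev.Allowed {
			out = append(out, ev)
		}
	}
	return out
}

func main() {
	now := time.Date(2025, 3, 1, 9, 0, 0, 0, time.UTC)
	yesterday := now.Add(-24 * time.Hour) // constructed: the contract ended, and offboarding recorded it
	accounts := map[string]Account{"ext.ray": {UserID: "ext.ray", Role: "consultant", MFAEnabled: true, Terminated: &yesterday}}
	ev := Decide(accounts, Request{UserID: "ext.ray", Resource: Billing, PatientID: "p-1", MFAPassed: true, At: now})
	fmt.Printf("allowed=%v detail=%q\n", ev.Allowed, ev.Detail)
}
```

The ordering of the checks is the point: termination and MFA are evaluated before any grant, so neither a stale contractor account nor a phished password can reach PHI, and a break-glass override never bypasses them. In a real deployment the audit events would go to append-only storage that the people being audited cannot edit.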

Encrypt All e-PHI

This was mandated in 2025, with entities given until the end of that year to comply. Data stored in the cloud must be encrypted with keys the organization manages itself rather than keys that live beside the data, and data moving between cloud platforms and on-premises systems, or between devices, must travel over secure channels.
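As an added example (not the article’s own code and not tied to any particular cloud provider), the following Go program shows the envelope-encryption pattern that keeps key management separate from stored e-PHI: each record gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that only the key manager holds, and AES-256-GCM authenticates the patient ID together with the data so a ciphertext cannot be relabelled as another patient’s, truncated, or altered without detection. Discarding the wrapped DEK makes the record unrecoverable, which is how cryptographic erasure of e-PHI works on media that cannot be reliably overwritten. The KeyManager type is a stand-in for an HSM or cloud KMS, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what the database keeps for one patient: ciphertext plus the wrapped data key, never plaintext or a bare key.
type Record struct {
	PatientID  string
	WrappedDEK []byte // data-encryption key, encrypted under the KEK
	Ciphertext []byte // nonce || AES-256-GCM output
}

// KeyManager stands in for an HSM or KMS holding the key-encryption key; it only wraps and unwraps data keys.
type KeyManager struct{ kek []byte }

func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh nonce (prepended to the output) and authenticates aad, here the patient ID.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a flipped bit, wrong key, or wrong aad yields an error, never garbage plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed data too short (%d bytes)", len(sealed))
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt draws a one-time DEK for this record, encrypts the PHI with it, and keeps only the KEK-wrapped DEK.
func Encrypt(km *KeyManager, patientID string, phi []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, phi, []byte(patientID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(km.kek, dek, []byte(patientID))
	if err != nil {
		return Record{}, err
	}
	return Record{PatientID: patientID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK and then opens the record.
func Decrypt(km *KeyManager, rec Record) ([]byte, error) {
	dek, err := open(km.kek, rec.WrappedDEK, []byte(rec.PatientID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(rec.PatientID))
}

// CryptoShred discards the wrapped DEK; ciphertext lingering on disk, in backups, or at a cloud provider
// is then unrecoverable, even to the key manager.
func CryptoShred(rec *Record) {
	rec.WrappedDEK = nil
}

func main() {
	km, _ := NewKeyManager()
	rec, _ := Encrypt(km, "p-1001", []byte("DOB 1980-04-02; dx E11.9")) // constructed sample PHI
	phi, err := Decrypt(km, rec)
	fmt.Printf("decrypted %q (err=%v)\n", phi, err)
}
```

This covers data at rest only; records moving between systems or devices still need TLS or an equivalent authenticated channel. Binding the patient ID as associated data is what stops an attacker with database write access from swapping one patient’s encrypted record into another patient’s row.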

Disclose Only the Minimum Necessary Standard of PHI

When disclosure of PHI is permitted, an organization or individual should release only the minimum data needed for the particular purpose so unauthorized individuals do not receive more information than necessary.

Create a System for Requesting and Fulfilling Patient Information Requests

Providers have 30 days to respond to a request from a patient or the patient’s personal representative for access to medical and billing records. One 30-day extension is allowed, but the requester must be told of the extension, and the reason for it, within the first 30 days. Providers may charge only a reasonable, cost-based fee for providing the records.

To help ensure compliance, set up a secure patient portal or digital intake form, with identity verification, to accept requests. The portal and forms should feed an automated workflow that alerts team members when a request arrives and when it is due. Records should be sent only through encrypted email, the secure portal, or certified mail.

Execute BAAs

Contractors, vendors, and other third parties must sign a business associate agreement before being permitted to receive, create, maintain, or transmit PHI. Should the third party in turn contract out services involving PHI, the subcontractor must sign a BAA as well. The BAA must address, among other things, permitted uses of the PHI, safeguards against unauthorized use or disclosure, and what happens to the PHI when the third party’s services end. HHS publishes sample BAA provisions for reference.

Report Violations in a Timely Fashion

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its privacy or security, and it triggers notification duties: a covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach. (Some states set shorter deadlines.) Breaches affecting 500 or more individuals must also be reported to HHS within 60 days of discovery; breaches affecting fewer than 500 must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

For breaches affecting more than 500 residents of a single state or jurisdiction, prominent media outlets serving that area must be notified within 60 days as well. Keeping patient contact information current in the electronic health record system and having a notification protocol ready will simplify the process.

Properly Dispose of PHI & Devices That Handled PHI 

Disposed PHI must be unreadable, indecipherable, and impossible to reconstruct. Cross-cut or micro shredding, incineration, and pulverizing are among the acceptable methods of disposal of physical records.

For e-PHI, deleting files is not enough: the underlying media must be cleared, overwritten, or degaussed. Overwriting and degaussing work for magnetic media; solid-state drives and flash memory cannot be reliably overwritten and should instead be cryptographically erased or physically destroyed. Devices and any other equipment that held PHI, including copiers and printers with internal storage, must be wiped or physically destroyed, and the destruction must be documented.

Conduct Regular Training Sessions

Onboarding of new employees needs to include HIPAA training on PHI policies, typically within 90 days of hiring. Give annual refresher courses to all employees with access to patient data, emphasizing their patient confidentiality and privacy responsibilities, and update training whenever policies, electronic health record systems, or HIPAA regulations change. Keep records of the curriculum and attendance, and supplement training with easily accessible guides to regulations and protocols.

FAQ

What Counts As a HIPAA Violation? 

A HIPAA violation is the failure of a covered entity or business associate to safeguard protected health information or otherwise comply with the HIPAA rules, most visibly an impermissible disclosure of individually identifiable health information. Failing to provide a patient’s requested medical information in a timely manner also counts as a violation.

What Is an OCR Audit?

An OCR audit is a review by the HHS Office for Civil Rights, the HHS arm that enforces HIPAA, of how a healthcare organization safeguards patients’ protected health information. Desk audits are periodic evaluations of selected organizations; investigative audits are more thorough reviews triggered by reported breaches or patient complaints.

Are HIPAA Violations Reported to the NPDB? 

Most HIPAA violations are not reported to the National Practitioner Data Bank (NPDB), the web-based archive of reports concerning medical malpractice payments and adverse actions among healthcare providers, practitioners, and suppliers. Violations that result in criminal convictions or civil judgments in federal or state court, however, must be reported.

Can Physicians Be Sued for HIPAA Violations? 

Physicians and other healthcare providers cannot be sued under HIPAA itself. In some jurisdictions, however, plaintiffs who suffered harm can cite a HIPAA violation as proof of negligence per se, breach of confidentiality, breach of duty, or other claims.

Get Peace of Mind With Indigo

HIPAA violations can cost healthcare providers and organizations significant fines, hospital privileges, the ability to participate in Medicare and Medicaid programs, and patient trust. In some jurisdictions, they can also be used to substantiate claims in lawsuits.

Committing to privacy and security protocols, regular training sessions, and solid documentation can prevent the majority of violations. But should your practice nonetheless be flagged for a HIPAA infringement, and should that infringement be cited in a lawsuit, our medical malpractice coverage can help provide the support you need.

Contact Indigo today!

Image by horillaz from iStock.

Disclaimer: This article is provided for informational purposes only. This article is not intended to provide, and should not be relied on for, legal advice. Consult your legal counsel for advice with respect to any particular legal matter referenced in this article and otherwise.
