HIPAA Enforcement

Real privacy violations.
Real consequences.

Over $3.5 billion in penalties and costs for healthcare data breaches that exposed 320+ million Americans. Learn from the cases — and what you can do to protect your own information.

$3.5B+

Total Penalties & Costs

320M+

Individuals Affected

$16M

Largest HIPAA Penalty

Cyberattacks

Most Common Cause

Got a breach notification letter? Visit our breach tracker for incident-specific breakdowns of what was stolen, what your provider's response covers, and concrete steps to protect yourself.

Why this matters: These cases show what robust privacy protections prevent — and what happens when they fail. Each violation teaches a lesson about safeguarding health information.

Critical Impact Healthcare Technology • 2025

5.4 million

Individuals affected

OCR investigation ongoing; class actions filed

Total cost

EpiSource (Optum / UnitedHealth subsidiary)

Ransomware actor maintained network access for 10 days, exfiltrating patient files for ~5.4 million individuals

EpiSource — a medical-coding subsidiary in the UnitedHealth Group portfolio — disclosed in 2025 that a ransomware group had access to its network from January 27 through February 6, 2025. The attacker accessed files containing names, addresses, dates of birth, Social Security numbers, member IDs, and diagnosis and treatment details for approximately 5,418,866 individuals. Notification letters began in mid-2025; the OCR Breach Portal listing remains in active investigation. The breach lands inside the same parent organization as the 2024 Change Healthcare incident, intensifying scrutiny of UHG vendor security posture across the federation.

What went wrong

  • Insufficient identity-management controls on remote access (post-Change Healthcare lesson not propagated)
  • 10-day attacker dwell time before detection — long enough for full data exfiltration
  • Patient sensitive identifiers (SSN, DOB, diagnoses) stored in attacker-accessible layer
  • Notification timeline approached the HIPAA Breach Notification Rule outer limit

Key lessons

  • A single parent organization's lessons must propagate across all subsidiaries
  • Identity-management gaps remain the primary lateral-movement vector
  • Pre-staged forensic readiness shortens dwell-time discovery windows
  • Segment subsidiaries' data stores from each other for blast-radius containment
High Impact Healthcare Provider • 2025

2.69 million

Individuals affected

OCR investigation ongoing; multiple class actions filed

Total cost

DaVita (Dialysis Provider)

Ransomware operators accessed a laboratory database containing PHI of 2.69 million dialysis patients

In April 2025, ransomware actors accessed a DaVita laboratory database containing protected health information of 2,689,826 individuals. DaVita operates more than 2,600 dialysis centers across the United States; the exposed data included names, addresses, dates of birth, Social Security numbers, medical record numbers, and treatment and laboratory information specific to chronic kidney disease care. Operations were temporarily disrupted; notification began in June 2025. The breach is notable for the specificity of the exposed clinical data — kidney-disease patients carry a particularly stigmatized and commercially valuable health profile in the data-broker market.

What went wrong

  • Laboratory database segregated from EHR but inadequately monitored
  • Detection lag while attacker exfiltrated multi-year clinical records
  • Insufficient encryption of clinical data at rest in lab systems
  • Vendor-network defenses below standard for chronic-care providers

Key lessons

  • Ancillary clinical systems (lab, imaging, pharmacy) require the same posture as the EHR
  • Chronic-disease patient data is uniquely commercially valuable — and uniquely sensitive to leak
  • Pre-staged communications matter for multi-week care-coordination disruption
  • OCR will examine vendor BAAs for centers with shared back-office infrastructure
Medium Impact Healthcare Provider • 2025

501+ (interim)

Individuals affected

OCR investigation pending; multiple class-action investigations launched

Total cost

Newport Harbor Pathology Medical Group

Unauthorized network access for 34 days exposed SSNs, diagnoses, and pathology results of 501+ patients

Newport Harbor Pathology Medical Group — a Newport Beach, California pathology practice also operating as Orange County Medical Group Pathology, Mission Laguna Pathology Medical Group, and Barr Dermatopathology — detected unauthorized access to its network on November 11, 2024. A forensic investigation confirmed the attacker had access from October 8 through November 11, 2024. Exposed data included names, dates of birth, addresses, Social Security numbers, driver's license numbers, health insurance information, diagnoses, and pathology test results. The breach was reported to OCR on January 10, 2025, with an interim count of 501 individuals. The case is the highest-volume Newport Beach healthcare breach search-traffic driver in 2025–2026 and highlights how small-volume incidents at pathology and specialty practices can carry disproportionate identity-theft risk because of the combination of SSN + diagnosis exposure. <a href="/breaches/newport-harbor-pathology-2025" class="text-primary underline">Full breakdown →</a>

What went wrong

  • Network monitoring did not flag 34-day attacker dwell time
  • Sensitive identifiers (SSN, driver's license) co-located with clinical data
  • Multi-DBA structure complicated patient-notification mapping
  • Initial 501-individual filing widely expected to revise upward

Key lessons

  • Specialty practices need MDR/SOC coverage on par with hospital networks
  • SSNs and government IDs should not be stored alongside clinical results
  • Multi-DBA entities need consolidated incident-response playbooks
  • Initial OCR filings should expect upward revision post full review
Critical Impact Healthcare Technology • 2024
Change Healthcare (UnitedHealth Group) logo

192.7 million

Individuals affected

Costs exceeding $3.09 billion (still rising)

Total cost

Change Healthcare (UnitedHealth Group)

Largest healthcare data breach in U.S. history — 192.7 million individuals

HHS OCR cybersecurity incident FAQ

ALPHV/BlackCat ransomware operators accessed ~6TB of data via a Citrix portal that lacked multi-factor authentication, exfiltrating medical records, SSNs, insurance details, and active-duty military data. A $22 million ransom was paid; the gang executed an exit scam and kept the funds without deleting the data. CEO Andrew Witty testified to Congress that MFA was not enabled on the breached server. OCR investigation and a 78-case class-action MDL in the District of Minnesota remain ongoing.

What went wrong

  • Citrix remote-access portal without multi-factor authentication
  • Insufficient threat detection across business-associate systems
  • Identity-management gaps allowed enterprise-wide lateral movement
  • No tested recovery posture for sustained operational disruption

Key lessons

  • Enforce MFA on every remote-access surface — especially business associates
  • Treat business associates as critical infrastructure for the providers they serve
  • Pre-stage downtime procedures for multi-week clinical outages
  • Plan for the exit-scam scenario — paying ransom is not recovery
High Impact Health Plan • 2024
Kaiser Foundation Health Plan logo

13.4 million

Individuals affected

Up to $47.5 million class-action settlement

Total cost

Kaiser Foundation Health Plan

Marketing pixels and cookies on authenticated patient portals transmitted member health data to Google, Microsoft Bing, and X for years

HIPAA Journal report

Kaiser disclosed in October 2023 that tracking technologies on its websites and mobile apps had been transmitting member IP addresses, sign-in status, navigation patterns, and health-encyclopedia searches (symptoms, drugs, exercises) to third-party ad platforms. The disclosure was reported to OCR in May 2024 affecting up to 13.4 million members across nine states and DC — the largest confirmed pixel-tracking PHI disclosure in healthcare history. The class settlement covers members who used authenticated pages between November 2017 and May 2024.

What went wrong

  • Marketing pixels deployed on authenticated patient surfaces without privacy review
  • No HIPAA business associate agreements with ad-tech tracking partners
  • Sensitive health-search queries treated as ordinary analytics events
  • Multi-year detection lag despite OCR pixel guidance (Dec 2022)

Key lessons

  • Inventory every third-party tracker on patient-facing properties annually
  • Treat authenticated-page analytics as PHI by default
  • Require BAAs before any tracker, pixel, or SDK touches member data
  • Adopt server-side, privacy-preserving analytics for healthcare
High Impact Health Plan • 2015
Anthem Inc. (Elevance Health) logo

78.8 million

Individuals affected

$16M HHS + $115M class action + $39.5M state AG settlement (~$170M total)

Total cost

Anthem Inc. (Elevance Health)

Year-long phishing intrusion exposed PHI of 78.8 million members

HHS OCR resolution agreement

Beginning February 2014, attackers gained entry via phishing emails and maintained network access for nearly a year before a database administrator noticed credential misuse in January 2015. Exposed data included names, SSNs, birth dates, addresses, employment data, and health IDs. Anthem's $16M HHS settlement remains the largest HIPAA enforcement action on record; the case is the comparative anchor for every health-plan breach since.

What went wrong

  • Insufficient employee security training against phishing
  • Failure to encrypt sensitive personal data at rest
  • Inadequate network monitoring and intrusion detection
  • Deficient risk analysis and incident response planning

Key lessons

  • Robust phishing-defense training is the cheapest perimeter control
  • Encrypt all sensitive personal identifiers, not just clinical records
  • Deploy advanced threat detection with anomaly alerting
  • Conduct comprehensive risk assessments on a documented cadence
High Impact Healthcare Provider • 2024
Ascension Health logo

5.6 million

Individuals affected

Class actions pending; ~$1.1B FY2024 net loss tied in significant part to the attack

Total cost

Ascension Health

Black Basta ransomware encrypted EHR, medication ordering, and lab systems across 140 hospitals; PHI of 5.6 million exfiltrated

HIPAA Journal report

In May 2024 an Ascension employee downloaded a malicious file believed to be legitimate, giving Black Basta operators a foothold for enterprise-wide lateral movement. Nurses reverted to paper charting for weeks, ambulances were diverted, and attackers exfiltrated names, SSNs, medical records, insurance details, payment data, and government IDs. The final affected count of 5,599,699 individuals was reported to OCR in December 2024.

What went wrong

  • Single endpoint compromise enabled enterprise-wide lateral movement
  • Insufficient phishing and malicious-file controls on employee workstations
  • Inadequate segmentation between clinical and corporate networks
  • Backup posture forced weeks of manual paper-based operations

Key lessons

  • Treat one infected workstation as a network-wide breach risk
  • Segment clinical EHR systems from general corporate IT
  • Run regular paper-downtime drills so care continues during outages
  • Pair email/web filtering with continuous user-awareness training
High Impact Healthcare Provider • 2025
Yale New Haven Health System logo

5.5 million

Individuals affected

$18 million class-action settlement (preliminary approval)

Total cost

Yale New Haven Health System

Network intrusion exfiltrated PHI of 5.56 million patients — the largest healthcare breach of 2025

HIPAA Journal report

YNHHS identified suspicious activity on March 8, 2025, and reported the breach to OCR on April 11 affecting 5,556,702 individuals. While the EMR itself was not accessed, attackers exfiltrated names, addresses, phone, email, DOB, race/ethnicity, patient type, medical record numbers, and Social Security numbers. The consolidated class action settled in roughly seven months — class members can claim up to $5,000 for documented losses, ~$100 alternative cash payments, plus two years of medical-data monitoring.

What went wrong

  • Insufficient network monitoring delayed detection of exfiltration
  • PHI files stored outside the EMR remained reachable from compromised endpoints
  • Identity-governance gaps permitted lateral movement to data stores
  • SSNs co-located with clinical identifiers in exposed file shares

Key lessons

  • Detect-and-contain matters as much as prevention for large provider networks
  • Minimize SSN retention and segregate from clinical data
  • Inventory PHI outside the EMR — file shares are the real exposure
  • Pre-negotiate breach-response and notification vendors before an incident
High Impact Health App • 2024
23andMe, Inc. logo

6.4 million

Individuals affected

$30M initial settlement → $50M post-bankruptcy (final approval Jan 2026)

Total cost

23andMe, Inc.

Credential-stuffing attack against accounts without mandatory MFA exposed genetic ancestry and health-trait data for 6.4 million U.S. residents

Class settlement website

Disclosed October 2023, attackers reused passwords leaked from other breaches to access roughly 14,000 23andMe accounts directly, then leveraged the DNA Relatives feature to expose data on 6.4 million users. Stolen data was offered for sale targeting Ashkenazi Jewish and Chinese populations. 23andMe filed Chapter 11 in March 2025; assets sold to nonprofit TTAM Research Institute (led by co-founder Anne Wojcicki) for $305M in July 2025. The class settlement provides up to $10,000 per documented loss, $165 to health-data-affected users, and five years of identity-theft and genetic-anomaly monitoring.

What went wrong

  • MFA not required on accounts containing irrevocable genetic data
  • DNA Relatives feature amplified single-account compromise to millions
  • No anomaly detection for credential-stuffing login patterns
  • Bankruptcy left victims competing with creditors for recovery

Key lessons

  • Mandatory MFA is non-negotiable for genetic and health platforms
  • Social-graph features multiply the blast radius of one breached account
  • Genetic data cannot be revoked — minimize and encrypt at rest
  • Plan for company-failure: where does the data go in bankruptcy?
High Impact Health Plan • 2025
Blue Shield of California logo

4.7 million

Individuals affected

Class actions pending; no settlement as of May 2026

Total cost

Blue Shield of California

Misconfigured Google Analytics transmitted PHI of 4.7 million members directly to Google Ads for nearly three years

HIPAA Journal report

Disclosed April 9, 2025, Blue Shield reported that between April 2021 and January 2024 a Google Analytics configuration allowed member data to flow into Google Ads for ad targeting. Exposed fields included names, family size, plan details, city and zip, account identifiers, medical claims details, patient financial responsibility, and doctor-search activity. The data flow was severed in January 2024 — but the issue was not internally identified until February 11, 2025, more than a year later.

What went wrong

  • Google Analytics linked to Google Ads on a member-facing plan portal
  • No HIPAA privacy review of analytics pipeline before deployment
  • PHI sent to ad platforms in clear violation of OCR pixel guidance
  • Internal discovery lag of more than 12 months after the data flow stopped

Key lessons

  • Never connect Google Analytics to Google Ads on PHI surfaces
  • Periodically re-audit analytics pipelines as products and SDKs change
  • Require legal and privacy sign-off on any new tracking integration
  • Tabletop test how you would detect a silent multi-year disclosure
High Impact Health Plan • 2020
Premera Blue Cross logo

10.4 million

Individuals affected

$6.85M HHS (second-largest HIPAA penalty ever) + ~$74M class action

Total cost

Premera Blue Cross

Year-long network intrusion exposed PHI of 10.4 million members

HHS OCR resolution agreement

A spear-phishing campaign gave attackers persistent network access from May 2014 through March 2015. The intrusion was discovered January 2015 and disclosed publicly that March. Exposed data included names, DOBs, SSNs, member IDs, addresses, phone numbers, email addresses, bank-account information, and claims data. OCR's $6.85M settlement in September 2020 remains the second-largest HIPAA enforcement action; the parallel class action settled for approximately $74M.

What went wrong

  • Outdated risk-analysis processes missed the initial spear-phishing intrusion
  • Insufficient network segmentation allowed year-long lateral movement
  • Intrusion-detection gaps delayed discovery by 8+ months
  • No documented audit-control review for sensitive identifier stores

Key lessons

  • Refresh risk analyses on a documented schedule and after every major incident
  • Network segmentation contains breaches even when prevention fails
  • Deploy continuous threat hunting rather than incidental detection
  • Tier identifier storage so SSN + DOB exposure requires multiple compromises
Medium Impact Health App • 2024
Cerebral, Inc. logo

3.2 million

Individuals affected

$7.1M ($5.1M consumer refunds + $2M civil penalty of $10M suspended)

Total cost

Cerebral, Inc.

FTC found Cerebral disclosed sensitive mental-health data of 3.2 million consumers to LinkedIn, Snapchat, and TikTok via advertising trackers

FTC press release

In April 2024 the FTC announced enforcement against telehealth mental-health provider Cerebral for sharing patient information — including details about ADHD treatment, anxiety, and depression — to social platforms through pixels and SDKs while misrepresenting privacy practices and frustrating subscription cancellation. The proposed order permanently bans Cerebral from using or disclosing personal and health information for most marketing without affirmative consent. As of May 2025, more than $5M in refunds had been distributed to over 40,000 consumers.

What went wrong

  • Mental-health intake data sent to ad networks via pixels and SDKs
  • Privacy promises in consumer-facing materials not matched in practice
  • Mishandling of paper records exposed hundreds of thousands of patients
  • Dark-pattern cancellation flows trapped paying subscribers

Key lessons

  • Mental-health data deserves the strictest pixel and SDK scrutiny
  • Affirmative express consent — not buried defaults — is required
  • Cancellation must be as easy as sign-up (FTC Click-to-Cancel)
  • FTC Act and Health Breach Notification Rule apply even to non-HIPAA telehealth
Medium Impact Healthcare Provider • 2017
Memorial Healthcare System logo

115,143

Individuals affected

$5.5 million (HHS OCR)

Total cost

Memorial Healthcare System

Audit-controls failure allowed unauthorized access to 115,143 patient records over a year

HHS OCR resolution agreement

From April 2011 through April 2012, login credentials of a former employee at an affiliated physician's office were used daily to access ePHI maintained by Memorial Healthcare System — without detection. Two additional incidents in 2012 revealed inappropriate access by 12 users at affiliated physician offices. OCR found that MHS failed to regularly review audit logs, access reports, and security-incident tracking reports — a textbook violation of the HIPAA Security Rule's audit-controls requirement.

What went wrong

  • Failure to review audit logs and system-access reports
  • No timely termination of departed-employee credentials
  • Inadequate access controls for affiliated physician offices
  • Insufficient information-system activity review processes

Key lessons

  • Regularly review audit logs and access reports — not just on incident
  • Promptly disable credentials when employees or affiliates depart
  • Audit access by affiliated providers, not just direct employees
  • Implement automated anomaly detection for record-access patterns
Medium Impact Healthcare Provider • 2016
NewYork-Presbyterian Hospital logo

2 patients

Individuals affected

$2.2 million (HHS OCR)

Total cost

NewYork-Presbyterian Hospital

Allowed ABC News film crew unfettered access to patients without authorization for 'NY Med'

HIPAA Journal report

NewYork-Presbyterian allowed ABC's 'NY Med' film crew nearly unrestricted access to its facilities, including filming a patient dying in the emergency room (Mark Chanko, struck by a sanitation truck in 2011) and another in acute distress, without prior patient or family authorization. OCR called it an "egregious disclosure" and emphasized that media access to PHI requires affirmative written authorization — there is no public-interest or newsworthiness exception under HIPAA.

What went wrong

  • Allowed media access to PHI without written patient authorization
  • No HIPAA-compliant business associate agreement with ABC
  • Failure to enforce minimum-necessary standard for non-treatment access
  • Filming continued after staff and family requested it stop

Key lessons

  • Obtain written patient authorization before any media filming
  • HIPAA has no public-interest or newsworthiness exception
  • Train staff that filming requests can be refused on-site
  • Treat media crews as special-access requiring executive sign-off
Medium Impact Healthcare Provider • 2011
UCLA Health System logo

Dozens

Individuals affected

$865,000 (HHS OCR)

Total cost

UCLA Health System

Employees accessed celebrity patient records — including Britney Spears, Farrah Fawcett, and Maria Shriver — without authorization

HHS OCR settlement record

Between 2005 and 2009, multiple UCLA Health employees were terminated for snooping on the medical records of high-profile patients. Former administrative specialist Lawanda Jackson pleaded guilty to selling celebrity record details to the National Enquirer; former researcher Huping Zhou was sentenced to four months in federal prison — the first individual criminally convicted under HIPAA. UCLA settled with OCR in July 2011 for $865,000 with an extensive corrective-action plan.

What went wrong

  • Inadequate role-based access controls in the EHR
  • No proactive monitoring of record-access patterns
  • Insufficient minimum-necessary enforcement at the workforce level
  • Inadequate workforce training on patient privacy

Key lessons

  • Role-based access controls are the foundation of EHR security
  • Audit access to high-profile and VIP records on a continuous basis
  • Train workforce that HIPAA carries personal criminal liability
  • Embed minimum-necessary enforcement in every clinical workflow

Patterns & prevention

The biggest violations share predictable causes. Here’s what drives them, how organizations prevent them, and what you can do as a patient.

Most common causes

Across major settlements

  • Cyberattacks & breaches 40%
  • Unauthorized employee access 25%
  • Improper disposal or theft 20%
  • Unauthorized disclosure 15%

Prevention strategies

For covered entities

  • Implement strong cybersecurity measures
  • Regular employee training and awareness
  • Encrypt all devices with health data
  • Monitor and audit data access
  • Maintain updated security policies

What you can do

As a patient

  • Monitor your medical records regularly
  • Report suspicious communications
  • Understand your privacy rights
  • Ask about security measures
  • File complaints when necessary

View current breaches in real time

We track every reported healthcare data breach affecting 500+ individuals, with a consumer breakdown of each one: what was exposed, what the provider is offering, and the steps to protect yourself.

750+ breaches are currently under investigation, affecting millions of Americans. Our tracker pulls from the HHS Office for Civil Rights, the federal source of record.

Check if you were affected: Search by provider name, state, or date.

Don’t be the next case study.

Most of these violations stem from preventable failures. Understand your rights, hold organizations accountable, and protect yourself.