Learning from Enforcement Actions
OCR publishes details of resolved HIPAA investigations and enforcement actions, providing the healthcare industry with a rich source of compliance guidance through real-world examples. Each case reveals the types of conduct OCR prioritizes, the documentation failures that leave organizations unable to defend themselves, and the compliance investments that could have prevented the violation. The following cases represent some of the most significant and instructive enforcement actions in HIPAA history.
Case 1: Anthem, Inc. — $16 Million (2018)
Violation: Largest HIPAA settlement in history at the time. A cyberattack in 2015 resulted in the breach of nearly 79 million individuals' PHI — including names, Social Security numbers, medical identification numbers, dates of birth, addresses, and employment information.
Root cause: OCR found that Anthem had failed to conduct a thorough risk analysis, failed to identify and respond to the suspected security incident for an extended period, and had insufficient access controls, including multi-factor authentication.
Lesson: Comprehensive risk analysis and strong access controls — particularly multi-factor authentication — are not optional at scale. The sheer volume of PHI at large organizations makes the cost of prevention small relative to the cost of a breach of this magnitude.
Case 2: Advocate Medical Group — $5.55 Million (2016)
Violation: Three data breaches in 2013 involving the theft of unencrypted laptops containing ePHI of over 4 million individuals.
Root cause: OCR found that Advocate failed to conduct a thorough risk analysis of its systems and devices, failed to implement sufficient physical safeguards for its electronic devices, and had inadequate security awareness training.
Lesson: Unencrypted laptops and portable devices containing ePHI represent one of the most common and preventable breach scenarios. Full-disk encryption of all portable devices is a straightforward safeguard that would have prevented this breach entirely — making the $5.55 million penalty especially instructive.
Case 3: University of Texas MD Anderson Cancer Center — $4.3 Million (2018)
Violation: Three breaches between 2012 and 2013 — a stolen unencrypted laptop and two lost unencrypted USB drives — affected over 33,500 individuals.
Root cause: OCR found that MD Anderson had written encryption policies since 2006 but failed to implement them on its devices. OCR imposed the full statutory penalties because the violation was willful neglect: MD Anderson knew encryption was required by its own policies but did not implement it.
Lesson: Having a policy is not enough — policies must be implemented and monitored. Organizations that have written policies they do not follow face the highest penalty tiers because the gap between policy and practice demonstrates willful neglect.
Case 4: Fresenius Medical Care — $3.5 Million (2018)
Violation: Five separate breaches in 2012 involving different facilities — stolen laptops, a stolen hard drive, and a stolen USB drive — affecting a total of 521 individuals.
Root cause: OCR found systemic failures across multiple facilities: inadequate risk analysis, lack of encryption policies, and failure to implement device and media controls. The relatively small number of affected individuals (521) compared to the large penalty ($3.5 million) demonstrates that OCR penalizes systemic compliance failures, not just the scale of individual breaches.
Lesson: Systemic compliance failures — repeated violations across multiple facilities indicating an organizational culture of non-compliance — attract significant penalties regardless of the number of individuals actually affected.
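Cases 2 through 4 all turn on the same gap: a written rule that portable devices holding ePHI must be encrypted, and no mechanism that verified the rule was actually applied. The following is an added example, not code from the article, from OCR, or from any of the organizations named above. It reconciles an asset-inventory export against the encryption policy and reports each in-scope device that cannot be shown to comply. The CSV layout, field names, thresholds and sample rows are constructed assumptions for illustration.

```python
"""Policy-versus-practice check for portable devices that store ePHI.

Added example (not from the article or from OCR). Reads a constructed
asset-inventory export and reports every portable ePHI device that is
unencrypted, whose encryption status is unverified, or that has not
checked in recently enough for its status to be trusted.
"""
from dataclasses import dataclass
import csv
import io

# Constructed sample export from an asset-inventory / MDM system.
# The column names are assumptions, not a real product's schema.
INVENTORY_CSV = """\
asset_id,type,owner,stores_ephi,fde_enabled,last_seen_days
LT-0001,laptop,clinic-a,yes,yes,2
LT-0002,laptop,clinic-a,yes,no,1
USB-0101,usb,research,yes,no,45
HD-0007,external_hdd,clinic-b,no,no,3
LT-0003,laptop,billing,yes,unknown,120
WS-0400,workstation,clinic-b,yes,no,1
"""

# Device classes the encryption policy applies to (assumed policy scope).
PORTABLE_TYPES = {"laptop", "usb", "external_hdd", "tablet", "phone"}
# A device silent for longer than this cannot be shown to be compliant.
STALE_DAYS = 90


@dataclass(frozen=True)
class Finding:
    asset_id: str
    reason: str


def load_inventory(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def in_policy_scope(row):
    """Policy covers portable devices that hold ePHI; workstations and
    devices without ePHI are out of scope for this particular rule."""
    return row["type"] in PORTABLE_TYPES and row["stores_ephi"] == "yes"


def check_encryption_policy(rows):
    """Return one Finding per way an in-scope device fails the policy."""
    findings = []
    for row in rows:
        if not in_policy_scope(row):
            continue
        fde = row["fde_enabled"]
        if fde == "no":
            findings.append(Finding(row["asset_id"],
                                    "portable ePHI device without full-disk encryption"))
        elif fde != "yes":
            # "unknown" or any other value: the control is not evidenced.
            findings.append(Finding(row["asset_id"], "encryption status unverified"))
        if int(row["last_seen_days"]) > STALE_DAYS:
            findings.append(Finding(row["asset_id"],
                                    f"no inventory check-in for {row['last_seen_days']} days"))
    return findings


def compliance_summary(rows):
    """Counts that a reviewer would put in front of management: how many
    devices the policy covers and how many cannot be shown to meet it."""
    in_scope = [r for r in rows if in_policy_scope(r)]
    findings = check_encryption_policy(rows)
    noncompliant = {f.asset_id for f in findings}
    return {"in_scope": len(in_scope),
            "noncompliant": len(noncompliant),
            "findings": findings}


if __name__ == "__main__":
    summary = compliance_summary(load_inventory(INVENTORY_CSV))
    print(f"{summary['noncompliant']} of {summary['in_scope']} in-scope devices non-compliant")
    for f in summary["findings"]:
        print(f"  {f.asset_id}: {f.reason}")
```

Run against a real inventory export on a schedule, the count of non-compliant devices is the evidence that the policy is monitored rather than merely written; a device with an "unknown" status is reported rather than assumed compliant, because an unverifiable control is exactly what an investigator will treat as absent.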
Case 5: Right of Access Enforcement — Cignet Health ($4.3 Million, 2011)
Violation: Cignet Health denied 41 patients access to their medical records for months, ignoring both the patients' requests and OCR's subsequent demands for compliance.
Root cause: Cignet failed to provide patients with their records, failed to cooperate with OCR's investigation, and was found to have willfully neglected its HIPAA obligations.
Lesson: The right of access is one of the most fundamental patient rights under HIPAA, and OCR takes it seriously. Covered entities that deny or delay patient access requests — particularly without legal justification — face significant enforcement risk. OCR's ongoing Right of Access Initiative has resulted in dozens of enforcement actions specifically targeting access denials and delays.
Case 6: Banner Health — $1.25 Million (2022)
Violation: A 2016 cyberattack compromised the PHI of approximately 2.81 million individuals, including names, Social Security numbers, birth dates, addresses, and health information.
Root cause: OCR found that Banner Health failed to conduct a thorough risk analysis prior to the breach, failed to implement a sufficient risk management plan, failed to review information system activity regularly, and failed to implement technical security measures to guard against unauthorized access.
Lesson: OCR's investigation focused not on the breach itself but on the pre-breach compliance failures that created the conditions for the attack to succeed. A robust, current risk analysis and active monitoring of information system activity are the two compliance investments most consistently cited by OCR as the gap between compliant and non-compliant organizations.
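"Review information system activity regularly" is the finding in the Banner Health case and part of the Anthem case, and it is the one safeguard on this page that is a concrete technical routine rather than a document. The following is an added example, not code from the article, from OCR, or from either organization. It runs a minimal periodic review over EHR access audit records: per-user record-access volume against a per-role baseline, record access outside business hours, and bursts of failed logins. The log format, roles, baselines, thresholds and sample lines are constructed assumptions for illustration.

```python
"""Information system activity review over EHR access audit records.

Added example (not from the article or from OCR). Parses constructed
audit lines and returns the review findings a compliance analyst would
follow up on. Format, roles and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: timestamp, user, role, action, patient record.
AUDIT_LOG = """\
2024-03-04T09:12:01 nurse01 nurse VIEW PT-1001
2024-03-04T09:15:44 nurse01 nurse VIEW PT-1002
2024-03-04T10:02:09 nurse01 nurse VIEW PT-1003
2024-03-04T11:30:00 billing07 billing VIEW PT-2001
2024-03-04T23:41:10 billing07 billing VIEW PT-2002
2024-03-04T23:41:12 billing07 billing VIEW PT-2003
2024-03-04T23:41:15 billing07 billing EXPORT PT-2004
2024-03-04T23:42:01 billing07 billing VIEW PT-2005
2024-03-04T23:42:03 billing07 billing VIEW PT-2006
2024-03-04T23:42:05 billing07 billing VIEW PT-2007
2024-03-04T08:00:00 svc-backup service LOGIN_FAIL -
2024-03-04T08:00:03 svc-backup service LOGIN_FAIL -
2024-03-04T08:00:06 svc-backup service LOGIN_FAIL -
2024-03-04T08:00:09 svc-backup service LOGIN_FAIL -
2024-03-04T08:00:12 svc-backup service LOGIN_FAIL -
2024-03-04T08:00:15 svc-backup service LOGIN_OK -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time (assumed)
DAILY_BASELINE = {"nurse": 40, "billing": 5, "service": 0}  # assumed per-role norms
FAILED_LOGIN_THRESHOLD = 5
RECORD_ACTIONS = {"VIEW", "EXPORT"}


def parse_audit(text):
    """Turn raw audit lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, role, action, record = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "record": record})
    return events


def review_activity(events):
    """Return (user, finding_kind, detail) tuples for the review period."""
    findings = []
    distinct_records = defaultdict(set)   # user -> records touched
    after_hours = defaultdict(int)        # user -> accesses outside hours
    failed_logins = defaultdict(int)      # user -> failed login count
    role_of = {}
    for e in events:
        role_of[e["user"]] = e["role"]
        if e["action"] in RECORD_ACTIONS:
            distinct_records[e["user"]].add(e["record"])
            if e["ts"].hour not in BUSINESS_HOURS:
                after_hours[e["user"]] += 1
        elif e["action"] == "LOGIN_FAIL":
            failed_logins[e["user"]] += 1

    # Volume: more distinct patient records than the role's daily baseline.
    for user, records in distinct_records.items():
        baseline = DAILY_BASELINE.get(role_of[user], 0)
        if len(records) > baseline:
            findings.append((user, "volume",
                             f"{len(records)} distinct records, baseline {baseline}"))
    # Timing: any record access outside business hours is reviewed.
    for user, n in after_hours.items():
        findings.append((user, "after_hours",
                         f"{n} record accesses outside business hours"))
    # Authentication: repeated failures before a success on one account.
    for user, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append((user, "failed_logins", f"{n} failed logins"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_activity(parse_audit(AUDIT_LOG)):
        print(f"{user}: {kind}: {detail}")
```

The value for an organization is less in the three particular rules than in the fact that the review runs, produces a dated output, and leaves a record of who looked at each finding; that record is what answers the question OCR asked in both cases, namely whether information system activity was being reviewed at all.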