HIPAA Enforcement by State Attorneys General
The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Rules of the Health Insurance Portability and Accountability Act (HIPAA).
The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and they can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and for delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000.
State attorneys general HIPAA cases were relatively rare occurrences, with only 11 settlements reached with HIPAA-covered entities and business associates to resolve HIPAA violations between 2010 and 2015. HIPAA enforcement by state attorneys general was stepped up in 2017 with 5 settlements and again in 2018 when 12 cases resulted in financial penalties for violations of the HIPAA Rules.
In 2019 and 2020, a total of just 5 cases resulted in financial penalties, although those penalties were sizeable, with four of the five cases being multistate actions against HIPAA-covered entities and business associates where several state attorneys general participated in the actions. These multistate actions allow state attorneys general to pool their resources and investigate potential violations of HIPAA and state laws more efficiently.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
2023 was a busy year in terms of enforcement, with 16 enforcement actions to resolve violations of the HIPAA Rules and state consumer protection and breach notification laws. Cases were resolved by the Attorneys General in California, Colorado, Indiana, New York, Ohio, and Pennsylvania and there were three multistate investigations resolved, including a 49-state action against Blackbaud, a 32-stat action against Personal Touch Home Care, and a 4-state action against EyeMed Vision Care. The case against Blackbaud over its 5.5 million-record breach resulted in a penalty of $49.5 million.
When civil actions are brought against covered entities or business associates by state Attorneys General, they are separate from any Office for Civil Rights actions which may also choose to investigate and impose its own fins and penalties. Several data breaches have resulted in settlements being reached at both the federal and state level. Community Health Systems/CHSPSC, Anthem Inc., Premera Blue Cross, Aetna, Cottage Health System, University of Rochester Medical Center, and Medical Informatics Engineering have all settled cases with OCR and separate cases with state attorneys general to resolve potential HIPAA violations.
In many of the state AG enforcement actions below, the financial penalties resolve violations of federal (HIPAA) and/or state laws. Over the years there have been several cases where HIPAA Rules have been violated, but the decision was taken to bring actions for violations of the equivalent provisions in state laws. The cases detailed below include cases where the HIPAA Rules have been violated, but action has been taken for the violation of state laws.
HIPAA Enforcement by State Attorneys General in 2024
| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
| 2024 | California | Quest Diagnostics | $5,000,000 | Unclear | Improper disposal of waste and PHI | Illegal disposal of hazardous waste, medical waste, and patients’ personal health information. Penalized for violating California state law rather than HIPAA. |
| 2024 | New York | Refuah Health Center | $450,000 and invest $1.2 million in cybersecurity | 260,740 | May 2021 ransomware attack | Multiple violations of the HIPAA Security Rule, a violation of the HIPAA Breach Notification Rule, and violations of New York Business Law. |
HIPAA Enforcement by State Attorneys General in 2023
State attorneys general have imposed three financial penalties for HIPAA violations or equivalent violations of state laws.
| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
| 2023 | New York | New York Presbyterian Hospital | $300,000 | 54,396 | Use of pixels and other tracking tools on website | Violation of the HIPAA Privacy Rule and New York Executive Law for impermissibly disclosing PHI to third parties. |
| 2023 | New York | Healthplex | $400,000 | 89,955 (62,922 in New York) | Phishing attack | Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments) |
| 2023 | Indiana | CarePointe ENT | $120,000 | 48,742 | Ransomware attack and data breach | Failure to address known vulnerabilities, business associate agreement failure, violations of the Indiana Disclosure of Security Breach Act and Indiana Deceptive Consumer Sales Act |
| 2023 | New York | U.S. Radiology Specialists Inc. | $450,000 | 198,260, including 92,540 New York residents | Cyberattack and data breach | Failure to upgrade hardware in a reasonable time frame to address a known vulnerability. |
| 2023 | New York | Personal Touch Holding Corp | $350,000 | 753,107 | Ransomware attack | Only had an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training. |
| 2023 | Multistate (32 states and PR) | Inmediata | $1.4 million | 1,565,338 | Unsecured server exposed PHI online, breach notifications | Failure to implement appropriate safeguards to ensure data security and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state breach notification laws |
| 2023 | Multistate (49 states and DC) | Blackbaud | $49.5 million | 5,500,000 | Ransomware attack | Violations of the HIPAA Rules regarding safeguards and breach response, and violations of state consumer data protection laws |
| 2023 | Colorado | Broomfield Skilled Nursing and Rehabilitation Center | $60,000 ($25,000 suspended if full compliance with corrective measures) | 677 individuals | 2 compromised email accounts | Violations of the HIPAA Security Rule, state data protection laws, including the Colorado Consumer Protection Act (CCPA) |
| 2023 | Indiana | Schneck Medical Center | $250,000 | 89,707 individuals | Ransomware attack and data breach | Violations of the HIPAA Privacy, Security, and Breach Notification Rules. Violations of the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act |
| 2023 | California | Kaiser Foundation Health Plan Foundation Inc. and Kaiser Foundation Hospitals | $49,000,000 | 7,700 individuals | Improper disposal of hazardous waste, medical waste, and protected health information | Violations of HIPAA, California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, and Unfair Competition Law. |
| 2023 | California | Kaiser Permanente | $450,000 | up to 167,095 individuals | Mailing error and PHI disclosure | California Confidentiality of Medical Information Act (CMIA) violations – impermissible disclosure of PHI and negligent maintenance or disposal of PHI |
| 2023 | New York | Practicefirst Medical Management Solutions (Professional Business Systems Inc.) | $550,000 | 1.2 million | Ransomware attack and data breach | Failure to patch a critical firewall vulnerability for 22 months. No penetration testing or vulnerability scanning, and a lack of encryption for sensitive health data. |
| 2023 | Multi-state: Oregon, New Jersey, Florida & Pennsylvania | EyeMed Vision Care | $2,500,000 | 2.1 million | Ransomware attack and data breach | Insufficient password complexity requirements, insufficient locking of accounts after failed password attempts, no multifactor authentication on a browser-accessible email account containing large amounts of PHI, inadequate logging and monitoring of email accounts, and storing unnecessary amounts of PHI in email accounts. |
| 2023 | New York | Heidell, Pittoni, Murphy & Bach LLP | $200,000 | 61,438 | Ransomware attack and data breach | Violation of 17 provisions of the HIPAA Privacy and Security Rules |
| 2023 | Pennsylvania | DNA Diagnostics Center | $200,000 | 33,000 | Stolen database containing 2.1 million records | Lack of safeguards, failure to update asset inventory, failure to remove assets not used for business purposes. |
| 2023 | Ohio | DNA Diagnostics Center | $200,000 | 12,600 | Stolen database containing 2.1 million records | Lack of safeguards, failure to update asset inventory, failure to remove assets not used for business purposes. |
This article will be updated as and when new fines, settlements, and other resolutions are announced to resolve violations of HIPAA and state laws.
HIPAA Enforcement by State Attorneys General in 2022
| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
| 2022 | Oregon and Utah | Avalon Healthcare | $200,000 | 14,500 | 10 Month delay in notifying individuals about a phishing attack and data breach | The investigation determined the 10-month delay violated HIPAA (60-day reporting deadline) and Oregon law (45-day reporting deadline), email security practices were found to be insufficient, with the settlement including several data security requirements including the appointment of an individual responsible for developing, implementing, and maintaining a comprehensive data security program to ensure compliance with Consumer Protection Laws and HIPAA, including email filtering, security awareness training, and multifactor authentication. |
| 2022 | Aveanna Healthcare | Massachusetts | $425,000 | 166,000 | Phishing attack and data breach | The Massachusetts Attorney General determined there was a lack of appropriate safeguards to prevent phishing attacks, such as multifactor authentication and security awareness training for its workforce. The security measures implemented did not meet the minimum level for compliance with the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts or the HIPAA Security Rule. |
| 2022 | New York | EyeMed Vision Care | $600,000 | 2.1 million | Phishing attack and data breach | Insufficient password complexity requirements, insufficient locking of accounts after failed password attempts, no multifactor authentication on a browser-accessible email account containing large amounts of PHI, inadequate logging and monitoring of email accounts, and storing unnecessary amounts of PHI in email accounts. |
HIPAA Enforcement by State Attorneys General in 2021
New Jersey was particularly active in HIPAA enforcement in 2021 and was the only state to initiate its own investigations and issue financial penalties to resolve HIPAA violations in 2021. New Jersey also participated in a joint investigation into the data breach at American Medical Collection Agency (AMCA) – One of the largest ever breaches of healthcare data. The AMCA HIPAA case saw a $21 million financial penalty imposed; however, due to the huge costs incurred as a result of the breach, AMCA filed for bankruptcy protection. Due to the financial position of the company, the financial penalty was suspended and will only need to be paid if AMCA defaults on the terms of the settlement agreement.
| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
| 2021 | New Jersey | Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) | $425,000 | 105,000 | Phishing attack and data breach | Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program. |
| 2021 | New Jersey | Command Marketing Innovations, LLC and Strategic Content Imaging LLC | $130,000 (Plus $65,000 suspended) | 55,715 | Printing and mismailing incident | Failure to ensure the confidentiality of PHI, lack of PHI safeguards, failure to review security measures following changes to procedures |
| 2021 | New Jersey | Diamond Institute for Infertility and Menopause | $495,000 | 14,663 | Hacking incident and data breach | Multiple Privacy Rule and Security Rule failures, and violations of the Consumer Fraud Act |
| 2021 | Multi-state (41 state attorneys general) | American Medical Collection Agency | $21 million (suspended) | 21 million | Hacking incident and data breach | Security failures including failure to detect a data breach |
HIPAA Enforcement by State Attorneys General in 2020
| Year | State | Entity | Amount | Individuals affected | Reason for Investigation | Findings |
| 2020 | Multistate (28 states) | Community Health Systems / CHSPSC LLC | $5,000,000 | 6.1 million | Hacked by Chinese APT group | Failure to implement and maintain reasonable security practices |
| 2020 | Multistate (43 states) | Anthem Inc | $39.5 million | 78.8 million | Phishing attack and major data breach | Multiple violations of HIPAA and state laws |
| 2020 | California | Anthem Inc | $8.7 million | 78.8 million | Phishing attack and major data breach | Multiple violations of HIPAA and state laws |
HIPAA Enforcement by State Attorneys General in 2019
| Year | State | Entity | Amount | Individuals affected | Reason for Investigation | Findings |
| 2019 | Multistate (30 states) | Premera Blue Cross | $10,000,000 | 10.4 million | Hacking incident and major data breach | Multiple violations of HIPAA and state laws |
| 2019 | Multistate (16 states) | Medical Informatics Engineering | $900,000 | 3.5 million | Breach of NoMoreClipboard data | Multiple violations of HIPAA and state laws |
| 2019 | California | Aetna | $935,000 | 1,991 | 2 mailings exposed PHI (Afib, HIV) | Impermissible disclosure of sensitive health information |
HIPAA Enforcement by State Attorneys General in 2018
| Year | State | Entity | Amount | Individuals affected | Reason for Investigation | Findings |
| 2018 | Massachusetts | McLean Hospital | $75,000 | 1,500 | Loss of backup tapes | Insufficient risk assessment, failure to encrypt data, delayed breach notifications |
| 2018 | New Jersey | EmblemHealth | $100,000 | 6,443 (81,000) | Mailing error exposed SSNs | Impermissible disclosure of PHI, lack of staff training |
| 2018 | New Jersey | Best Transcription Medical | $200,000 | 1,650 | Exposure of ePHI in Internet | Risk assessment and risk management failure, breach notification failure |
| 2018 | Multistate (CT, NJ, DC) | Aetna | 640170.59 | 13,160 | 2 mailings exposed PHI (Afib, HIV) | Impermissible disclosure of sensitive health information |
| 2018 | Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Multiple data breaches | Failure to secure ePHI |
| 2018 | New York | Arc of Erie County | $200,000 | 3,751 | Exposure of ePHI on the Internet | Failure to secure ePHI |
| 2018 | New Jersey | Virtua Medical Group | $417,816 | 1,654 | Exposure of ePHI on the Internet | Multiple violations of the HIPAA Rules |
| 2018 | New York | EmblemHealth | $575,000 | 81,122 | Mailing error exposed SSNs | Impermissible disclosure of PHI, lack of staff training |
| 2018 | New York | Aetna | $1,150,000 | 12,000 | 2 mailings exposed PHI (Afib, HIV) | Impermissible disclosure of sensitive health information |
HIPAA Enforcement by State Attorneys General in 2017
| Year | State | Entity | Amount | Individuals affected | Reason for Investigation | Findings |
| 2017 | California | Cottage Health System | $2,000,000 | More than 54,000 | Exposure of PHI on the Internet | Failure to safeguard personal information |
| 2017 | Massachusetts | Multi-State Billing Services | $100,000 | 2,600 | Theft of unencrypted laptop computer | Failure to safeguard personal information |
| 2017 | New Jersey | Horizon Healthcare Services Inc | $1,100,000 | 3.7 million | Theft of 2 unencrypted laptop computers | Failure to safeguard personal information |
| 2017 | Vermont | SAManage USA, Inc. | $264,000 | 660 | Exposure of PHI on the Internet | Failure to secure ePHI, breach notification failure |
| 2017 | New York | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Delayed breach notification | Violation of breach notification requirements |
HIPAA Enforcement by State Attorneys General (2010-2016)
| Year | State | Entity | Amount | Individuals affected | Reason for Investigation | Findings |
| 2015 | New York | University of Rochester Medical Center | $15,000 | 3,403 | List of patients provided to nurse who took it to a new employer | Impermissible disclosure of ePHI |
| 2015 | Connecticut | Hartford Hospital/ EMC Corporation | $90,000 | 8,883 | Theft of unencrypted laptop containing PHI | Lack of Business Associate Agreement, failure to encrypt ePHI |
| 2014 | Massachusetts | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Loss of backup tapes containing PHI | Failure to safeguard ePHI, lack of staff training |
| 2014 | Massachusetts | Boston Children’s Hospital | $40,000 | 2,159 | Loss of laptop containing PHI | Failure to encrypt ePHI |
| 2014 | Massachusetts | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Loss of laptop containing PHI | Failure to encrypt ePHI |
| 2013 | Massachusetts | Goldthwait Associates | $140,000 | 67,000 | Mishandling of PHI | Improper disposal of PHI |
| 2012 | Minnesota | Accretive Health | $2,500,000 | 24,000 | Mishandling of PHI | Failure to safeguard PHI |
| 2012 | Massachusetts | South Shore Hospital | $750,000 | 800,000 | Loss of backup tapes containing PHI | Failure to safeguard PHI |
| 2011 | Vermont | Health Net Inc. | $55,000 | 1,500,000 | Loss of unencrypted hard drive/delayed breach notifications | Failure to safeguard PHI, violation of breach notification requirements |
| 2011 | Indiana | WellPoint Inc. | $100,000 | 32,000 | Failure to report breach in a reasonable timeframe | Violation of breach notification requirements |
| 2010 | Connecticut | Health Net Inc. | $250,000 | 1,500,000 | Loss of unencrypted hard drive | Failure to safeguard PHI, violation of breach notification requirements |
