HIPAA breach cost an organisation US$4,800,000!

HIPAA breaches could destroy your business

... and land you in a US jail... even if your business operates from India!



Worse still, your organisation's or your clients' activities could be brought to a grinding halt and held to ransom!


Here are details of some of the biggest fines imposed for HIPAA breaches:


$4.8 million - New York Presbyterian Hospital and Columbia University - May 2014
Individuals affected: 6,800 – An OCR investigation discovered that the HIPAA breach occurred when a CU physician, who developed applications for NYP and CU, attempted to deactivate a personally owned computer server on the network containing ePHI. Due to a lack of technical safeguards, the server deactivation resulted in ePHI being accessible on Google. The data was so widely accessible online that the entities learned of the breach only after receiving a complaint from an individual who saw the ePHI of their deceased partner, a former NYP patient, online.

$4.3 million - Cignet Health Center - October 2010
Individuals affected: 41 – From 2008 to 2009 the Maryland-based health center denied 41 patient requests for their medical records, for which the medical group practice was fined $1.3 million. Moreover, during the investigation into the allegations against Cignet, the practice refused to respond to several of OCR's demands to produce the records and failed to cooperate with investigation requests, OCR officials said. For this, the practice was fined a further $3 million.

$2.25 million - CVS Pharmacy - January 2009
Individuals affected: NA – A 2007 OCR investigation, launched in response to media reports on the topic, found several CVS pharmacies were disposing of protected health information in public dumpsters. In collaboration with OCR, the Federal Trade Commission also launched an investigation into CVS. Officials determined the pharmacy chain did not have adequate policies and safeguards in place to protect patient data and dispose of it in the proper way.

$1.73 million - Concentra Health Services - April 2014
Individuals affected: 870 – An unencrypted Concentra laptop was stolen in November 2011, and according to OCR officials, from 2008 to 2012 the healthcare company failed to manage encryption policies, identify which assets needed to be encrypted, and document why encryption was not reasonable in certain cases. In 2008, almost 28 percent of Concentra laptops were not encrypted, and a complete inventory to assess this did not occur until four years later.

$1.7 million - WellPoint - July 2013
Individuals affected: 612,402 – The protected health information, Social Security numbers and demographic data of patients were accessible to unauthorized users over the Internet for a period of nearly five months. An OCR investigation determined that WellPoint failed to perform an adequate technical evaluation in response to a software upgrade. The managed care company also neglected to implement user verification technology for the Web-based patient database.

$1.7 million - Alaska Department of Health and Human Services - June 2012
Individuals affected: 501 – An unencrypted USB hard drive containing patient information was stolen from a DHSS employee's car. After conducting an investigation, OCR officials found that DHSS had failed to complete a risk analysis, implement adequate security measures, provide security training for its employees, or address device encryption.



By Bernie Monegain | February 08, 2016, 02:28 PM
Respiratory care provider Lincare has been ordered to pay $239,800 in penalties for violating the HIPAA Privacy Rule.

An administrative law judge ruled in favor of the Office for Civil Rights, which is charged with enforcing the rule. OCR had asked the judge to approve the penalties, and the judge granted them on all issues, the agency announced on February 3.


By Erin McCann | September 02, 2015, 02:59 PM
Healthcare security folks, listen up: Failing to encrypt portable devices and laptops containing patient data could result in a serious HIPAA fine, as one Indiana-based health group can now attest to.

Cancer Care Group, a large radiation oncology practice in Indianapolis, is reevaluating its privacy and security practices after it was slapped with a $750,000 HIPAA settlement from the Department of Health and Human Services. It agreed to pay the sum to settle alleged HIPAA violations involving a breach that occurred three years ago.

Back in August 2012, Cancer Care reported a HIPAA security breach to the Office for Civil Rights after unencrypted server backup media and a laptop were stolen from an employee's car. Officials discovered the devices contained the protected health information, Social Security numbers and insurance data of some 55,000 patients.


15 of the biggest data breach settlements and HIPAA fines
Written by Max Green | October 14, 2015

Many more data breach lawsuits are filed against healthcare organizations than result in organizations actually being found guilty or opting to settle. However, when settlements over large breaches do occur, they can be hugely expensive for companies and health systems. Out-of-court settlements and incurred HIPAA fines serve as reminders of just how vulnerable patients' protected health information is in the age of cyberattacks.

Here are 15 of the most expensive breach settlements and HIPAA fines.

All HIPAA settlement information is from the HHS website.

1. NewYork-Presbyterian Hospital and Columbia University (New York City)

May 2014
Deactivation of a network server resulted in the protected health information of more than 6,800 individuals being accessible online.
$4.8 million HIPAA fine
2. Cignet Health (Temple Hills, Md.)

February 2011
Cignet violated patients' rights by denying them access to their medical records following requests to obtain them.
$4.3 million HIPAA fine
3. Stanford Hospital & Clinics (California)

March 2014
Data from 20,000 patient records was found posted online.
$4 million settlement
4. AvMed (Gainesville, Fla.)

March 2014
More than 1 million patient records, including Social Security numbers, were compromised following the theft of two unencrypted laptops.
$3 million settlement
5. CVS Pharmacy (Woonsocket, R.I.)

January 2009
CVS retail pharmacy chains disposed of protected health information in dumpsters.
$2.25 million HIPAA fine
6. Alaska HHS (Anchorage)

June 2012
A portable storage device containing electronic patient data was stolen from an HHS employee.
$1.7 million HIPAA fine
7. Concentra Health Services (Addison, Texas)

April 2014
An unencrypted laptop containing patient data was stolen.
$1.7 million HIPAA fine
8. WellPoint (Indianapolis)

July 2013
The company was found not to have technical safeguards in place to verify the entities accessing its database of protected health information.
$1.7 million HIPAA fine
9. Massachusetts Eye and Ear Infirmary, Massachusetts Eye and Ear Associates

September 2012
An unencrypted laptop containing patient data was stolen.
$1.5 million HIPAA fine
10. Blue Cross Blue Shield Tennessee (Memphis)

March 2012
Fifty-seven unencrypted computer hard drives containing the protected health information of more than 1 million individuals were stolen.
$1.5 million HIPAA fine
11. Affinity Health Plan (New York City)

August 2013
The company returned photocopy machines to a leasing agent without wiping the data of more than 344,500 individuals stored on the machines.
$1.2 million HIPAA fine
12. Rite Aid (Camp Hill, Pa.)

July 2010
Rite Aid chain locations improperly disposed of identifying information in trash containers accessible to unauthorized individuals.
$1 million HIPAA fine
13. General Hospital Corp./Massachusetts General Physicians Organization (Boston)

February 2011
The organization lost the protected health information of 192 patients.
$1 million HIPAA fine
14. UCLA Health (Los Angeles)

July 2011
Complaints were filed against UCLA Health alleging that, from 2005 to 2008, unauthorized employees repeatedly accessed the protected health information of patients.
$865,000 HIPAA fine
15. Parkview (Ill.) Health System

June 2014
Medical records pertaining to up to 8,000 patients were left unattended and accessible in a physician's driveway.
$800,000 HIPAA fine




Ransom demand: $3.4 million

February 16, 2016

Hackers have launched a ransomware attack against Hollywood Presbyterian Medical Center and are holding the hospital’s data hostage unless they receive a ransom of $3.4 million in Bitcoin.

Without access to their systems, Hollywood Presbyterian caregivers have fallen back on handwritten notes and faxes since the hackers knocked the provider offline last week, according to local news reports.


Everything from e-mails to CT scans has been affected, and patients are showing up in person to pick up prescriptions and test results that cannot be sent electronically because of the emergency.

Experts say ransomware attacks are simple for experienced hackers to conduct, and can result in the attackers securing the funds they seek from businesses, such as hospitals, that are anxious to get their critical systems and data back online.

The Los Angeles Police Department is working with the FBI to investigate the attack against the hospital, according to local news reports.


Copyright © 2008-2016 HCit Consultant. All rights reserved.