In 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) settled ten cases and won summary judgment from an Administrative Law Judge (ALJ), all of which resulted in recoveries totaling $28.7 million from HIPAA enforcement actions. The previous record was from 2016 when OCR recovered $23.5 million from its HIPAA enforcement actions. OCR also broke the record for the single highest recovery last year when Anthem, Inc. agreed to pay $16 million to settle allegations that it violated HIPAA.

Here is a breakdown of the largest HIPAA enforcement recoveries in 2018:

  • In January 2018, Fresenius Medical Care of North America (Fresenius), a chronic kidney disease provider, agreed to pay $3.5 million to settle allegations that it violated HIPAA. OCR investigated Fresenius after the company filed five separate breach reports for incidents that all occurred in 2012. OCR’s investigation found that Fresenius failed to conduct an adequate risk analysis and failed to implement proper policies and procedures concerning the protection of electronic PHI (ePHI).
  • In June 2018, a Department of Health and Human Services ALJ granted summary judgment to OCR, finding that The University of Texas MD Anderson Cancer Center (MD Anderson) would have to pay $4.3 million in civil money penalties for violating HIPAA. OCR investigated MD Anderson after it filed breach reports in 2012 and 2013 that an unencrypted laptop had been stolen and two unencrypted USB drives had been lost, all of which contained ePHI of over 33,500 individuals. OCR’s investigation found that MD Anderson had longstanding encryption policies and had assessed a level of risk regarding ePHI on electronic devices, but failed to encrypt all devices enterprise-wide. The ALJ agreed with OCR, but MD Anderson is appealing the case.
  • As previously reported by Chilivis Grubman, in October 2018, Anthem, Inc. agreed to pay $16 million and take substantial corrective action to resolve allegations that it violated HIPAA by failing to properly protect ePHI from cyberattacks.
  • In December 2018, Cottage Health agreed to pay $3 million and implement significant corrective action to resolve potential HIPAA violations involving reports of unsecured ePHI that exposed the names, addresses, birthdates, Social Security numbers, medical conditions, lab results, and other health information of over 62,500 individuals. OCR’s investigation found that Cottage Health did not thoroughly or regularly evaluate potential risks and vulnerabilities, did not implement adequate security measures, and failed to enter into a business associate agreement with a contractor that maintained ePHI for Cottage Health.