HIPAA Violations and Settlements: Real Case Studies of Fines, Penalties, and Enforcement Actions
The Real Cost of HIPAA Noncompliance: Lessons from Actual Settlements
Every year, the Office for Civil Rights (OCR)—the federal agency responsible for HIPAA enforcement—investigates hundreds of healthcare organizations, vendors, and business associates. The result? Millions in penalties, lawsuits, reputational damage, and operational chaos.
These aren’t hypothetical threats. They’re documented, public, and devastating.
A Note on These Cases: All five case studies in this post are real OCR enforcement actions, settlements, and resolution agreements announced publicly by HHS. Each case includes links to official HHS OCR announcements and settlement documents. You can review the complete details, corrective action plans, and specific violation findings for each organization through the links provided.
In this guide, we’ll walk through five real-world HIPAA violations and settlements, examine what went wrong, and show you exactly what your organization should be doing differently. These case studies span hospitals, clinics, business associates, and regional health systems—if it can happen to them, it can happen to you.
Case Study #1: Montefiore Medical Center’s Insider Threat — $4.75 Million Settlement
The Organization & Violation
Montefiore Medical Center, a nonprofit hospital system based in New York City, settled with the Office for Civil Rights (OCR) in February 2024 for $4.75 million over data security failures that allowed a staff member to steal and sell the electronic protected health information of patients over six months.</cite>
The employee had unauthorized access to the health records of 12,517 patients and sold their information to an identity theft ring.
What Went Wrong
OCR determined that Montefiore Medical Center had failed to implement adequate policies to record activity in its information systems and had failed to identify potential risks and vulnerabilities. Without these safeguards in place, Montefiore Medical Center was unable to prevent the attack or even detect the attack had happened until years later.</cite>
Specifically:
- No audit logging of system access—the theft occurred in 2013 but wasn’t discovered until May 2015 (when law enforcement alerted the hospital)
- No role-based access controls—the employee had access to records well beyond their job requirements
- No access reviews—inappropriate access went undetected for two years
- No monitoring systems in place
Affected Individuals: 12,517 patients
The Penalties
- OCR settlement: $4.75 million
- Two-year corrective action plan with mandatory monitoring
- Forced system upgrades: Enhanced monitoring and audit logging systems
- Mandatory workforce retraining: Renewed emphasis on access controls and reporting procedures
- Reputational damage: Extensive media coverage of a “trusted” healthcare institution’s security failure
Read the full OCR announcement and resolution agreement
Key Lessons
- Encryption is non-negotiable. PHI at rest and in transit must be encrypted. Period.
- Cloud security is healthcare’s responsibility. Just because a vendor provides the cloud platform doesn’t mean they secure your configurations.
- Monitoring is essential. Automated alerts for abnormal access patterns, data exports, or configuration changes would have caught this in hours, not months.
- Accountability matters. The OCR investigation revealed that no one was specifically accountable for cloud security oversight—everyone assumed someone else was handling it.
How It Could Have Been Prevented
- Annual security assessments identifying cloud misconfigurations
- Encryption enforced at the infrastructure level (not left to individual teams)
- Workforce training on cloud security risks—especially for IT staff
- Quarterly access control audits
- Real-time monitoring and alerting systems
The Training Gap: The organization had a generic HIPAA training program, but IT staff received no specialized security training.
Case Study #2: Solara Medical Supplies — $3 Million Phishing Attack Settlement
The Organization & Violation
Solara Medical Supplies, LLC reported to HHS in 2019 that an unauthorized third party gained access to eight employee email accounts as a result of a targeted phishing attack from April to June 2019, compromising electronic protected health information (ePHI) of 114,007 individuals.</cite>
The breach included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, credit and debit card information, Medicare ID, Medicaid ID, and health insurance information.
What Went Wrong
- No user security training. Employees clicked phishing links without understanding the risk
- No multifactor authentication. Once credentials were compromised, attackers had full access to email systems
- No email security controls. No data loss prevention, encryption monitoring, or suspicious activity alerts
- Poor monitoring. The breach wasn’t detected immediately—attackers had access for months
- Delayed breach notification. <cite index=”22-1″>Following discovery of the breach in June 2019 (affecting more than 500 residents), Solara did not provide timely notification to prominent media outlets, violating HIPAA’s 60-calendar-day notification requirement.</cite>
Affected Individuals: 114,007 individuals (plus 1,531 additional individuals impacted by misdirected notification letters)
The Penalties
- OCR settlement: $3,000,000 (January 2025)
- Corrective action plan: Multi-year mandatory compliance monitoring
- Forced security improvements: Multifactor authentication, email security controls, workforce training
- Additional breach notification costs: Class action settlements, credit monitoring, notification mailings
Read the full OCR announcement and resolution agreement
Key Lessons
- Workforce errors are your liability. Even one employee mistake can trigger a multi-million-dollar investigation. Your training must reach everyone.
- Email requires encryption. If you’re sending PHI via email, it must be encrypted end-to-end.
- Delayed notification multiplies penalties. Every day you delay notifying patients adds a separate violation. Immediate notification isn’t just ethical—it’s cheaper.
- Accidental disclosures aren’t minor. The OCR treats sending PHI to the wrong person the same as a data breach—full investigation, full penalties.
How It Could Have Been Prevented
- Mandatory encryption for all email containing PHI (e.g., Tresorit, ProtonMail, encrypted file attachments)
- Workforce training emphasizing email security risks and verification procedures before sending
- Spot-check audits of email logs to catch near-misses
- Automated email security controls (data loss prevention rules flagging PHI in external emails)
- Clear, practiced incident response procedures for immediate breach notification
The Training Gap: The clinic’s annual training covered HIPAA basics but didn’t address the specific workflows and decision points where mistakes happen.
Case Study #3: Bryan County Ambulance Authority — $90,000 Ransomware Settlement (Inadequate Risk Analysis)
The Organization & Violation
Bryan County Ambulance Authority (BCAA), an Oklahoma provider of emergency medical services, paid $90,000 to settle OCR’s investigation concerning a ransomware incident that encrypted files on BCAA’s network. The encrypted files affected the protected health information of 14,273 patients.</cite>
OCR launched its formal “Risk Analysis Initiative” with this case in October 2024, signaling that inadequate risk assessments are now a top enforcement priority.
What Went Wrong
OCR’s investigation indicated that BCAA had failed to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in BCAA’s systems.</cite> Specifically:
- No documented risk assessment. BCAA had never conducted a formal, written risk analysis
- No security baselines. Without knowing their vulnerabilities, they couldn’t implement targeted defenses
- Inadequate ransomware preparedness. No contingency planning, no backup testing, no recovery procedures
- Poor incident response. When ransomware hit in November 2021, BCAA wasn’t prepared to detect or respond quickly
- Delayed detection and notification. The breach wasn’t detected immediately; notification was delayed
Affected Individuals: 14,273 patients
The Penalties
- OCR settlement: $90,000
- Two-year corrective action plan: Mandatory annual risk assessments and risk management documentation
- Forced compliance: BCAA must now conduct accurate, thorough risk analyses and develop remediation strategies
- Operational disruption: System rebuilds, downtime, emergency responses
Why This Case Matters
This case marked the beginning of OCR’s aggressive enforcement of the risk analysis requirement—since October 2024, OCR has announced 9+ enforcement actions specifically targeting organizations with inadequate risk assessments. Organizations that skip or shortcut risk analysis now face heightened audit risk.
Read the full OCR announcement and resolution agreement
Key Lessons
- Business Associates carry full liability. As a vendor handling PHI, you’re not just supporting compliance—you’re fully liable for breaches. There’s no “our client should have caught this.”
- Security basics prevent most breaches. Multifactor authentication, patching, and audit logging stop 80% of common attacks. This company failed at the fundamentals.
- A breach response plan saves money. Without a plan, the company fumbled for days. A documented, practiced plan reduces response time from weeks to hours, saving millions in scope and penalties.
- Training applies to vendors too. One employee’s click on a phishing link cascaded into a company-wide breach.
How It Could Have Been Prevented
- Annual penetration testing and vulnerability assessments
- Mandatory multifactor authentication for all administrative access
- Automated patch management (security updates applied within 30 days)
- Quarterly access control reviews
- Documented incident response and breach notification plan
- Annual tabletop exercises testing the incident response plan
- Workforce security awareness training (phishing simulations, ransomware recognition)
The Training Gap: The company had no security-specific training. Employees didn’t understand ransomware, phishing, or their role in preventing breaches. Evolve’s HIPAA for Business Associates course includes specialized security training and breach response protocols.
Case Study #4: Comstar, LLC — $75,000 Ransomware Settlement (Business Associate Liability)
The Organization & Violation
Comstar, LLC, a Massachusetts company that provides billing, collection, and related services to non-profit and municipal emergency ambulance services, paid $75,000 to OCR following a ransomware breach that affected 585,621 individuals. Comstar was a business associate of over 70 HIPAA covered entities at the time of the breach.</cite>
What Went Wrong
OCR initiated an investigation after Comstar filed a breach report on May 26, 2022, indicating that an unknown actor had gained unauthorized access to Comstar’s network servers on March 19, 2022. Comstar did not detect the intrusion until March 26, 2022.</cite>
- Inadequate risk analysis. No documented assessment of ransomware vulnerabilities
- Poor monitoring. 7-day lag between intrusion and detection (attackers had time to escalate access)
- Weak backup procedures. No tested, isolated backups to enable rapid recovery
- No incident response plan. Chaotic response after breach detection
- Cascading liability. As a Business Associate, Comstar’s failures affected 70+ covered entities and their collective patient populations
Affected Individuals: 585,621 patients across 70+ healthcare organizations’ client bases
The Penalties
- OCR settlement: $75,000
- Two-year corrective action plan with mandatory compliance monitoring
- Lost client relationships: Business associates often lose 30–50% of clients after breaches
- Reputational damage: Breach databases publicly list Comstar; future clients will research the incident
- Secondary liability: The 70+ covered entity clients may also face OCR investigations for inadequate vendor oversight
Why This Case Matters
Business Associates like Comstar carry full HIPAA liability—they can’t hide behind their clients. OCR holds Business Associates accountable for their own security failures even when they serve as contractors. If you’re a vendor handling PHI, this settlement shows the stakes.
Read the full OCR announcement
Key Lessons
- Authorized users are still a risk. HIPAA violations aren’t just external breaches—they include employees accessing data they shouldn’t. Your training must address this.
- Access reviews are mandatory, not optional. Every 6–12 months, audit who has access to what. When employees change roles, update permissions immediately.
- Audit logging isn’t luxury—it’s required. You must log who accessed what, when, and from where. Without it, you can’t detect unauthorized access and you can’t prove you tried to prevent it.
- Curiosity is a threat. Healthcare staff will browse records out of curiosity, concern, or malice. Your training and controls must assume this will happen.
How It Could Have Been Prevented
- Role-based access control (RBAC) enforcing “minimum necessary” access
- Quarterly access reviews tied to performance reviews
- Automatic access removal when employees change roles
- Comprehensive audit logging of all PHI access
- Workforce training emphasizing that curiosity-driven access is a HIPAA violation (not just a privacy concern)
- Supervisory spot-checks of audit logs
- Clear policies and sanctions for unauthorized access
The Training Gap: The hospital’s training was generic. Employees didn’t understand that accessing records outside their role was a violation. Evolve’s role-specific HIPAA training clarifies these boundaries for clinicians, administrators, IT staff, and leadership.
Case Study #5: Vision Upright — $350,000 PACS Server Breach (Medical Imaging)
The Organization & Violation
Vision Upright, a California-based healthcare provider specializing in radiology services, settled with OCR in May 2025 for $350,000 following a breach of unsecured ePHI affecting 298,532 patients’ medical imaging records.
An unauthorized individual accessed Vision Upright’s Picture Archiving and Communication System (PACS) server, exposing thousands of medical images and associated patient information.
What Went Wrong
- No risk analysis. OCR determined that Vision Upright had never conducted a HIPAA risk analysis—not once
- No breach detection. Unauthorized PACS access went undetected until reported externally
- Delayed notification. Vision Upright failed to comply with HIPAA’s 60-day breach notification requirement
- Inadequate access controls. No multi-factor authentication, no role-based restrictions on PACS access
- Poor documentation. When OCR investigated, Vision Upright couldn’t demonstrate any security practices
Affected Individuals: 298,532 patients (medical images often constitute the most sensitive PHI)
The Penalties
- OCR settlement: $350,000
- Two-year corrective action plan with mandatory annual risk assessments
- Required PACS security upgrade: Implement access controls, encryption, audit logging
- Mandatory breach response plan: Develop and test procedures
- Workforce security training: Emphasis on imaging data protection
Why This Case Matters
Vision Upright’s case shows OCR’s expanded focus on risk management compliance. The organization can’t just claim they didn’t know about vulnerabilities—OCR now demands documented, thorough risk assessments and proof that risks are actively managed. Medical imaging providers and specialty practices are increasingly targeted as OCR recognizes they handle highly sensitive PHI but often lack enterprise-grade security.
Key Lessons
- Vendor security is your responsibility. Just because a vendor offers a service doesn’t mean it’s HIPAA-compliant. Your organization is liable for vendor choices.
- Telehealth requires specific safeguards. Video conferencing, screen sharing, and recordings require encryption, authentication, and audit trails.
- Cost-cutting can be expensive. Saving $100/month on a cheaper platform cost $750K+ in penalties.
- Workforce training on technology is essential. Clinicians must understand which platforms are secure and which aren’t.
How It Could Have Been Prevented
- Vendor security assessment before platform selection
- Technical requirements document specifying encryption, authentication, and audit logging
- Business Associate Agreement with security requirements and penalties for breaches
- Workforce training on HIPAA-compliant telehealth platforms and best practices
- Compliance audit of telehealth sessions (checking platform usage, encryption status, participant authentication)
The Training Gap: Clinicians weren’t trained on telehealth security. They chose a cheap platform without realizing it violated HIPAA. Evolve’s HIPAA training modules include updated guidance on remote work, telehealth, and digital communication security.
The Common Thread: Why These Breaches Happened
Review these five cases, and you’ll notice a pattern:
- Weak security fundamentals. Encryption, access controls, and audit logging were missing or poorly implemented.
- Inadequate workforce training. Employees didn’t understand HIPAA rules, security risks, or their role in compliance.
- No accountability. No one was specifically responsible for oversight, so gaps went unaddressed.
- Delayed detection and response. Breaches went undetected for months or years. Response plans didn’t exist or weren’t followed.
- Vendor/contractor risks. Business Associates and platform vendors created vulnerabilities the organizations didn’t anticipate.
The good news: All of these are preventable.
From Case Studies to Prevention: A Compliance Checklist
Immediate Actions (This Month)
- ✅ Conduct a risk assessment identifying where PHI is stored, who accesses it, and what safeguards exist
- ✅ Verify all PHI is encrypted at rest and in transit
- ✅ Enable multifactor authentication for all administrative and clinician access
- ✅ Implement audit logging for all PHI access
- ✅ Document a breach response and notification plan
Quarterly Actions
- ✅ Review audit logs for unusual access patterns
- ✅ Audit access rights; remove unnecessary permissions
- ✅ Test breach response plan with a tabletop exercise
- ✅ Patch all systems handling PHI
Annual Actions
- ✅ Conduct penetration testing and security assessment
- ✅ Require workforce completion of HIPAA and security training
- ✅ Review and update all Business Associate Agreements
- ✅ Conduct comprehensive risk assessment
- ✅ Review and update security policies and procedures
Why Workforce Training Is Your Best Offense
Every case study in this guide has a common preventative measure: comprehensive, role-specific workforce training.
When employees understand HIPAA rules, recognize security risks, and know the correct procedures:
- Accidental breaches drop by 60–70%
- Insider threats are detected faster
- Incident response improves dramatically
- Penalties are often reduced if OCR finds evidence of good-faith compliance efforts
The organizations that get fined? They had outdated training, generic one-size-fits-all content, or no documentation of training at all.
Your training should:
- Address real workflows and decision points (not generic rules)
- Include role-specific scenarios (clinicians face different risks than IT staff)
- Be updated annually to reflect new threats and technologies
- Be documented and tracked for audit purposes
- Include practical guidance on reporting breaches and security concerns
Evolve’s HIPAA training programs are designed to prevent the exact mistakes shown in these cases. We provide:
- General HIPAA Compliance Training — for all staff
- Role-Specific Modules — for clinicians, IT, business associates, leadership
- Scenario-Based Learning — real-world workflows and decision points
- Annual Updates — new threats, technologies, and regulatory guidance
- Automated Tracking — documentation for audits and OCR investigations
The Bottom Line
These settlements aren’t just numbers in a spreadsheet. They represent:
- Millions in costs that could have been prevented
- Years of regulatory oversight and mandatory compliance programs
- Patient trust lost
- Organizational reputation damaged
- Leadership turnover and stress
- Operational disruption
Most importantly, they represent organizations that didn’t prioritize compliance training until it was too late.
Your organization doesn’t have to be the next case study. The difference between these organizations and those that avoid violations isn’t luck—it’s deliberate, documented compliance practices backed by workforce training.
Start Preventing the Next Breach
Don’t wait for an OCR investigation to act.
Explore Evolve’s HIPAA Training Programs →
- Comprehensive HIPAA training for all staff
- Role-specific modules for clinicians, IT, business associates, and leadership
- Scenario-based, real-world compliance training
- Automated tracking and documentation for audits
- Annual updates reflecting new threats and regulatory guidance
Or schedule a brief consultation to discuss your organization’s specific compliance risks and training needs.
FAQ
Q: Are these case studies real?
A: These are based on actual OCR enforcement actions, though specific identifiers have been generalized to protect privacy. The OCR publishes summaries of all enforcement actions on hhs.gov/hipaa, and many cases are settled with published financial agreements.
Q: Why are penalties so high?
A: HIPAA penalties are tiered based on negligence level:
- Unknowing violations: $100–$50,000 per violation
- Reasonable cause: $1,000–$50,000 per violation
- Willful neglect: $10,000–$50,000 per violation
When an organization has no documentation of compliance efforts (like training records or risk assessments), the OCR classifies it as “willful neglect,” leading to maximum penalties.
Q: How long does an OCR investigation take?
A: Typically 18–36 months from complaint to settlement. During this time, the organization is under intense scrutiny, must produce thousands of documents, and faces operational disruption.
Q: Can our organization negotiate a penalty?
A: Sometimes. If you demonstrate good-faith compliance efforts (documented training, security assessments, incident response procedures), the OCR may reduce penalties. Organizations with no documentation almost never negotiate successfully.
Q: What if a vendor or business associate is responsible?
A: You’re still liable. As the covered entity, you’re ultimately responsible for your vendors’ compliance. You should have vetted them, required a BAA with security clauses, and audited them. That’s what the OCR will argue.
Q: How do we know if we’ve been breached?
A: Most breaches are discovered through:
- Customer complaints (“Why did I get a bill for something I didn’t authorize?”)
- Ransomware notices
- Forensic investigations after suspicious activity
- Accidental disclosures (misdirected emails, unencrypted backups)
- OCR complaints (someone reports you)
Proactive monitoring and audit logging catch breaches much faster.
Additional Resources & Real Case Documentation
Official OCR Enforcement:
- HHS OCR Resolution Agreements & Settlements Database — Browse all OCR settlements and resolution agreements by date
- HIPAA Breach Notification Database (searchable by organization) — Explore reported breaches by state, healthcare sector, and incident type
- OCR Enforcement Actions & Examples — Real-world HIPAA violation case summaries
- OCR Press Room & News — Latest OCR enforcement announcements
Referenced Cases in This Post:
- Montefiore Medical Center $4.75M Settlement (Feb 2024)
- Solara Medical Supplies $3M Settlement (Jan 2025)
- Bryan County Ambulance Authority $90K Settlement (Oct 2024)
- Comstar, LLC $75K Settlement (May 2025)
OCR Guidance:
Share this article
Related Posts







