Far more data breach lawsuits are filed against healthcare organizations than end with a finding of guilt or an agreement to settle. However, when settlements over large breaches do occur, they can be hugely expensive for companies and health systems. Out-of-court settlements and HIPAA fines serve as reminders of just how vulnerable patients' protected health information is in the age of cyberattacks.
Here are 15 of the most expensive breach settlements and HIPAA fines.
All HIPAA settlement information is from the HHS website.
1. NewYork-Presbyterian Hospital and Columbia University (New York City)
- May 2014
- Deactivation of a network server resulted in the protected health information of more than 6,800 individuals being accessible online.
- $4.8 million HIPAA fine
2. Cignet Health (Temple Hills, Md.)
- February 2011
- Cignet violated patients' rights by denying them access to their medical records following requests to obtain them.
- $4.3 million HIPAA fine
3. Stanford Hospital & Clinics (California)
- March 2014
- Data from 20,000 patient records was found posted online.
- $4 million settlement
4. AvMed (Gainesville, Fla.)
- March 2014
- More than 1 million patient records, including Social Security numbers, were compromised following the theft of two unencrypted laptops.
- $3 million settlement
5. CVS Pharmacy (Woonsocket, R.I.)
- January 2009
- CVS retail pharmacy locations disposed of protected health information in dumpsters.
- $2.25 million HIPAA fine
6. Alaska HHS (Anchorage)
- June 2012
- A portable storage device containing electronic patient data was stolen from an HHS employee.
- $1.7 million HIPAA fine
7. Concentra Health Services (Addison, Texas)
- April 2014
- An unencrypted laptop containing patient data was stolen.
- $1.7 million HIPAA fine
8. WellPoint (Indianapolis)
- July 2013
- The company was found not to have technical safeguards in place to verify the entities accessing its database of protected health information.
- $1.7 million HIPAA fine
9. Massachusetts Eye and Ear Infirmary, Massachusetts Eye and Ear Associates
- September 2012
- An unencrypted laptop containing patient data was stolen.
- $1.5 million HIPAA fine
10. Blue Cross Blue Shield Tennessee (Memphis)
- March 2012
- Fifty-seven unencrypted computer hard drives containing the protected health information of more than 1 million individuals were stolen.
- $1.5 million HIPAA fine
11. Affinity Health Plan (New York City)
- August 2013
- The company returned photocopy machines to a leasing agent without wiping the data of more than 344,500 individuals stored on the machines.
- $1.2 million HIPAA fine
12. Rite Aid (Camp Hill, Pa.)
- July 2010
- Rite Aid chain locations improperly disposed of identifying information in trash containers accessible to unauthorized individuals.
- $1 million HIPAA fine
13. General Hospital Corp./Massachusetts General Physicians Organization (Boston)
- February 2011
- The organization lost the protected health information of 192 patients.
- $1 million HIPAA fine
14. UCLA Health (Los Angeles)
- July 2011
- Complaints were filed against UCLA Health alleging that, from 2005 to 2008, unauthorized employees repeatedly accessed the protected health information of patients.
- $865,000 HIPAA fine
15. Parkview (Ill.) Health System
- June 2014
- Medical records pertaining to up to 8,000 patients were left unattended and accessible in a physician's driveway.
- $800,000 HIPAA fine