HHS' Office for Civil Rights reports $28.7M in payments for record HIPAA enforcement year

The Department of Health and Human Services Office for Civil Rights had a record year for settlements from its enforcement of the nation's largest healthcare privacy law. 

In 2018, OCR settled 10 cases and secured one judgment totaling $28.7 million in fines for violations of the Health Insurance Portability and Accountability Act (HIPAA) by healthcare providers and health-related companies. That is 22% higher than the previous record of $23.5 million in 2016.

The record was due in part to the single largest HIPAA settlement in history: $16 million from Anthem Inc. The insurer agreed in October to pay HHS that amount for a landmark 2015 breach that affected nearly 79 million consumers.

An investigation by OCR found that the insurance giant failed to conduct an enterprise-wide risk analysis, regularly review system activity or identify and respond to a known threat.

Date        Name                                                Amount
Jan. 2018   Filefax Inc. (settlement)                           $100,000
Jan. 2018   Fresenius Medical Care North America (settlement)   $3.5M
June 2018   MD Anderson (judgment)                              $4.35M
Aug. 2018   Boston Medical Center (settlement)
Sep. 2018   Brigham and Women's Hospital (settlement)           $384,000
Sep. 2018   Massachusetts General Hospital (settlement)         $515,000
Sep. 2018   Advanced Care Hospitalists (settlement)             $500,000
Oct. 2018   Allergy Associates of Hartford (settlement)         $125,000
Oct. 2018   Anthem Inc. (settlement)                            $16M
Nov. 2018   Pagosa Springs (settlement)                         $111,400
Dec. 2018   Cottage Health (settlement)                         $3M
            Total (settlements and judgment)                    $28.7M


The previous record settlement was $5.5 million in 2016.

  • The University of Texas MD Anderson Cancer Center was ordered to pay a $4.3 million penalty issued by an administrative law judge in June, the second summary judgment victory in OCR's history of HIPAA enforcement. The cancer center faced penalties over three data breaches dating back to 2012 and 2013, when an unencrypted laptop was stolen from an MD Anderson employee and two unencrypted USB thumb drives containing information on 33,500 patients were lost.

    An investigation found that MD Anderson had written encryption policies dating back to 2006, and an internal risk analysis found a lack of encryption on hospital-owned devices posed a security risk.
  • Fresenius Medical Care, which operates more than 2,200 dialysis clinics along with outpatient cardiac and vascular labs and urgent care centers, agreed to a $3.5 million settlement after an OCR investigation revealed that the company failed to perform an accurate and thorough risk assessment, a failure that led to five separate data breaches over a five-month period in 2012.
  • Cottage Health agreed to pay $3 million to OCR and "to adopt a substantial corrective action plan" after OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information affecting over 62,500 individuals in 2013 and 2015. Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Valley Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital in California.