HIPAA Breaches, Violations and Penalties

Video 10 of 27
1 min 34 sec

In this lesson, we'll be taking an introductory look at HIPAA data breaches, violations, and penalties. And at the end of the lesson, we'll look at some of the more recent healthcare data breaches and what caused them.

In 2008, total HIPAA breach fines were a scant $100,000. And while this may sound like a pretty good amount of money, we've seen these data breach fines jump up every year in ways that may shock you, culminating in a record year in 2017, which no doubt will be broken once 2018's figures are calculated.

Here's a look at how those data breach fines have been growing exponentially:

  2008 $100,000
  2010 $1.3 million
  2012 $4.8 million
  2014 $7.9 million
  2016 $20.7 million
  2017 $23 million
  2018 $28.6 million


As you can see, not only has there been a steady increase in fines every year, but the pace of that increase has itself been accelerating.

Pro Tip: It's important for covered entities to have policies and procedures in place. One way to do this is by creating a Book of Evidence. Not only is this a HIPAA requirement, but it can help protect businesses in case of a data breach, violation, or audit. We'll be digging into the Book of Evidence in a subsequent lesson.

You may recall from the corresponding video for this lesson how an employee kept sticky notes containing passwords at her workstation, in plain sight. This would be an obvious violation of HIPAA security policies, and an obvious example that common sense is actually pretty uncommon.

If, like the person in the video, you can't remember passwords, find a better way to keep them handy and secure, rather than just handy. Putting those sticky notes under your keyboard may seem like a good place, but that's kind of like putting your house keys under your welcome mat or your car keys on top of the visor – in other words, places thieving people will no doubt look.

And since you are required by law to have passwords in order to access PHI, make sure those passwords are complex and your storage location is secure.

A Word About Recent Healthcare Data Breaches

This section is simply meant to give you an idea of how common, varied, and potentially devastating these data breaches can be, by highlighting a few of the more recent healthcare data breaches as of the end of 2019.

New Mexico Hospital Discovers Malware on Imaging Server

Discovered on November 14, 2019

Roosevelt General Hospital in Portales, New Mexico, recently discovered malware on a digital imaging server used by its radiology department. The malware may have allowed cybercriminals to gain access to the radiological images of around 500 patients.

The malware infection was discovered on November 14, 2019, and prompt action was taken to isolate the server in order to prevent further unauthorized access and block communications with the attackers' command and control server. The IT department was able to remove the malware and rebuild the server, and all patient data was recovered. A scan was conducted to identify any vulnerabilities, and the hospital is now satisfied that the server is secure and protected.

The investigation into the breach did not uncover any evidence to suggest that PHI and medical images were viewed or stolen by the hackers, but the possibility of unauthorized data access and PHI theft could not be ruled out.

CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries

Discovered on December 4, 2019

The Centers for Medicare and Medicaid Services (CMS) recently discovered a bug in its Blue Button 2.0 API that exposed the PHI of around 10,000 Medicare beneficiaries. Access to the Blue Button API was temporarily suspended while the CMS completed a comprehensive code review.

On December 4, 2019, the CMS was alerted to a data anomaly with the Blue Button API by a third-party application partner. The CMS confirmed the data anomaly and immediately suspended access to the production environment while the matter was investigated.

The CMS determined the anomaly was due to a coding bug. That bug potentially allowed data to be shared with incorrect Blue Button 2.0 applications and the wrong beneficiaries. The CMS determined that 30 applications were impacted by the bug, in addition to the thousands of people whose PHI was exposed.

Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches

Discovered on November 6, 2019

The State of Colorado recently notified 12,230 individuals about an impermissible disclosure of some of their protected health information as a result of a mailing error. The error occurred on a Colorado Department of Human Services mailing of notices to reapply for food and cash assistance programs.

The error was discovered on November 6, 2019. The investigation revealed that 10,879 notice-to-reapply forms had been sent out containing the information of incorrect individuals. The information of 12,230 individuals had been incorrectly included on the forms.

The information included names, employers, whether the person had a vehicle, and a limited amount of other information related to household resources. No addresses, dates of birth, financial information, Social Security numbers, or other information required for identity theft and fraud were disclosed.

Some Important Points

While these data breach incidents aren't likely to make national headlines the way other healthcare data breaches involving millions of people have over the last year, they are still important for a couple of reasons:

  1. Frequency – These all happened in the last several weeks of 2019, which raises the question: how often is too often?
  2. How they occurred – All three of these breaches had different causes – malware, a software bug, and a mailing error. While it would be easy to chalk up data breaches to hackers and cybercriminals, the truth is that human/employee error accounts for a large number of them as well.