How many healthcare data breaches occurred in 2017, and how many of those involved HIPAA violations that resulted in financial penalties? Accurate figures on HIPAA violations are hard to come by, for several reasons.
First, many data breaches are not reported. The Department of Health and Human Services’ Office for Civil Rights (OCR) publishes on its breach portal only the reported breaches that affected 500 or more individuals. The OCR breach portal is nicknamed the “Wall of Shame,” a name that does not quite fit: the organizations listed there suffered data breaches, which are not necessarily violations of the HIPAA Rules. An organization may have invested in cybersecurity defenses and employee security awareness training and still be breached, for example because a patch was not applied promptly or because an employee fell for a phishing email.
Second, only a few state attorneys general publish details of data breaches. Some breaches do result from HIPAA violations, but breaches also happen to healthcare organizations that are fully HIPAA-compliant, and without a detailed investigation it is not possible to say how many actually involved a violation. OCR learns of some potential violations from complaints submitted by patients or employees who believe the HIPAA Rules were violated, but many of those complaints turn out to be unfounded or cannot be substantiated.
Third, settlements and civil monetary penalties are not a reliable gauge of HIPAA violations. The breaches that end in a financial settlement are usually only those with particularly strong evidence of a violation, and cases typically take years to reach settlement. So it is almost impossible to know how many HIPAA violations resulting in monetary penalties actually occur in a given year.
Nevertheless, we can list the healthcare organizations that paid settlements and civil monetary penalties in 2017. See the table below.
| Covered Entity | Penalty Amount | Penalty Type | Reason for Penalty | Date of Violation(s) |
|---|---|---|---|---|
| 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations | 2015 |
| Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI | 2015 |
| St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI | 2014 |
| The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement | 2003-2015 |
| CardioNet | $2,500,000 | Settlement | Impermissible Disclosure of PHI | 2011 |
| Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process | 2011 |
| Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls | 2007-2012 |
| Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI | 2006-2013 |
| MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI | 2011 |
| Presence Health | $475,000 | Settlement | Delayed Breach Notifications | 2013 |
The table shows that the underlying violations occurred between 2003 and 2015, but the settlements and the civil monetary penalty were not paid until 2017.