In October 2018 the company was fined $16 million by the US Department of Health and Human Services for Health Insurance Portability and Accountability Act (HIPAA) violations.
That fine was in addition to the $115 million the company had to pay out in 2017 to settle a class action lawsuit relating to the breach.
The University of Texas MD Anderson Cancer Center: $4.3M
In June 2018 a judge upheld the decision to fine the University of Texas MD Anderson Cancer Center $4.3 million for HIPAA violations. The cancer centre suffered three data breaches between 2012 and 2013, which resulted in the loss of health information of over 33,500 individuals.
In one case an unencrypted laptop was stolen from an employee’s residence. The other two breaches involved the loss of unencrypted USBs.
Fresenius Medical Care North America: $3.5M
HIPAA failures strike again. In February 2018 Fresenius Medical Care North America (FMCNA) was slapped with a bill for $3.5 million after suffering five separate breaches at different company locations between February and July of 2012.
An investigation by the Office for Civil Rights found FMCNA had failed to “conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the health information it was storing across its different entities.”
These failures include not preventing unauthorised access to facilities and equipment, failing to encrypt health data, not governing the removal of electronic media holding health data, and having a lack of security incident procedures.
Cottage Health and Touchstone Medical Imaging: $3M each
2019 has already seen two large HIPAA violations; $3 million each for Cottage Health & Touchstone Medical Imaging.
Cottage health was fined for two breaches — one in 2013 and another in 2015 — resulting in electronic protected health information (ePHI) affecting over 62,500 individuals being leaked. Both incidents involved servers holding ePHI being accessible over the internet.
Tennessee-based Touchstone Medical Imaging was fined after leaving the protected health information (PHI) of over 300,000 patients available online through an exposed FTP server. Touchstone was notified about this exposure by the FBI in 2014 but claimed no patient PHI was exposed.
The US Department of Health and Human Services (HHS) found that Touchstone “did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.”
In addition, the HHS said that notification to individuals affected by the breach was “untimely,” that Touchstone “failed to conduct an accurate and thorough risk analysis of potential risks,” and the company “failed to have business associate agreements in place with its vendors.”
Jackson Health System: $2.15M
Another large HIPAA violation, this time for Miami nonprofit academic medical system Jackson Health System (JHS), which runs a number of hospitals and care centers in Florida. JHS was fined $2.15 million by DHS over several incidents between 2013 and 2016.
Although JHS did report the loss of paper records on 756 patients to DHS in 2013, it failed to report the loss of an additional three boxes of patient records after an internal investigation.
In 2015, JHS discovered two employees had accessed a patient’s electronic medical record without a job-related purpose.
Meanwhile in 2016, JHS reported a breach after finding that an employee had been selling patient data totalling 24,000 patients' records since 2011.
Equifax and Facebook: $650,000 each
Equifax and Facebook can count themselves lucky. In 2018 the UK Information Commissioner’s Office fined the two companies for data failures under the pre-GDPR Data Protection Act, in which the highest possible fine is just £500,000 (~$650,000). Under GDPR, the penalties could have been much higher.