Most Recent HIPAA Violation Real-World Examples

HIPAA violations can have serious consequences for healthcare providers, yet many organizations fall short of compliance unintentionally. So far in 2025, large healthcare data breaches have been reported at a rate of roughly 63.5 per month (i.e., ~1–2 breaches reported every day on average).

In this article, we’ll examine real-world HIPAA violation cases to help you understand what went wrong and how to prevent similar issues in your own practice. 

We’ll review the penalties that followed these violations and highlight key lessons that can guide your efforts to maintain patient privacy and security. From improper handling of patient data to failure to implement adequate security measures, understanding these examples is essential for staying compliant and safeguarding sensitive information. Let’s dive into these cases and ensure you’re taking the necessary steps to avoid costly mistakes.

Cases of HIPAA Violations and Their Consequences

We’ll examine recent real-world HIPAA violations, breaking down what went wrong, what could have been done to prevent it, and the key lessons learned. These cases emphasize the critical need for compliance to avoid significant penalties and safeguard patient privacy.

Summary of the cases (Case, Violation, Penalty):

Delta Dental of Virginia – Data Breach
  • Violation: Unauthorized access to sensitive patient data due to a security vulnerability, exposing the PHI of 146,000 individuals.
  • Penalty: Ongoing investigation; potential future penalties or corrective actions.

Orthopedics Rhode Island — Class‑Action Settlement After Ransomware Attack
  • Violation: Ransomware attack compromising the PHI of 377,731 individuals, including health insurance data, medical records, and treatment information.
  • Penalty: $2.9 million class-action settlement.

Reid Health (Indiana) — Data Breach Linked to Web Tracking Tools
  • Violation: Improper use of the Meta Pixel tool, inadvertently sharing PHI with third parties without patient consent.
  • Penalty: Class-action settlement (terms not publicly disclosed).

Ransomware & Vendor‑/Business‑Associate–Related Breaches Recognized by Regulators (2025)
  • Violation: Ransomware and failure to perform the required risk analysis, leading to a breach of ePHI.
  • Penalty: $175,000 penalty for BST & Co. CPAs.

Cadia Healthcare Facilities — HIPAA Privacy & Breach Notification Settlement
  • Violation: Improper public disclosure of PHI without valid patient authorization; failure to notify affected individuals.
  • Penalty: $182,000 penalty and corrective action plan.

Deer Oaks – The Behavioral Health Solution — HIPAA Privacy/Security Settlement
  • Violation: Failure to conduct a risk analysis, leading to patient data exposure through a coding error and a ransomware attack.
  • Penalty: $225,000 penalty and corrective action plan.

Comstar, LLC — Ransomware Breach & HIPAA Security Rule Settlement
  • Violation: Failure to conduct a proper risk analysis, leading to ePHI exposure in a ransomware attack.
  • Penalty: $75,000 penalty and corrective action plan.

To avoid HIPAA violations and costly penalties, you can use healthcare compliance software such as ComplyAssistant, which helps healthcare teams centralize and automate risk assessments, policy and incident tracking, audits, and compliance tasks. This structured, healthcare-focused GRC platform reduces manual work, improves audit readiness, and keeps you aligned with HIPAA and related regulations across your organization.

Ready to Simplify HIPAA Compliance?

Our intuitive HIPAA compliance software helps you stay secure, meet all regulations, and streamline your processes. Get started today and stay compliant with ease!

Delta Dental of Virginia Data Breach

In November 2025, Delta Dental of Virginia reported a data breach affecting approximately 146,000 individuals. The breach, which occurred in April 2025, was the result of unauthorized access to sensitive patient information due to a vulnerability in their data security protocols. The breach involved the exposure of Protected Health Information (PHI), including personal and dental-related data, impacting Delta Dental’s members. Delta Dental notified the affected individuals and took immediate steps to secure their systems, although the breach raised concerns about the adequacy of their internal security measures and the need for more robust protection of PHI.

The breach is under investigation, and Delta Dental may face penalties or corrective actions from the Department of Health and Human Services (HHS) if found to have violated HIPAA regulations.

Key Takeaways:

  • Protect PHI with Stronger Security: Healthcare organizations must invest in strong security measures to protect sensitive patient data from unauthorized access.

  • Immediate Response is Crucial: Promptly notifying affected individuals and taking corrective actions is essential to mitigating the impact of a data breach.

  • Security Audits Are Key: Regular security audits and vulnerability assessments help prevent potential breaches by identifying weaknesses in data protection practices.

  • Compliance with HIPAA Regulations: Violations of HIPAA regulations can lead to significant financial penalties and corrective action plans, underscoring the importance of ongoing compliance efforts.

Orthopedics Rhode Island — Class‑Action Settlement After Ransomware Attack

In 2025, Orthopedics Rhode Island (Ortho RI) agreed to pay $2.9 million to settle a class‑action lawsuit stemming from a ransomware attack that occurred in September 2024. The attack gave unauthorized access to Ortho RI’s network between September 4 and September 8, 2024; the breach was detected on September 7, 2024. As a result, the protected health information (PHI) of about 377,731 individuals — including names, addresses, dates of birth, billing and health‑insurance claims data, diagnoses, medications, treatment information, test results, and medical images — was compromised.

The lawsuit (consolidated as Lavoie‑Soria et al. v. Orthopedics Rhode Island, Inc.) was brought by multiple patients who argued that Ortho RI failed to follow standard data‑security practices. Although Ortho RI denied wrongdoing, the settlement allows affected individuals to submit claims: eligible class members may receive medical‑record monitoring and either a cash payment of around $100 or, if they document actual losses related to the breach, up to $5,000.

Key Takeaways:

  • Ransomware can trigger massive PHI exposure — A cyberattack affecting one provider led to exposure of hundreds of thousands of individuals’ sensitive health and billing information.

  • Class‑action lawsuits may follow — even without admission of wrongdoing — Even though the provider denied liability, the settlement shows that lawsuits can succeed based on alleged security failures.

  • Financial and corrective consequences are substantial — The $2.9 million settlement plus required monitoring and remediation underscore the cost of insufficient cybersecurity.

  • Prompt detection and response remain critical — The attack was detected quickly (September 7) and followed by a forensic investigation, yet the breach still caused major harm, highlighting that prevention and robust protective measures are indispensable.

  • Patients have recourse — but must act — Eligible individuals need to submit claim forms (by the settlement deadline) to secure compensation or monitoring services.

Reid Health (Indiana) — Data Breach Linked to Web Tracking Tools

In October 2025, Reid Health, a healthcare provider in Indiana, agreed to settle a class‑action lawsuit over allegations that it violated HIPAA privacy standards by improperly sharing patients’ protected health information (PHI) via website tracking tools, including “Meta Pixel.” The lawsuit claimed that Reid Health’s use of Meta Pixel, a tool typically employed for advertising and tracking website engagement, resulted in the unintentional transmission of sensitive patient data to third parties. This breach occurred without the knowledge or consent of the affected individuals, raising concerns about the provider’s practices regarding PHI security in its digital tools.

The class‑action settlement serves as a reminder that HIPAA violations do not always stem from traditional security breaches like hacking; in this case, the breach was tied to improper handling of data within web and marketing tools, which are often overlooked in HIPAA compliance efforts. The case highlighted the need for healthcare providers to be diligent in their use of third‑party services and ensure they adhere to privacy protections when dealing with PHI.

Key Takeaways:

  • Web and Marketing Tools Must Be HIPAA Compliant: Healthcare providers must ensure that all third‑party tools, including website trackers and analytics services, comply with HIPAA standards and do not inadvertently expose PHI to unauthorized entities.

  • Non-Hacking Violations Can Be Costly: HIPAA violations are not limited to hacking incidents; improper use of digital tools that handle PHI can trigger violations and legal consequences.

  • Patient Consent and Transparency Are Essential: Healthcare organizations must ensure transparency and obtain proper consent from patients when utilizing technologies that might share or expose their sensitive data.

  • Data Protection Should Extend to All Digital Interactions: Whether through patient portals, websites, or marketing efforts, healthcare organizations must consider the security of PHI across all platforms and third‑party integrations.

Ransomware & Vendor‑/Business‑Associate–Related Breaches Recognized by Regulators (2025)

In 2025, regulators — most notably the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) — continued to take action against healthcare‑related entities and their business associates whose failure to safeguard electronic protected health information (ePHI) led to ransomware incidents or other security failures. One clear example is the settlement announced in August 2025 with BST & Co. CPAs, LLP, a New York business‑advisory firm that functioned as a business associate for a HIPAA‑covered entity. According to the settlement, BST failed to conduct the thorough risk analysis mandated by the HIPAA Security Rule; as a result, its network was compromised by ransomware in 2019, exposing ePHI belonging to a covered entity’s clients. OCR required BST to pay $175,000, implement a comprehensive corrective‑action plan (CAP), and revamp its risk management, policies, and workforce‑training procedures.

This case is part of a broader pattern: 2025 has seen a spike in enforcement actions under what regulators call the “Risk Analysis Initiative,” driven by a dramatic rise in ransomware and hacking incidents targeting healthcare—and by the recurring failure of many covered entities and their business associates to meet baseline HIPAA safeguards. The healthcare sector remains among the most targeted industries for cyberattacks: as of late 2025 the average cost of a healthcare data breach hovered around $7.42 million, frequently worsened by lengthy breach detection and containment periods. 

Key Takeaways:

  • Business associates are fully liable under HIPAA — As the BST settlement shows, third‑party vendors (not just direct providers) are subject to OCR enforcement if they hold ePHI and fail to comply with required safeguards.

  • Comprehensive risk analysis is non‑negotiable — A root cause of many of these breaches is failure to perform an accurate risk analysis and implement risk‑management plans, which leaves ePHI vulnerable to ransomware and other threats.

  • Ransomware remains a leading breach cause — Healthcare organizations and their associates continue to be prime targets for ransomware, underscoring that cyber‑security in healthcare remains a critical concern.

  • Enforcement and financial consequences are significant — OCR is increasingly using settlements and corrective action plans to address non‑compliance — meaning the cost of negligent security is not just reputational, but also financial and regulatory.

  • Ongoing training, audits, and policy maintenance are essential — Compliance isn’t a one‑time checkbox: to avoid becoming the next headline breach, entities must build continuous risk assessment, audits, policies, and workforce training into their operations.

Cadia Healthcare Facilities — HIPAA Privacy & Breach Notification Settlement (Sep 2025)

In September 2025, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a settlement with Cadia Healthcare Facilities, a group of five Delaware-based rehabilitation, skilled nursing, and long‑term care providers, for improper disclosure of patients’ protected health information (PHI). The investigation began after a 2021 complaint alleged that Cadia had posted a patient’s name, photograph, and details about their condition and treatment on its public website as a “success story,” without obtaining valid, written authorization.

OCR found that Cadia had disclosed the PHI of about 150 patients through its marketing/public‑facing “success story” program without HIPAA‑compliant authorization, and that it lacked sufficient administrative, technical, and physical safeguards to protect PHI. Cadia also failed to issue the required breach notifications to affected individuals.

Under the settlement, Cadia agreed to pay $182,000 and implement a two-year corrective action plan (CAP), including reviewing and revising HIPAA policies and procedures, providing workforce training (including marketing staff), and notifying all individuals whose PHI was impermissibly disclosed. 

Key Takeaways:

  • Marketing & Social‑Media Posts Are Not Exempt: Using patient stories or success stories for promotion still counts as a HIPAA disclosure. Written authorizations are required before using PHI publicly.

  • Safeguards Must Cover Non‑Clinical Departments: Compliance isn’t only for clinical operations — marketing, communications, and social‑media teams must also understand HIPAA obligations and follow policies.

  • Breach Notification Must Be Timely: Failing to notify individuals when PHI has been disclosed improperly or publicly is itself a violation.

  • Corrective Action Plans Often Follow Violations: Settlements typically require policy overhauls, staff training, and ongoing monitoring — illustrating that HIPAA compliance is a continual process.

Deer Oaks – The Behavioral Health Solution — HIPAA Privacy/Security Settlement (July 2025)

In July 2025, OCR announced a settlement with Deer Oaks, a behavioral‑health provider delivering psychological and psychiatric services to residents of long-term care and assisted‑living facilities, following findings of multiple HIPAA violations. The violations involved two separate incidents: first, an online exposure of patient discharge summaries (names, dates of birth, diagnoses, etc.) due to a coding error in a patient portal; and second, a ransomware attack in August 2023 that compromised the ePHI of many individuals. 

OCR determined that Deer Oaks had failed to conduct an accurate and thorough risk analysis as required under the HIPAA Security Rule — which contributed to the vulnerabilities that allowed the exposure and breach. As a result, Deer Oaks agreed to pay $225,000 and entered into a two‑year corrective action plan. The CAP requires a comprehensive risk analysis, implementation of a risk‑management plan, updated policies and procedures, and annual workforce training on HIPAA compliance. 

Key Takeaways:

  • Behavioral‑Health Providers Are Not Immune: Mental health and assisted-living care providers are subject to the same HIPAA Security and Privacy requirements as other medical providers.

  • Risk Assessments Are Fundamental: Failure to conduct or maintain a proper risk analysis significantly increases the likelihood of ePHI exposure — via portal misconfigurations or ransomware attacks.

  • Ransomware & Technical Failures Can Trigger HIPAA Penalties: Security incidents beyond “hacking” — including coding errors or inadequate controls — can lead to major liabilities.

  • Ongoing Compliance Requires Policy, Training, and Governance: Entities must not only have policies in place, but also ensure they’re implemented and that staff are trained and aware, especially when handling sensitive mental‑health information.

Comstar, LLC — Ransomware Breach & HIPAA Security Rule Settlement (May 2025)

On May 30, 2025, OCR announced a settlement with Comstar, LLC — a Massachusetts‑based company that provides billing, collection, and related services to emergency ambulance services — following a ransomware breach that affected ePHI belonging to approximately 585,621 individuals. The breach occurred after an unauthorized actor encrypted Comstar’s network servers; Comstar did not detect the intrusion until a week after the initial attack. 

OCR concluded that Comstar failed to perform an accurate and thorough risk analysis of the vulnerabilities to the confidentiality, integrity, and availability of the ePHI it stored, in violation of the HIPAA Security Rule. As part of the settlement, Comstar agreed to pay $75,000 and implement a corrective action plan — including a comprehensive risk analysis, risk management, revised policies and procedures, and mandatory workforce training. 

Key Takeaways:

  • Business Associates Are Equally Accountable: Entities that provide non‑clinical services (billing, collections, ambulance support) but handle PHI must comply with HIPAA and are subject to enforcement.

  • Ransomware Threat Remains Substantial: A breach affecting over half a million individuals underscores how damaging cyberattacks can be, both in scale and compliance consequences.

  • Risk Analysis & Management Are Core Requirements: Neglecting to conduct or update security risk assessments and management plans leaves ePHI vulnerable — and can lead directly to enforcement actions.

  • Corrective Actions Include Policy, Enforcement, and Training: Remediation is not only financial; organizations must overhaul their security posture, procedures, and workforce awareness to regain compliance.

Conclusion

HIPAA compliance is not just a legal requirement—it’s essential to maintaining patient trust and safeguarding sensitive health information. From understanding the key components of the law to preventing violations through proper training and strong security practices, every healthcare provider has a role to play in protecting patient privacy.

By learning from real-world HIPAA violation examples and implementing proactive strategies, you can significantly reduce the risk of costly fines and reputational damage. Remember, compliance isn’t a one-time effort—it’s an ongoing process that requires attention, vigilance, and the right tools.

Our HIPAA Compliance Software is designed to make this process easier, more efficient, and more effective. With automated tools, regular audits, and built-in risk management features, our software helps you stay on top of your compliance responsibilities. Protect your patients, your practice, and your peace of mind by investing in a solution that simplifies compliance and reduces the risk of HIPAA violations.

FAQs | HIPAA Violations

What are common examples of HIPAA violations?

Common examples include:

  • Unauthorized access to patient records by staff members.

  • Failure to encrypt data during storage or transmission.

  • Sharing PHI without consent (e.g., via social media or marketing).

  • Ransomware attacks compromising PHI.

  • Failure to conduct risk assessments, leading to data breaches.

What happens if a healthcare provider commits a HIPAA violation?

If a healthcare provider commits a HIPAA violation, they could face civil or criminal penalties, including fines ranging from thousands to millions of dollars. The provider may also be required to implement corrective actions, such as workforce training and improved security measures.

How are HIPAA violations reported?

HIPAA violations are typically reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Healthcare organizations are also required to notify affected individuals if their PHI is breached.

How can HIPAA violations be prevented?

To prevent violations, healthcare organizations should:

  • Implement strong data encryption protocols.

  • Conduct regular risk assessments and security audits.

  • Train staff on HIPAA compliance.

  • Ensure proper access controls are in place.

  • Stay up to date with regulatory changes.

Ken Reiher

After more than 20 years of consulting and management experience in healthcare, I understand how quickly things can shift. My prior work in revenue cycle, finance, corporate compliance and auditing helped me appreciate the importance of building relationships to develop strategies and facilitate required change. In my current role as VP of Operations for ComplyAssistant, I wear quite a few hats, managing business operations, supporting consulting engagements, assisting with product development and supporting client engagement. I enjoy working directly with clients, listening to their needs, and working hand-in-hand with the software development team to create solutions that work for the modern needs of security and compliance in healthcare and other verticals. I received my BS and MBA degrees from Fairleigh Dickinson University Madison. And, I’m honored in my role to contribute to various industry publications, and to be affiliated with HIMSS (NJ, NY, Delaware Valley and National), NJPCA, NJAMHAA and HFMA (NJ and National).