Every healthcare practice in the United States is subject to the Health Insurance Portability and Accountability Act. That includes solo dental offices, behavioral health clinics, ambulance services, and multi-location health systems. No organization is too small to draw the attention of the HHS Office for Civil Rights, and the financial consequences of noncompliance have never been higher.
Between 2024 and early 2026, OCR collected over $9 million in HIPAA penalties through settlements and civil monetary penalties. The agency launched a dedicated Risk Analysis Initiative in late 2024, and enforcement actions are accelerating. This is not a trend that favors the unprepared.
Below are real enforcement cases drawn from the HHS OCR breach portal. Each one illustrates a specific compliance failure, the penalty it triggered, and the corrective action the organization was required to implement. If any of these scenarios sound familiar, your practice may be at risk right now.
Understanding the Four HIPAA Penalty Tiers
Before examining specific cases, it helps to understand how OCR calculates penalties. HIPAA violations fall into four tiers based on the level of culpability. The 2025 inflation-adjusted amounts (the most recent published figures) are:
Tier 1 (Did Not Know): The covered entity was unaware of the violation and could not have reasonably avoided it. Minimum $145 per violation, maximum $73,011 per violation.
Tier 2 (Reasonable Cause): The violation was due to reasonable cause, not willful neglect. Minimum $1,461 per violation, maximum $73,011 per violation.
Tier 3 (Willful Neglect, Corrected): The violation resulted from willful neglect but was corrected within 30 days. Minimum $14,602 per violation, maximum $73,011 per violation.
Tier 4 (Willful Neglect, Not Corrected): The violation resulted from willful neglect and was not corrected within 30 days. Minimum $73,011 per violation, maximum $2,190,294 per violation.
The annual cap for identical violations of the same provision is $2,190,294 across all tiers. These numbers are adjusted for inflation each year. A single breach can involve multiple violations of multiple provisions, which is how penalties climb into the millions.
9 Real HIPAA Enforcement Cases and What They Cost
1. Montefiore Medical Center: $4.75 Million (February 2024)
What happened: An employee at this New York hospital system accessed the medical records of 12,517 patients over a six-month period, copied their information, and sold it to identity thieves. The New York Police Department notified Montefiore after discovering evidence of the criminal activity.
What OCR found wrong: Montefiore had failed to conduct an accurate risk analysis, failed to implement procedures for regularly reviewing audit logs and access reports, and lacked mechanisms to examine activity in systems containing ePHI.
Penalty: $4.75 million settlement plus a two-year monitored corrective action plan.
The lesson: Insider threats are real. If your practice does not review access logs or audit who is opening patient records, you will not catch unauthorized access until someone else tells you about it.
2. Gulf Coast Pain Consultants: $1.19 Million (December 2024)
What happened: The Florida pain management practice hired a contractor in 2018 and gave them system access. When the contractor's services ended in August 2018, no one revoked the credentials. Between September 2018 and February 2019, someone used those credentials to access the PHI of over 34,000 individuals and file 6,500 fraudulent Medicare claims.
What OCR found wrong: Four Security Rule violations: no risk analysis, no procedures for reviewing system activity, no procedures for terminating former workforce members' access, and no procedures for establishing and modifying access rights.
Penalty: $1.19 million civil monetary penalty.
The lesson: Access management is not optional. Every practice needs a documented process for onboarding and, critically, offboarding anyone who touches ePHI. When a contractor or employee leaves, access must be revoked the same day.
3. Heritage Valley Health System: $950,000 (July 2024)
What happened: This Pennsylvania health system suffered a ransomware attack that encrypted ePHI and disrupted operations.
What OCR found wrong: Heritage Valley had not conducted a thorough security risk analysis, lacked policies for responding to emergencies that damage systems containing ePHI, and had not implemented technical controls to restrict system access to authorized users.
Penalty: $950,000 settlement plus a three-year corrective action plan requiring a comprehensive security risk analysis and enterprise-wide risk management plan.
The lesson: Ransomware exploits known vulnerabilities. A risk analysis would have identified the gaps before an attacker did. After-the-fact remediation costs far more than proactive compliance.
4. Children's Hospital Colorado: $548,265 (December 2024)
What happened: Two separate phishing attacks compromised hospital email accounts. In the first incident, multi-factor authentication had been disabled on an email account containing the PHI of 3,370 individuals. The second incident compromised three email accounts, exposing 10,840 individuals' records.
What OCR found wrong: Violations of both the HIPAA Privacy and Security Rules. The hospital waived its right to a hearing and did not contest OCR's findings.
Penalty: $548,265 civil monetary penalty.
The lesson: Multi-factor authentication is one of the most effective defenses against phishing. Disabling it, even temporarily, creates an opening that attackers will find. Training staff to recognize phishing is important, but technical controls are the real safety net.
5. USR Holdings: $337,750 (January 2025)
What happened: An unauthorized third party gained access to a database containing the ePHI of over 2,900 individuals. The intruder was able to both access and delete records from the database.
What OCR found wrong: Failures under the HIPAA Privacy and Security Rules, including inadequate access controls and insufficient safeguards for ePHI.
Penalty: $337,750 settlement with required corrective actions.
The lesson: Even organizations with relatively small patient populations face six-figure penalties. The size of your practice does not determine the size of your fine.
6. Yakima Valley Memorial Hospital: $240,000 (June 2023)
What happened: Twenty-three security guards at this Washington state hospital used their login credentials to access the medical records of 419 patients. None of the access was related to their job duties.
What OCR found wrong: The hospital failed to implement policies and procedures to prevent, detect, contain, and correct security violations. It also failed to implement procedures for regularly reviewing information system activity.
Penalty: $240,000 settlement plus a corrective action plan.
The lesson: Access to ePHI must follow the minimum necessary standard. Security guards, front desk staff, billing clerks, and anyone else who does not need patient records for their specific job function should not have access to them. Role-based access controls prevent this violation entirely.
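As an added illustration (not from the article or from any organization named in it): a minimal Python review of an ePHI access log that flags the three patterns behind the Gulf Coast Pain, Yakima Valley, and Montefiore cases above, namely credentials used after a termination date, clinical records opened by roles that do not need them, and one account opening an unusual number of patient records in a day. The roster, role list, log entries, and the 20-patients-per-day threshold are constructed sample values, not data from the cases.

```python
from collections import defaultdict
from datetime import date

# Constructed workforce roster: user_id -> (role, termination date or None).
WORKFORCE = {
    "contractor01": ("billing_contractor", date(2018, 8, 31)),  # offboarded, never deprovisioned
    "nurse_a": ("nurse", None),
    "guard_b": ("security_guard", None),
    "clerk_c": ("billing_clerk", None),
}

# Roles whose job function requires clinical records (minimum necessary standard).
CLINICAL_ROLES = {"nurse", "physician"}

# Constructed ePHI access log entries: (date, user_id, patient_id, record_type).
ACCESS_LOG = [
    (date(2018, 9, 3), "contractor01", "P1001", "clinical"),
    (date(2018, 9, 3), "nurse_a", "P1002", "clinical"),
    (date(2018, 9, 4), "guard_b", "P1003", "clinical"),
    (date(2018, 9, 4), "clerk_c", "P1004", "billing"),
    (date(2018, 9, 4), "clerk_c", "P1005", "clinical"),
    (date(2018, 9, 5), "ghost_x", "P1006", "clinical"),
]


def review_access_log(log, workforce, clinical_roles):
    """Return (date, user, patient, reason) for every entry a reviewer should examine."""
    findings = []
    for when, user, patient, record_type in log:
        role, terminated = workforce.get(user, (None, None))
        if role is None:
            findings.append((when, user, patient, "account not on workforce roster"))
        elif terminated is not None and when > terminated:
            findings.append((when, user, patient, "access after termination date"))
        elif record_type == "clinical" and role not in clinical_roles:
            findings.append((when, user, patient, f"clinical record opened by {role}"))
    return findings


def flag_bulk_access(log, max_patients_per_day=20):
    """Return (user, date, distinct patients) where one account exceeds the daily threshold."""
    seen = defaultdict(set)
    for when, user, patient, _ in log:
        seen[(user, when)].add(patient)
    return sorted((u, d, len(p)) for (u, d), p in seen.items() if len(p) > max_patients_per_day)


if __name__ == "__main__":
    for finding in review_access_log(ACCESS_LOG, WORKFORCE, CLINICAL_ROLES):
        print("REVIEW:", *finding)
```

Run against a real export, the same two functions give a reviewer a short list to examine each day instead of a log nobody reads, which is the "procedures for regularly reviewing system activity" OCR cited in all three cases.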
7. Bryan County Ambulance Authority: $90,000 (October 2024)
What happened: This Oklahoma ambulance service was hit by a ransomware attack that encrypted the ePHI of 14,273 patients. The attack was the trigger for OCR's investigation, but the underlying problem was more fundamental.
What OCR found wrong: Bryan County Ambulance Authority had never conducted a security risk analysis. Not an outdated one. Not an incomplete one. They had never performed one at all.
Penalty: $90,000 settlement, corrective action plan, and the distinction of being the first penalty under OCR's new Risk Analysis Initiative.
The lesson: A risk analysis is the single most fundamental requirement of the HIPAA Security Rule. It is the foundation everything else is built on. If you have not done one, you are exposed on every front.
8. Elgon Information Systems: $80,000 (January 2025)
What happened: Elgon, a Massachusetts-based business associate providing EMR and billing support to covered entities, was hit by a ransomware attack.
What OCR found wrong: Elgon had failed to conduct an accurate and thorough risk analysis of potential risks to the confidentiality, integrity, and availability of ePHI. This was OCR's second enforcement action under the Risk Analysis Initiative.
Penalty: $80,000 settlement plus a three-year corrective action plan.
The lesson: Business associates are directly liable under HIPAA. If your practice uses a third-party billing service, IT vendor, or cloud platform that handles ePHI, that vendor must be HIPAA-compliant and you must have a Business Associate Agreement in place. Their failure is your exposure.
9. Gums Dental Care: $70,000 (October 2024)
What happened: A patient requested copies of her and her children's medical records. The dental practice did not provide them. After OCR intervened and the patient resubmitted the request, the practice still did not respond. OCR sent a data request letter. Gums Dental did not reply. OCR followed up twice and sent a certified letter. Still no response.
What OCR found wrong: Willful neglect of the HIPAA Right of Access rule. The violation persisted from August 2019 through March 2022.
Penalty: $70,000 civil monetary penalty, classified at the willful neglect level.
The lesson: Patients have a legal right to their records within 30 days. Ignoring requests, even from a single patient, can trigger an OCR investigation. A $70,000 penalty for failing to hand over a file is one of the most avoidable fines in healthcare.
The Five Most Common Violations in Small Practices
Large health systems make headlines, but small and mid-sized practices are increasingly in the crosshairs. These are the violations OCR finds most often:
1. No security risk analysis. This is the number one finding in OCR investigations. The Risk Analysis Initiative launched in 2024 specifically targets this gap. Every covered entity and business associate is required to conduct one, regardless of size.
2. No Business Associate Agreements. If your billing company, IT provider, shredding service, or cloud storage vendor touches PHI, you need a signed BAA. Providence Medical Institute paid $240,000 in 2024 in part because of a missing BAA. MedEvolve paid $350,000 in 2023 for the same failure.
3. Unencrypted devices and systems. Stolen or lost laptops, tablets, and USB drives account for a disproportionate share of reported breaches. Encryption is an addressable safeguard under the Security Rule, meaning if you choose not to implement it, you must document why and implement an equivalent alternative.
4. Insufficient workforce training. Staff who do not understand HIPAA are staff who will violate it. Snooping, phishing susceptibility, improper disposal of paper records, and accidental disclosures all trace back to inadequate training. Annual training is the minimum. High-risk roles need more.
5. Failure to provide patient records. OCR's Right of Access Initiative has resulted in over 50 enforcement actions since its launch. Penalties range from $3,500 to $240,000. The rule is simple: provide records within 30 days, charge a reasonable cost-based fee, and do not obstruct the request.
How BayArea Compliance Prevents These Failures
Every case above shares a common thread: the violation was preventable. The controls exist. The policies are well-established. What was missing was implementation, and that is exactly where BayArea Compliance operates.
HIPAA risk analysis and risk management. We conduct the thorough, documented risk analysis that OCR requires, then build a risk management plan that addresses every identified vulnerability. This is the single control that would have changed the outcome in the majority of cases listed above.
Policy development and BAA management. We draft, review, and maintain your HIPAA policies, including Business Associate Agreements with every vendor that handles PHI. No gaps, no missing signatures, no exposure.
Workforce training. Our HIPAA training programs cover the Privacy Rule, Security Rule, and Breach Notification Rule, tailored to each role in your practice. Staff learn to recognize phishing, handle records requests, and understand why snooping ends careers.
Access controls and audit procedures. We help implement role-based access, multi-factor authentication, and regular audit log review, the exact controls that Montefiore, Gulf Coast Pain, and Yakima Valley were missing.
Ongoing compliance monitoring. HIPAA compliance is not a one-time project. Regulations change, staff turns over, and new threats emerge. Our COMPLIANCE|360 program provides continuous monitoring, annual reassessment, and direct support when issues arise.
The practices that avoid these headlines are not lucky. They are prepared.
Call 833-247-OSHA to schedule a HIPAA compliance assessment. We will identify your gaps before OCR does, and build a plan to close them. Every case in this article was preventable. Yours can be too.
BayArea Compliance provides HIPAA compliance services, security risk analysis, workforce training, and ongoing compliance management for healthcare practices across 44 states. To learn how COMPLIANCE|360 protects your practice, call 833-247-OSHA or request a compliance assessment today.