top of page

HIPAA Radar

HIPAA Radar tracks publicly disclosed enforcement actions, settlements, corrective action plans, and penalty decisions under the Health Insurance Portability and Accountability Act (HIPAA). Its purpose is to provide a clear, practical view of how U.S. regulators enforce healthcare privacy and security obligations in real cases.

 

The radar brings together key information on enforcement trends, including the regulator, the covered entity or business associate involved, the financial penalty or settlement amount, the legal basis of the violation, and the core compliance failures identified in each matter. By presenting these cases in one place, HIPAA Radar helps privacy, legal, compliance, and security teams better understand which weaknesses most often lead to regulatory scrutiny and enforcement.

 

More than a list of enforcement outcomes, HIPAA Radar is designed as a working compliance resource. It shows how regulators approach issues such as risk analysis, access controls, business associate agreements, impermissible disclosures, breach notification, workforce training, and safeguards for protected health information. This makes it easier to translate enforcement activity into practical lessons for internal compliance programs, privacy governance, and healthcare risk management.

MMG Fusion, LLC

Public penalty

$10 000

Date

March 5, 2026

Core issue

Impermissible disclosure of PHI

Main public findings

OCR publicly concluded that PHI was impermissibly exposed or disclosed and safeguards were not sufficient.

Read More

Concentra, Inc.

Public penalty

$112 500

Date

December 16, 2025

Core issue

Patient right of access

Main public findings

OCR publicly found a failure to provide requested records on time, which resulted in a settlement.

Read More

BST & Co. CPAs, LLP

Public penalty

$175 000

Date

August 18, 2025

Core issue

Phishing / email compromise

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Deer Oaks – The Behavioral Health Solution

Public penalty

$225 000

Date

July 7, 2025

Core issue

Impermissible disclosure of PHI

Main public findings

OCR publicly concluded that PHI was impermissibly exposed or disclosed and safeguards were not sufficient.

Read More

BayCare Health System

Public penalty

$800 000

Date

May 28, 2025

Core issue

Insider access and monitoring failures

Main public findings

OCR publicly cited weak workforce access controls, insufficient monitoring, and failures to detect or prevent improper PHI access.

Read More

Comprehensive Neurology

Public penalty

$25 000

Date

April 25, 2025

Core issue

Ransomware / cybersecurity safeguards

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Guam Memorial Hospital Authority

Public penalty

$25 000

Date

April 17, 2025

Core issue

Ransomware / cybersecurity safeguards

Main public findings

OCR publicly cited weak workforce access controls, insufficient monitoring, and failures to detect or prevent improper PHI access.

Read More

Health Fitness Corporation

Public penalty

$227 816

Date

March 21, 2025

Core issue

Security Rule noncompliance

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Warby Parker, Inc.

Public penalty

$1 500 000

Date

February 20, 2025

Core issue

Security Rule noncompliance

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Memorial Health System

Public penalty

$60 000

Date

January 15, 2025

Core issue

Patient right of access

Main public findings

OCR publicly found a failure to provide requested records on time, which resulted in a settlement.

Read More

USR Holdings, LLC

Public penalty

$337 750

Date

January 8, 2025

Core issue

Loss / deletion of ePHI

Main public findings

OCR publicly described deletion of ePHI and related safeguards failures, including lack of retrievable exact copies and audit activity records and identified compliance failures under Security Rule (risk analysis; activity records; contingency/copies); Privacy Rule.

Read More

Elgon Information Systems

Public penalty

$80 000

Date

January 7, 2025

Core issue

Ransomware / cybersecurity safeguards

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Children’s Hospital Colorado Health System

Public penalty

$548 265

Date

December 5, 2024

Core issue

Insider access and monitoring failures

Main public findings

OCR publicly cited weak workforce access controls, insufficient monitoring, and failures to detect or prevent improper PHI access.

Read More

Holy Redeemer Family Medicine

Public penalty

$35 581

Date

November 26, 2024

Core issue

Impermissible disclosure of PHI

Main public findings

OCR publicly concluded that PHI was impermissibly exposed or disclosed and safeguards were not sufficient.

Read More

Bryan County Ambulance Authority

Public penalty

$90 000

Date

October 31, 2024

Core issue

Ransomware / cybersecurity safeguards

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Gums Dental Care

Public penalty

$70 000

Date

October 17, 2024

Core issue

Patient right of access

Main public findings

OCR publicly found a failure to provide requested records on time, which resulted in a civil money penalty.

Read More

Cascade Eye and Skin Centers

Public penalty

$250 000

Date

September 26, 2024

Core issue

Ransomware / cybersecurity safeguards

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Essex Residential Care (Hackensack Meridian Health / West Caldwell Care Center)

Public penalty

$100 000

Date

April 1, 2024

Core issue

Patient right of access

Main public findings

OCR publicly found a failure to provide requested records on time, which resulted in a civil money penalty.

Read More

Montefiore Medical Center

Public penalty

$4 750 000

Date

February 6, 2024

Core issue

Insider access and monitoring failures

Main public findings

OCR publicly cited weak workforce access controls, insufficient monitoring, and failures to detect or prevent improper PHI access.

Read More

Top of the World Ranch Treatment Center

Public penalty

$103 000

Date

February 19, 2026

Core issue

Phishing / email compromise

Main public findings

OCR publicly described phishing incident involving unauthorized access to an email account containing patient PHI and identified compliance failures under Security Rule (risk analysis).

Read More

Cadia Healthcare Facilities

Public penalty

$182 000

Date

September 30, 2025

Core issue

Impermissible disclosure of PHI

Main public findings

OCR publicly concluded that PHI was impermissibly exposed or disclosed and safeguards were not sufficient.

Read More

Syracuse ASC (Specialty Surgery Center of Central New York)

Public penalty

$250 000

Date

July 23, 2025

Core issue

Ransomware / cybersecurity safeguards

Main public findings

OCR publicly described ransomware attack; delayed notices to affected individuals and HHS Secretary and identified compliance failures under Security Rule (risk analysis); Breach Notification Rule.

Read More

Comstar LLC

Public penalty

$75 000

Date

May 30, 2025

Core issue

Security Rule noncompliance

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Vision Upright MRI

Public penalty

$5 000

Date

May 15, 2025

Core issue

Exposed system / misconfiguration

Main public findings

OCR cited inadequate risk analysis and related security controls, together with delayed or missing breach notifications.

Read More

PIH Health, Inc.

Public penalty

$600 000

Date

April 23, 2025

Core issue

Phishing / email compromise

Main public findings

OCR publicly described phishing attack compromised 145 employee email accounts; delayed notices to OCR, individuals, and media and identified compliance failures under Security Rule (risk analysis); Privacy Rule (impermissible disclosure); Breach Notification Rule.

Read More

Northeast Radiology

Public penalty

$350 000

Date

April 4, 2025

Core issue

Exposed system / misconfiguration

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Oregon Health & Science University

Public penalty

$200 000

Date

March 6, 2025

Core issue

Patient right of access

Main public findings

OCR publicly found a failure to provide requested records on time, which resulted in a civil money penalty.

Read More

Northeast Surgical Group

Public penalty

$10 000

Date

January 15, 2025

Core issue

Ransomware / cybersecurity safeguards

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Solara Medical Supplies, LLC

Public penalty

$3 000 000

Date

January 14, 2025

Core issue

Impermissible disclosure of PHI

Main public findings

OCR cited inadequate risk analysis and related security controls, together with delayed or missing breach notifications.

Read More

Virtual Private Network Solutions

Public penalty

$90 000

Date

January 7, 2025

Core issue

Ransomware / cybersecurity safeguards

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Inmediata Health Group

Public penalty

$250 000

Date

December 10, 2024

Core issue

Impermissible disclosure of PHI

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Gulf Coast Pain Consultants dba Clearway Pain Solutions Institute

Public penalty

$1 190 000

Date

December 3, 2024

Core issue

Security Rule noncompliance

Main public findings

OCR publicly cited missing or inadequate risk analysis and related HIPAA Security Rule controls.

Read More

Rio Hondo Community Mental Health Center

Public penalty

$100 000

Date

November 19, 2024

Core issue

Patient right of access

Main public findings

OCR publicly found a failure to provide requested records on time, which resulted in a civil money penalty.

Read More

Plastic Surgery Associates of South Dakota

Public penalty

$500 000

Date

October 31, 2024

Core issue

Ransomware / cybersecurity safeguards

Main public findings

OCR publicly described ransomware investigation found multiple HIPAA Security Rule failures and identified compliance failures under Security Rule.

Read More

Providence Medical Institute

Public penalty

$240 000

Date

October 3, 2024

Core issue

Ransomware / cybersecurity safeguards

Main public findings

OCR publicly described ransomware cybersecurity investigation found inadequate restriction of PHI access and business associate agreement failures and identified compliance failures under Security Rule; Business Associate Agreement requirements.

Read More

Heritage Valley Health System

Public penalty

$950 000

Date

July 1, 2024

Core issue

Security Rule noncompliance

Main public findings

OCR publicly described oCR identified multiple HIPAA Security Rule failures and identified compliance failures under Security Rule.

Read More

Phoenix Healthcare

Public penalty

$35 000

Date

March 29, 2024

Core issue

Patient right of access

Main public findings

OCR publicly found a failure to provide requested records on time, which resulted in a settlement.

Read More
bottom of page