Violations —
Learning from HIPAA Violations: Key Cases and Lessons
HIPAA cases show how weak controls and delays cause fines, highlighting the need for training and risk monitoring.
Share this article
Learning from HIPAA Violations: Key Cases and Lessons
Anonymized "a major healthcare system" examples are easy to write and easy to forget. Named OCR settlements, with real dollar figures and the specific failure that triggered them, are harder to dismiss — and they're public record, searchable directly through HHS's Resolution Agreements database. Here are two of the clearer examples, with what actually made each one worse than it needed to be.
Failure to Encrypt: University of Rochester Medical Center, $3 Million (2019)
URMC, one of New York's largest health systems, lost an unencrypted laptop and flash drive containing patient information. On its own, a stolen device is a security incident, not necessarily a $3 million one. What made this case far more costly: OCR had already provided URMC with technical assistance following a prior, similar breach, and the organization continued using unencrypted mobile devices anyway. OCR's investigation also found URMC hadn't conducted an adequate risk analysis or implemented policies addressing the use of mobile devices and removable media.
The lesson here isn't really about encryption as a technology — it's about what happens when a known, previously-flagged risk goes unaddressed. OCR settlements consistently penalize repeat or ignored risks more heavily than first-time, good-faith incidents. A single encrypted laptop policy failure is a finding; the same failure after OCR already told you about it is a multi-million dollar one.
Improper Disposal: New England Dermatology and Laser Center, $300,640 (2022)
This case involved something far less dramatic than a hack or stolen device: specimen containers with patient name, date of birth, and provider information, thrown into a regular dumpster in the practice's parking lot. A third-party security guard patrolling the lot found them. What turned this into a $300,640 settlement rather than a quiet correction was the duration — OCR's investigation found this had been the practice's standard disposal method for over a decade, from 2011 to 2021, affecting 58,106 patients' information by the time it was caught.
The lesson: HIPAA violations don't require a breach of electronic systems to trigger serious penalties. A physical disposal practice that nobody questioned for ten years is exactly the kind of "we've always done it this way" gap that an internal audit — not a hacker — should have caught years earlier.
The Broader Patterns Behind These and Similar Cases
Beyond these two specific examples, OCR's enforcement history shows consistent patterns worth understanding even without a named case attached to each:
Unauthorized access tends to escalate quickly into multi-million dollar territory when it involves large patient volumes or repeated/systemic access control failures, rather than a single isolated incident — OCR's largest settlements (Anthem's $16 million settlement following its 2015 breach affecting tens of millions of records is the largest on record) tend to involve breadth and duration, not just the existence of unauthorized access.
Delayed breach notification compounds the underlying violation. The Breach Notification Rule requires reporting within 60 days, and OCR has stated explicitly that failing to report on time can constitute "willful neglect," which triggers a different, often harsher penalty tier than the original breach itself.
Insufficient or absent risk analysis is the single most common factor underlying OCR's largest settlements. Across many of OCR's published resolution agreements, the root cause cited isn't usually the specific attack vector (phishing, lost device, improper disposal) — it's that the organization never adequately assessed its risk in the first place, which is why a single missing or stale Security Risk Analysis tends to surface as an aggravating factor across multiple unrelated incident types.
What This Means for Ongoing Compliance
The common thread across OCR's published settlements isn't dramatic technical failure — it's the gap between a known or knowable risk and an organization's actual response to it. URMC knew about its device risk and didn't fix it. NEDLC's disposal practice was never questioned for a decade. Both gaps would have been caught by routine, honest internal review long before OCR got involved.
Conducting a HIPAA Risk Assessment covers the risk analysis work that, in case after case, OCR cites as either present and adequate or the central thing missing. Aligning this work with ISO 27001 and SOC 2 frameworks — both of which require their own ongoing risk assessment and control evidence — can extend the same risk-review discipline across multiple compliance obligations rather than treating HIPAA's risk analysis as an isolated exercise.
In the Spotlight

Start your HIPAA compliance journey with DSALTA's complete checklist.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive health information. Any organization handling protected health information (PHI)— from hospitals to SaaS vendors serving healthcare—must comply.
HIPAA compliance may feel overwhelming, but with DSALTA®’s automation, you can reduce manual work, continuously monitor safeguards, and stay prepared for audits. This checklist outlines the essential steps to meet HIPAA requirements.
Read more about HIPAA compliance with DSALTA.
Stop losing deals to compliance.
Get compliant. Keep building.
Join 100s of startups who got audit-ready in days, not months.




