Written By : Terry Turner

Data breaches that expose your private health information can be particularly damaging. If someone steals your credit card information, you can always cancel the card and get a new one. You can’t do that with your medical history.

Your medical records also contain sensitive information about you. You may not want people to know about treatments you’ve received or conditions you have. That information could hurt your chances to get certain jobs or insurance.

Health information breaches can also expose other information useful for identity theft. Your medical records can contain your address, social security number and financial information.

According to the National Cyber Security Alliance, in 2016, there were 450 breaches that exposed the private health information of 27 million Americans.

A federal law commonly referred to as HIPAA protects your rights and sets rules for health care providers and insurers to follow in protecting your privacy.

What Is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act, signed into law in 1996. This law gives you the right to view and receive a copy of your personal healthcare information, but it also limits who else can see, collect or use your information.

[Infographic: Facts about people and their knowledge of their online medical records. Americans find their online medical records useful, but some people have never seen their health information or are unaware they have access to online records.]

The HIPAA privacy rule requires health insurers, most health care providers and organizations that process health information to protect the privacy of your health information. This includes any information that doctors, nurses or other people put in your medical records. It also includes any conversations or other communications they have about your condition or treatment.

Your personal and billing information stored by your health care provider or your health insurer is also protected. Hospitals, insurers, doctors and others may face fines if this information is disclosed or breached.

How Health Information Breaches Happen

HIPAA requires anyone who handles or stores your digital health information to protect it with passwords, encryption or other technology. But there are several ways a data breach of medical records can happen.

The all-time largest health information breach was the 2015 spear phishing attack on Anthem, a licensee of Blue Cross and Blue Shield. The attack exposed tens of millions of patients’ records and cost the insurance company more than $130 million in penalties and settlements.

Fact
The 2015 Anthem health information breach exposed names, social security and medical ID numbers, employment information and addresses of 79 million people.

Spear phishing, used in the Anthem cyberattack, involves sending emails that appear to be from a trusted sender — often someone in the same company. When an employee clicks on a link or attachment in the email, the scammers gain access to the company’s network.

But some breaches are less sophisticated.

In 2015, medical records company Filefax reported it had potentially exposed the personal health information of 2,150 people after medical records were left in an unlocked truck in its parking lot.

The University of Texas MD Anderson Cancer Center reported a breach after the theft of a center-owned laptop from an employee’s home and the loss of two thumb drives. The devices contained the personal information of more than 33,000 people.

Even Small Breaches Can Be Devastating

It doesn’t take a breach of thousands of patient records to be harmful. Sometimes a leak that affects just one or two people can have serious consequences.

This can happen when a doctor, nurse or other health care worker shares a patient’s medical information without their permission.

There have been cases where health workers posted patients’ lab results to social media. A New Jersey hospital worker was accused of leaking medical records of an 11-year-old’s suicide attempt to people at his school. As a result, the boy’s peers bullied him.

In 2013, a Florida nurse found records showing that a relative had secretly given birth and put a baby up for adoption. She shared the information with family members.

Leaking a single patient’s medical information can have serious consequences. The nurse in Florida was fired and forced to surrender her nursing license.

A medical group was sued when it took a patient to court over a $326 debt. In the public court filing, the company mentioned that the man had been diagnosed with HIV. The man was able to get the court record sealed and a jury awarded him $1.25 million.

Settlements and Judgments for Breaches

Most attention surrounding HIPAA privacy violations goes to large breaches that reveal a lot of people’s personal or medical information — and there have been quite a few of them. The U.S. Department of Health and Human Services has a long list on its website of agreements and penalties it has won and collected from major health care providers, going all the way back to 2008.

The largest was a $16 million penalty that insurer Anthem paid in October 2018. It was one of 11 settlements or judgments that HHS’s Office for Civil Rights collected that year from organizations that violated HIPAA privacy rules.

HIPAA Enforcement Judgments & Settlements, 2018

| Company or Organization | Issues | Amount of Settlement or Judgment |
|---|---|---|
| Filefax, Inc. | Failing to secure patient health information | $100,000 |
| Fresenius Medical Care North America | 5 breaches reported in 6 months | $3,500,000 |
| MD Anderson | Loss of a computer and thumb drives containing information on 33,500 people | $4,348,000 |
| Boston Medical Center | Allowing ABC-TV crews to film a documentary without patient authorization | $100,000 |
| Brigham and Women’s Hospital | Allowing ABC-TV crews to film a documentary without patient authorization | $384,000 |
| Massachusetts General Hospital | Allowing ABC-TV crews to film a documentary without patient authorization | $515,000 |
| Advanced Care Hospitalists | Failure to comply with multiple HIPAA requirements for more than 8 years | $500,000 |
| Allergy Associates of Hartford | Doctor improperly revealed patient information during television news interview | $125,000 |
| Anthem, Inc. | Cyberattack exposed personal information of 79 million people | $16,000,000 |
| Pagosa Springs Medical Center | Former employee continued to have access to personal health information of 557 patients | $111,400 |
| Cottage Health | Two breaches that exposed information of 62,500 people | $3,000,000 |
| TOTAL | | $28,683,400 |

In addition to the penalty Anthem paid to the federal government, it paid another $115 million to settle lawsuits filed by people who had their information exposed.

Protecting Your Health Information

HIPAA lets you send your health information to anyone you want. This can be helpful if you are sending it to a trusted family member or another health care provider.

However, you should be careful storing or sharing your health information on a mobile app, on your computer or with other people. Once you share it, your health care provider is no longer responsible for its security.

How to Protect Your Health Information
  • Never post any medical information online unless you want the whole world to know
  • Use passwords or encryption to protect health information on your computer or in emails
  • Beware of free medical services or other attempts to pry private medical information from you
  • Shred insurance forms, prescriptions and physician documents to prevent medical identity theft

HIPAA only requires that health care workers, institutions and health insurance-related industries protect your medical privacy. If you share your health information with anyone else, they may not be covered by the law. They could share your information without fearing penalties or prosecution.

Beware of Sharing on Health Care Apps

New health-focused phone apps are showing up almost daily. But HIPAA privacy protections don’t cover a lot of them. It’s important that you read any privacy policy before downloading and using a health-related app.

There aren’t a lot of federal regulations on what an app maker can do with your health information once you upload it. In many cases, it may be legal for the app maker to sell, re-purpose or share your information with others.

What to Do If Your Health Information Is Breached

If you think your health information has been compromised, you should contact your insurance company or health care provider. You can also file a complaint with the Office for Civil Rights in the U.S. Department of Health and Human Services, or contact the Attorney General’s Office in your state.

If the company or person responsible for exposing or sharing your health information is not covered by HIPAA, you may be able to file a complaint with the Federal Trade Commission.

You may also be able to file a health information breach lawsuit. Patients can’t sue directly for HIPAA violations. But you may be able to sue under other laws for the damage that a breach causes you. Talking with a lawyer who specializes in privacy issues could help you decide if you have a case.

Last Modified: January 16, 2020

22 Cited Research Articles

  1. Alvarez, B., McGlaughlin, C., and Wirth, A. (2017, November 9). Health Information Privacy – Why Should We Care? National Cyber Security Alliance. Retrieved from https://staysafeonline.org/blog/health-information-privacy-care/
  2. Becker’s Healthcare. (2019, January 19). Healthcare Breaches Cost $6.2B Annually. Retrieved from https://www.beckershospitalreview.com/healthcare-information-technology/healthcare-breaches-cost-6-2b-annually.html
  3. Chard Snyder Benefit Solutions. (2018, November 27). What Is Considered a HIPAA Breach? Retrieved from https://www.chard-snyder.com/employers-and-advisors/compliance-watch/what-is-considered-a-hipaa-breach
  4. Davis, J. (2018, December 19). The 10 Biggest U.S. Healthcare Data Breaches of 2018. Health IT Security. Retrieved from https://healthitsecurity.com/news/the-10-biggest-u.s.-healthcare-data-breaches-of-2018
  5. Donovan, F. (2018, August 27). Oklahoma Hospital Sued for Alleged HIPAA Violation Over Drowning. Health IT Security. Retrieved from https://healthitsecurity.com/news/oklahoma-hospital-sued-for-alleged-hipaa-violation-over-drowning
  6. Experian. (2010, April). The Potential Damages and Consequences of Medical Identity Theft and Healthcare Data Breaches. Retrieved from https://www.experian.com/assets/data-breach/white-papers/consequences-medical-id-theft-healthcare.pdf
  7. Fliszar, G.M. (2014, June 1). New Risks Following a Health Care Data Breach – It’s Not Just the OCR Anymore. American Bar Association. Retrieved from https://www.americanbar.org/groups/health_law/publications/aba_health_esource/2013-14/june/new_risks/
  8. HIPAA Journal. (2017, November 7). Can a Patient Sue for a HIPAA Violation? Retrieved from https://www.hipaajournal.com/sue-for-hipaa-violation/
  9. HIPAA Journal. (2019, April 26). The Most Common HIPAA Violations You Should Be Aware Of. Retrieved from https://www.hipaajournal.com/common-hipaa-violations/
  10. NBC News. (2017, June 23). Anthem to Pay Record $115M to Settle Lawsuits Over Data Breach. Reuters. Retrieved from https://www.nbcnews.com/news/us-news/anthem-pay-record-115m-settle-lawsuits-over-data-breach-n776246
  11. Ornstein, C. (2015, December 10). Small Violations of Medical Privacy Can Hurt Patients and Erode Trust. NPR. Retrieved from https://www.npr.org/sections/health-shots/2015/12/10/459091273/small-violations-of-medical-privacy-can-hurt-patients-and-corrode-trust
  12. Ravindranath, M. (2019, July 15). Some Providers Fear “Brave New World” of Freed Patient Health Data. Politico. Retrieved from https://www.politico.com/story/2019/07/15/patient-health-data-regulations-1573633
  13. Stein, L. (2013, June 29). Medical Records Breach at Tampa General, USF Exposes Woman’s Secrets. Tampa Bay Times. Retrieved from https://www.tampabay.com/news/health/medical-records-breach-at-tampa-general-usf-exposes-womans-secrets/2129083/
  14. U.S. Department of Health and Human Services. (2017, September 5). What You Can Do to Protect Your Health Information. HealthIT.gov. Retrieved from https://www.healthit.gov/topic/privacy-security/what-you-can-do-protect-your-health-information
  15. U.S. Department of Health and Human Services. (2018, October 15). Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History. Retrieved from https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html
  16. U.S. Department of Health and Human Services. (n.d.). Breach Notification Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
  17. U.S. Department of Health and Human Services. (n.d.). Filing a Complaint. Retrieved from https://www.hhs.gov/hipaa/filing-a-complaint/index.html
  18. U.S. Department of Health and Human Services. (n.d.). HIPAA for Individuals. Retrieved from https://www.hhs.gov/hipaa/for-individuals/index.html
  19. U.S. Department of Health and Human Services. (n.d.). How to File a Health Information Privacy or Security Complaint. Retrieved from https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html
  20. U.S. Department of Health and Human Services. (n.d.). Resolution Agreements. Retrieved from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
  21. U.S. Department of Health and Human Services. (n.d.). Your Health Information, Your Rights. HealthIT.gov. Retrieved from https://www.healthit.gov/sites/default/files/YourHealthInformationYourRights_Infographic-Web.pdf
  22. U.S. Department of Health and Human Services. (n.d.). Your Rights Under HIPAA. Retrieved from https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html