Since the HIPAA Enforcement Rule took effect, the HHS Office for Civil Rights has collected tens of millions of dollars in civil monetary penalties from healthcare organizations that failed to safeguard medical data. In 2018, OCR settled 10 cases totaling $28.7 million — a record that still stands. But the federal fines are only part of the picture. State attorneys general imposed $19.56 million across nine actions in 2024, and a single 49-state settlement against Blackbaud reached $49.5 million.
These healthcare data breach statistics and HIPAA statistics make one thing clear: the financial exposure from a healthcare data breach now extends well beyond what most covered entities and their business associates budget for. Whether the data breach involves stolen healthcare records, a ransomware attack, or a misdirected fax containing PHI, HIPAA penalties follow.
Key Takeaways
$28.7 million — OCR's record enforcement total in 2018, including the $16 million Anthem data breach settlement, the largest single HIPAA fine in history.
21 OCR settlements in 2025 — the second-highest annual total. HIPAA violations tied to ransomware and missing security assessments drove most actions against healthcare providers and business associates.
$49.5 million — the Blackbaud 49-state attorney general settlement, the largest state-level penalty tied to a healthcare data breach.
55% of 2022 OCR settlements targeted small practices, proving that practice size does not shield healthcare providers from HIPAA enforcement.
Current HIPAA Penalty Tiers (2026 Amounts)
Civil monetary penalties for HIPAA violations are adjusted annually for inflation. As of January 28, 2026, per 45 CFR Part 102:
| Tier | Culpability | Min per Violation | Max per Violation | Annual Cap |
|---|---|---|---|---|
| 1 | Lack of knowledge | $145 | $73,011 | $2,190,294 |
| 2 | Reasonable cause | $1,461 | $73,011 | $2,190,294 |
| 3 | Willful neglect, corrected | $14,602 | $73,011 | $2,190,294 |
| 4 | Willful neglect, not corrected | $73,011 | $2,190,294 | $2,190,294 |
Source: Federal Register.
In practice, OCR's 2019 Notice of Enforcement Discretion applies lower annual caps: $36,506 (Tier 1), $146,053 (Tier 2), $365,052 (Tier 3), and the full $2,190,294 (Tier 4).
Beyond civil monetary penalties, criminal HIPAA violations carry prison time: up to 1 year for unknowing offenses, 5 years for obtaining individually identifiable health information under false pretenses, and 10 years for intent to sell or use health information for personal gain or healthcare fraud. OCR has made 2,419 criminal referrals since 2003, per HHS Enforcement Highlights. State attorneys general can impose additional HIPAA penalties of up to $25,000 per violation category per year under HITECH.
The 15 Largest HIPAA Fines in History
The HHS Resolution Agreements page maintains the official record. Here are the largest civil monetary penalties and settlements ever imposed on HIPAA covered entities:
| Rank | Entity | Amount | Year | Individuals | Key Violation |
|---|---|---|---|---|---|
| 1 | Anthem Inc. | $16,000,000 | 2018 | 78,800,000 | Anthem data breach — multiple privacy and security rule failures |
| 2 | Premera Blue Cross | $6,850,000 | 2020 | 10,466,692 | Healthcare data breach, safeguard failures |
| 3 | Advocate Health Care | $5,550,000 | 2016 | 4,000,000 | Data breach via stolen laptops with electronic protected health information |
| 4 | Memorial Healthcare System | $5,500,000 | 2017 | 115,143 | Insufficient access controls on healthcare data |
| 5 | Excellus Health | $5,100,000 | 2021 | 9,358,891 | Multi-year risk analysis failures at a health plan |
| 6 | NY-Presbyterian / Columbia | $4,800,000 | 2014 | 6,800 | Server exposed medical records online |
| 7 | Montefiore Medical Center | $4,750,000 | 2024 | 12,517 | Insider theft of patient data, no audit controls |
| 8 | MD Anderson Cancer Center* | $4,348,000 | 2018 | 33,500 | Unencrypted devices, impermissible disclosure of medical data |
| 9 | Cignet Health Plan | $4,300,000 | 2011 | 41 | Right of access denial |
| 10 | Fresenius Medical Care | $3,500,000 | 2018 | 521 | Security breaches across five facilities |
| 11 | Triple-S Management | $3,500,000 | 2015 | 70,000 | Mailing exposed health plan member PHI |
| 12 | Children's Medical Center | $3,200,000 | 2017 | 3,800 | Years of noncompliance, unencrypted devices |
| 13 | Solara Medical Supplies | $3,000,000 | 2025 | 114,007 | Phishing data breach, HIPAA breach notification rule failures |
| 14 | Cottage Health | $3,000,000 | 2018 | 62,500 | Server misconfiguration exposed medical records |
| 15 | Banner Health | $1,250,000 | 2023 | 2,810,000 | Healthcare data breach, risk analysis failures |
*CMP later vacated by the Fifth Circuit.
Patterns across the largest fines:
Risk analysis failures appear in nearly every case — OCR has stated that inadequate risk analysis is involved in roughly 90% of HIPAA security rule enforcement actions
Breach size drives settlement size — large healthcare data breaches involving millions of exposed medical records draw the biggest fines
Small record counts don't guarantee small fines — the Cignet case cost $4.3 million for denying just 41 patients access to their personal health records
Insiders trigger million-dollar penalties — Montefiore's $4.75M stemmed from a single employee's six-month data theft, not an external attack
OCR Enforcement by Year
| Year | Settlements | Notable Context |
|---|---|---|
| 2016 | 12 | $23.5M total; Advocate $5.55M |
| 2017 | 9 | Memorial Hermann Health System and Memorial Healthcare settlements |
| 2018 | 11 | $28.7M record; Anthem data breach $16M |
| 2019 | 10 | Right of Access Initiative launched |
| 2020 | 19 | Right of Access fines accelerate across healthcare providers |
| 2021 | 14 | Excellus Health Plan $5.1M |
| 2022 | 22 | Record count; 55% targeted small medical practices |
| 2023 | 13 | Banner Health $1.25M |
| 2024 | 22 | Montefiore $4.75M; 14 of 22 for security rule compliance failures |
| 2025 | 21 | Solara $3M; Warby Parker $1.5M; Top of the World Ranch Treatment Center $103K |
The data breach investigations backlog remains large — 978 large healthcare data breaches were under active investigation as of January 2026. Additional fines from incidents in 2023–2024 are still coming.
Key enforcement trends:
2018 remains the record dollar year at $28.7M, driven by the Anthem settlement
2022 holds the record for most settlements (22), with 55% targeting small practices
2024–2025 shifted toward HIPAA security rule enforcement — 14 of 22 actions in 2024 resolved security failures
Right of Access fines are declining as HIPAA compliance improves (the initiative worked), while risk analysis fines are accelerating
HIPAA violation penalties now target covered entities of all sizes — OCR applies the same HIPAA compliance standards whether the entity is a solo practice or a large health system
2024–2025 Notable Settlements

Beyond the headline amounts, these cases show what triggers OCR action across the healthcare sector:
Montefiore Medical Center — $4,750,000 (2024). Insider threat: employee stole healthcare data for six months. No audit controls on electronic health records.
Solara Medical Supplies — $3,000,000 (2025). Phishing healthcare data breach plus delayed breach notification. Missing administrative safeguards.
Warby Parker — $1,500,000 CMP (2025). Credential stuffing. No security awareness training documentation.
Gulf Coast Pain Consultants — $1,190,000 CMP (2024). Multiple HIPAA violations of security rule requirements.
LA Care — $1,300,000 (2024). Mailing error exposed health plan member data for 1,400+ individuals.
BayCare Health System — $800,000 (2025). Healthcare data breach, multiple security failures.
Children's Hospital Colorado — $548,265 CMP (2024). HIPAA privacy rule and security violations.
Northeast Radiology — $350,000 (2025). PACS server exposure; no documented assessment. 298,532 patients affected by the data breach.
USR Holdings — $337,750 (2025). Assessment failures discovered after a data breach.
Health Fitness Corporation — $227,816 (2025). Server exposed healthcare data online from 2015 to 2018.
BST & Co. CPAs — $175,000 (2025). Ransomware attack on a business associate handling medical records.
Oregon Health Sciences University — $200,000 CMP (2025). Right of access violation involving health sciences records.
Guam Memorial Hospital Authority — $25,000 (2025). No assessment despite operating as a HIPAA-covered entity serving healthcare providers in the region.
Virtual Private Network Solutions — $90,000 (2024). Ransomware; no documented assessment at the time of the data breach.
Small Practice Fines: OCR Investigates All Sizes
One of the most common HIPAA enforcement myths is that OCR only targets large healthcare systems. In 2022, 55% of settlements hit small practices. Since 2019, OCR has imposed 50+ penalties under the Right of Access Initiative, most against smaller healthcare organizations and mid-size healthcare providers. These are HIPAA statistics that compliance officers at every practice size should know.
Examples:
Manasa Health Center — $30,000 (2024)
Gums Dental Care — $70,000 CMP (2024)
Three dental practices — $25,000–$80,000 each for Right of Access failures
Small dermatology practice — $150,000 for unauthorized disclosure of patient data on social media
Concentra Inc. — $112,500 (2025), OCR's 54th Right of Access action
Every covered entity handling health data must comply with HIPAA rules regardless of size. OCR investigates HIPAA violations at solo practices with the same enforcement bar applied to large healthcare systems. Covered entities cannot claim ignorance of HIPAA rules as a defense.
State Attorney General Fines: The Parallel Exposure
State attorneys general represent a separate — and sometimes larger — financial exposure for healthcare organizations and business associates. These HIPAA statistics are often overlooked:
Blackbaud — $49,500,000 (2023, 49-state). Largest state-level penalty from a healthcare data breach.
Anthem Inc. — $39,500,000 in multistate AG settlements on top of the $16M OCR fine. Total exposure from the Anthem breach: $48.2M+ in penalties alone.
Enzo Biochem — $4,500,000 (2024, NY/NJ/CT). Shared credentials; one password unchanged for a decade. Data breach affected 2.4M patients.
Albany ENT & Allergy — $1,000,000 fine ($500K suspended) plus $2,250,000 required cybersecurity investment (2024). Two ransomware attacks in 10 days. NY AG found missing MFA and inadequate logging across healthcare systems.
Orthopedics NY — $500,000 (2025). Data breach affecting 656,086 individuals.
Comstar — $515,000 state AG fine (MA/CT, 2026) PLUS $75,000 OCR settlement for the same data breach.
The Comstar case shows the dual-fine pattern: business associates can face civil monetary penalties from both OCR and state enforcement agencies for the same healthcare breach. In 2024, state AGs collected $19,560,000 across nine actions. New York was the most active, followed by California. Group health plans, healthcare providers, and business associates all face this parallel exposure from every healthcare breach and HIPAA violation investigation.
The Real Cost Beyond the Fine

The OCR settlement is typically the smallest piece. The healthcare industry's average cost of a data breach reached $7.42 million in 2025, per the IBM Cost of a Data Breach Report — the highest of any sector for 14 consecutive years. Exposed medical records continue to drive costs above every other industry, and data breach costs in the healthcare sector keep climbing.
Where the money goes beyond HIPAA penalties:
Breach notification: $3–$5 per affected individual under the HIPAA breach notification rule and stricter breach notification requirements at the state level. A breach affecting 100,000 people costs $300K–$500K in notifications alone.
Forensic investigation: $50,000–$500,000+, depending on the scope of the data breach
Legal defense: class-action settlements can reach tens of millions — Anthem's total legal exposure exceeded $115M beyond its OCR and state AG fines
Corrective Action Plan: every OCR settlement includes 2–3 years of mandated security investments, risk management reviews, and monitoring. These are not optional.
Reputational damage: patient attrition and declining volumes post-breach, visible through data analytics
The Albany ENT case makes the math explicit: $1M fine + $2.25M required cybersecurity investment = $3.25M actual cost — before legal fees, breach notification, and lost revenue. That investment covered technical safeguards the practice should have had in place before the attacks.
To prevent data breaches and the penalties that follow, healthcare providers need encrypted transport for protected health information, annual risk analysis, security awareness training, signed business associate agreements with every vendor touching PHI, and audit trails for systems containing electronic protected health information.
For healthcare organizations transmitting protected health information by fax, the same HIPAA-compliant requirements apply. Cloud fax with TLS encryption, configurable retention, audit trails, and a signed BAA meets the administrative safeguards and technical safeguards that OCR expects. Improper disposal incidents involving paper fax are nearly eliminated when transmission and storage happen in electronic form through a cloud platform.
FaxSIPit provides HIPAA-compliant cloud fax with TLS 1.3 in transit, AES 256-bit at rest, retention up to 7 years, full audit trails, and business associate agreements on all plans. See our HIPAA compliance page for architecture details or request a fax security posture assessment.
Frequently Asked Questions
What is the largest HIPAA fine ever imposed?
The $16 million OCR settlement with Anthem Inc. in 2018 following the Anthem data breach that exposed medical records of 78.8 million health plan members. Total enforcement exposure, including state AG actions, exceeded $48 million.
Can small practices be fined?
Yes. OCR has fined solo dental practices as low as $25,000 for HIPAA violations. The Manasa Health Center paid $30,000 in 2024. Practice size provides no immunity — the Office for Civil Rights applies the same HIPAA regulations to every covered entity in the healthcare sector.
Can you be fined by both OCR and a state attorney general?
Yes. Comstar paid $75,000 to the Office for Civil Rights and $515,000 to state attorneys general for the same data breach. Business associates and HIPAA-covered entities face parallel investigations by the Department of Health and Human Services and state enforcement agencies.
What triggers a HIPAA investigation?
Complaints filed with the Department of Health and Human Services, breach notification reports (large healthcare data breaches of 500+ individuals almost always trigger a formal investigation of potential HIPAA violations by the Office for Civil Rights), and compliance reviews. Improper disposal incidents, unauthorized disclosure of health information, and failure to protect patient information also prompt action by healthcare data breach investigators across the healthcare industry.
Conclusion
The numbers tell a consistent story. OCR files 15–22 settlements per year, state attorneys general add millions more in parallel penalties, and the average healthcare data breach costs $7.42 million when notification, forensics, legal defense, and lost revenue are included. The fine itself is rarely the largest expense — corrective action plans and forced cybersecurity investments routinely exceed the settlement amount.
For healthcare organizations that transmit medical records, claims, or privileged documents via fax, compliance begins at the transmission layer. A signed BAA, encrypted transport, configurable retention, and audit trails are the minimum OCR expects to see when it opens an investigation. Assess your fax security posture here.