USA Leads the Way with the Most Expensive Healthcare Data Breaches

Failing to adequately protect healthcare information comes at a high cost to the healthcare industry. According to the most recent annual Cost of a Data Breach Report, the average total cost of a data breach is up to $3.92 million. Healthcare is now the most expensive industry, coming in at a staggering $6.45 million. And the United States is the most expensive country, at a whopping $8.19 million.

Protect Privacy or Pay the Price - Enforcement Actions by OCR through 2019

As of December 31, 2019, the Office for Civil Rights (OCR) reports that, since the compliance date of the Privacy Rule, it has settled or imposed a civil money penalty in 73 cases, for a total of $111,855,582.00. OCR has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

In 2019 alone, over $12 million in fines were paid to OCR. OCR settled with 8 entities and imposed two civil monetary penalties that year. Just as in 2018, failure to complete a HIPAA-compliant Security Risk Analysis was the top compliance deficiency, followed by failure to comply with Breach Notification Rule requirements.

Top 5 Investigated Compliance Issues

From the compliance date to the present, the following are the top 5 compliance issues investigated most, in order of frequency:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Lack of administrative safeguards of electronic protected health information;
  5. Use or disclosure of more than the minimum necessary protected health information.

How are HIPAA Penalties Calculated?

Tier 1 - $100 - $50,000 per incident, up to $1.5 million: the entity did not know, and could not reasonably have known, of the breach.

Tier 2 - $1,000 - $50,000 per incident, up to $1.5 million: the entity knew, or by exercising reasonable diligence would have known, of the violation, but did not act with willful neglect.

Tier 3 - $10,000 - $50,000 per incident, up to $1.5 million: the entity acted with willful neglect but corrected the problem within a 30-day period.

Tier 4 - $50,000 per incident, up to $1.5 million: the entity acted with willful neglect and failed to make a timely correction.

Did you know?

Since the compliance date, OCR has investigated 39,698 complaints:

  • 70% - Corrective action was obtained
  • 30% - No violation was found

Have any questions or comments? Contact us by email: or phone: 855-427-0427.