HIPAA Bares Its Teeth: $4.3m Fine For Privacy Violation

The health care industry's toothless tiger finally bared its teeth, as the U.S. Department of Health and Human Services issued a $4.3 million fine to a Maryland health care provider for violations of the HIPAA Privacy Rule. The action is the first civil money penalty HHS has imposed under HIPAA since the Act was passed in 1996; earlier enforcement actions, such as the 2008 Providence Health & Services case, were settled through resolution agreements rather than penalties.

The U.S. Department of Health and Human Services (HHS) issued a Notice of Final Determination to Cignet Health of Temple Hills, Maryland on February 4, 2011. The notice followed a finding by HHS's Office for Civil Rights (OCR) that Cignet had failed to provide 41 patients with copies of their medical records and had failed to respond to OCR's requests for information related to the complaints.

The penalty notice against Cignet depicts a two-year effort in which HHS struggled with what appears to be a dysfunctional Maryland provider, unaware of the potential impact of HIPAA non-compliance and unwilling or unable to cooperate with HHS in any way.

Following patient complaints, repeated efforts by HHS to inquire about the missing health records were ignored by Cignet, as was a subpoena obtained by OCR ordering Cignet to produce the records. Cignet did not defend itself in any way. When a court ordered the provider to respond, it disgorged not just the patient records in question but 59 boxes of original medical records to the U.S. Department of Justice. Those boxes included the records of the 11 individuals listed in the OCR subpoena, of 30 other individuals who had complained about not receiving their medical records from Cignet, and of roughly 4,500 other individuals whose information OCR had never requested.

In the end, OCR found that Cignet showed "willful neglect of its obligation to comply with the requirement of the Privacy Rule" and, in essence, threw the book at the Maryland provider.

HIPAA has been a force in the health care industry for more than a decade, forcing health care providers of all stripes to institute tighter controls over patient data. However, for years after its passage, HIPAA lacked strong language about enforcement and penalties for non-compliance. That changed with the passage of the HITECH Act, part of the American Recovery and Reinvestment Act of 2009. That law strengthened the privacy and information security provisions of HIPAA, raised the civil penalty tiers, and expanded the list of entities covered by the law, extending the rules directly to business associates.

  • eeb2

    It is about time...I like the title of this article....

  • A Private Citizen

    They should be suing their attorney for malpractice.

  • Another Priavate Citizen

    Damages should be on a time-based scale.

    The LONGER it takes a violator(s) to respond, repair, disclose, etc., the GREATER the penalty there should be.

    rob k



  • Anonymous

    Fine and regulate people, businesses, and all to death! The quicker the system fails and falls... the quicker the restart.  Are you prepared?

  • Anonymous

    So, is the wrongdoing not giving patients their records, or giving the DoJ records not covered by the subpoena?  I'd say the latter is a more serious offense.

  • Anonymous

    Both would be in violation.  I actually find it very funny that in the F You way they replied to the subpoena, i.e. "dig through all this," they actually created a greater violation.  Way to go Cigna.

  • Anonymous

    To whoever is bitching about fines and regulations, what else is a patient supposed to do when a monopoly business (insurance companies are allowed to collude on prices) fails to provide even the most minimal of services?

    I hope you enjoy your rebooted future where businesses are welcome to take your money and there is no government to force them to provide the services they're obligated to.

  • Stephen Cobb, CISSP

    Sorry, but in what sense is the fine you refer to "the first monetary fine issued since the Act was passed in 1996"?

    July 19, 2008: A Seattle-based health system has agreed to pay a $100,000 HIPAA fine to HHS, as well as improve its medical data security, after failing to properly secure data backup tapes, disks and laptops. This marks the first time HHS has agreed to a Resolution Agreement. During 2005 and 2006, medical data was stolen from Providence Health & Services several times, with backup tapes, optical disks and laptops being lost or stolen repeatedly. All told, the unencrypted personal health information of more than 386,000 patients was compromised.

  • Anonymous

    Who gets the money?? That's the real question... I'll bet it's the government.

  • Anonymous

    I think this is the first time an organization's been fined since the passage of the HITECH Act.

  • Anonymous

    The purpose of the law is to keep electronic health information as secure as your electronic banking.  Violators deserve the fines and consumers deserve the protection.  Refusing to provide a patient with access to their own medical records is pathetic and inept.

  • Anonymous

    I think the real issue here was their attitude and response.  It appears they were given plenty of chances to resolve the issue.  It's things like this, though, that will lead to the regulators being less patient and more aggressive.

  • Anonymous

    The bottom line is that companies are allowing our records to fall into the wrong hands even though there is technology that will prevent it. They simply don't want to spend the money on fully encrypting their stored records and communications. Many aren't even encrypting stored data, but the real vulnerability few are addressing is in transmitted data.

    Perhaps this will be a wakeup call for companies to start implementing encryption for all data storage and communications - as they should have been doing in the first place.

  • Anonymous

    The question should be: how do you secure something when there are those out there that can break it? Encryption is like a fence; it only keeps the honest people out. Put tracker software in and find the people doing it and arrest them. Send a message to the people using the info for illegal purposes.

  • Anonymous

    They should use some encrypting software to protect data.

    There are a lot of available software and they are reliable and easy to use like TrueCrypt, McAfee, etc...

  • Singerbear

    As someone who works in a health care field, I think it's kind of unfair to assume all healthcare providers or organizations are as bad as this. While I can't mention which company I work for, I do know we have exceeded the requirements for HIPAA for as long as I can remember. The gross mishandling of data by this particular provider did indeed warrant the fines levied.

    As far as encrypting information goes, I totally agree that bare naked information should never be transmitted or transported.  That's just asking for trouble.

  • Anonymous

    "The action is the first monetary fine issued since the Act was passed in 1996."

    Not true. In 2008, Providence Health & Services of Seattle was fined $100,000 for negligence resulting in the theft of electronic media containing sensitive information. In 2009, CVS was fined $2.25 million for improperly disposing of PHI in public dumpsters, and in 2010 Rite Aid was fined $1 million for similar violations. Also, in 2010, Management Services Organization Washington was fined $35,000 for using PHI for marketing purposes. Please get your facts straight.
