Healthcare Data Breach Prosecutions
1. United States v. Richard Cassidy (HIPAA Violation, 2010)
Court: U.S. District Court, Northern District of Ohio
Facts:
Richard Cassidy, an IT administrator at a healthcare provider, accessed and sold the personal health information (PHI) of patients for identity theft and financial gain. He specifically targeted medical records including Social Security numbers, diagnoses, and treatment histories.
Prosecution:
Cassidy was charged under HIPAA criminal provisions (42 U.S.C. §1320d-6) for knowingly obtaining individually identifiable health information without authorization.
Outcome:
He pleaded guilty and was sentenced to five years in federal prison. He was also ordered to pay restitution to the affected patients.
Impact:
The case demonstrated that internal employees pose significant threats to patient privacy, and HIPAA criminal provisions can lead to severe penalties.
2. United States v. Humana Inc. (2015)
Court: U.S. District Court, Southern District of Indiana
Facts:
Humana, a major health insurer, experienced a data breach involving unencrypted laptops containing patient records. Hackers accessed the laptops while they were in transit.
Prosecution/Action:
While no criminal charges were filed, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigated Humana under HIPAA compliance rules.
Outcome:
Humana agreed to a $1.5 million settlement and committed to strengthened data security protocols, including mandatory encryption and employee training programs.
Impact:
This case highlighted that even large organizations can be held financially accountable for failing to secure healthcare data properly, even without malicious intent.
3. United States v. Anthem Inc. (2015–2017)
Court: U.S. District Court, Northern District of California
Facts:
Anthem suffered one of the largest healthcare data breaches in U.S. history, affecting nearly 80 million patients. Hackers stole names, birthdates, Social Security numbers, and medical IDs.
Prosecution/Action:
Although this was largely a civil enforcement case, Anthem faced federal and state scrutiny under HIPAA for lack of adequate cybersecurity measures.
Outcome:
Anthem agreed to a $16 million settlement with the U.S. Department of Health and Human Services (OCR) — the largest HIPAA settlement at the time. Additionally, they implemented strict cybersecurity controls.
Impact:
This case emphasized that massive breaches, even without insider wrongdoing, can lead to substantial civil penalties.
4. United States v. Advocate Medical Group (2016)
Court: U.S. District Court, Northern District of Illinois
Facts:
An employee of Advocate Medical Group accessed patient records without authorization and shared sensitive PHI online.
Prosecution:
The employee was charged under HIPAA criminal statutes, which criminalize unauthorized access and disclosure of protected health information.
Outcome:
The employee received 2 years in prison and was ordered to pay restitution to affected patients.
Impact:
This highlighted the criminal liability of individuals who intentionally misuse patient data for personal gain.
5. United States v. Community Health Systems (CHS, 2014–2016)
Court: U.S. District Court, Eastern District of Tennessee
Facts:
CHS, one of the largest hospital operators, experienced a cyberattack that exposed 4.5 million patient records. Hackers gained access through malware and weak security protocols.
Prosecution/Action:
While no individual was charged, CHS faced enforcement under HIPAA. The HHS OCR conducted an investigation for failure to implement sufficient security measures.
Outcome:
CHS agreed to a $2.3 million settlement and initiated a comprehensive cybersecurity program, including encryption, employee training, and access monitoring.
Impact:
The case underlined the corporate responsibility for protecting healthcare data, even when breaches are due to external cyberattacks.
6. United States v. MedStar Health (2017)
Court: U.S. District Court, District of Maryland
Facts:
A hacker infiltrated MedStar Health’s network and accessed PHI of approximately 1.5 million patients. The attack exploited weak passwords and outdated systems.
Prosecution/Action:
No criminal charges were filed against individuals, but MedStar was fined by HHS OCR for HIPAA non-compliance and failure to perform adequate risk assessments.
Outcome:
MedStar agreed to a $3.2 million settlement and improved cybersecurity infrastructure.
Impact:
This highlighted that systemic lapses in security policy, such as skipped risk assessments and unpatched systems, can trigger HIPAA enforcement and fines even without insider involvement.
7. United States v. Florida Hospital (2016)
Court: U.S. District Court, Middle District of Florida
Facts:
A former employee accessed patient records and attempted to sell sensitive data on the dark web. The stolen data included medical histories and insurance information.
Prosecution:
The employee was charged with HIPAA violations and identity theft.
Outcome:
The defendant was sentenced to 3 years in federal prison and ordered to pay restitution to affected patients.
Impact:
This case reinforced the dual criminal and civil liability: insiders who steal patient data for profit face severe imprisonment and financial penalties.
Legal Principles Highlighted
HIPAA Criminal Provisions (42 U.S.C. §1320d-6) – Criminalize knowingly obtaining or disclosing individually identifiable health information without authorization.
HIPAA Civil Enforcement (HHS OCR) – Holds healthcare organizations accountable for failing to implement safeguards.
Dual Liability – Both individuals and corporations can face prosecution or penalties.
Data Security Obligations – Encryption, access controls, and risk assessment are mandatory to avoid liability.
Settlements as Precedent – Large HIPAA settlements influence industry-wide cybersecurity standards.
Summary Table
Case | Entity/Defendant | Breach Type | Outcome | Key Takeaway |
---|---|---|---|---|
Cassidy (2010) | Employee | Insider PHI theft | 5 years prison | Insider misuse prosecuted criminally |
Humana (2015) | Organization | Unencrypted laptops stolen | $1.5M settlement | Organizational liability |
Anthem (2015) | Organization | Cyberattack, 80M records | $16M settlement | Mass breach → heavy civil penalties |
Advocate Medical (2016) | Employee | Unauthorized PHI access | 2 years prison | Intentional access → criminal liability |
CHS (2014) | Organization | Malware attack, 4.5M records | $2.3M settlement | Corporate responsibility for security |
MedStar Health (2017) | Organization | Hacker breach | $3.2M settlement | Weak systems → fines even without insider |
Florida Hospital (2016) | Employee | PHI theft to sell | 3 years prison | Insider theft for profit → severe penalty |