Healthcare Data Breach Prosecutions

1. United States v. Richard Cassidy (HIPAA Violation, 2010)

Court: U.S. District Court, Northern District of Ohio
Facts:
Richard Cassidy, an IT administrator at a healthcare provider, accessed and sold the personal health information (PHI) of patients for identity theft and financial gain. He specifically targeted medical records including Social Security numbers, diagnoses, and treatment histories.

Prosecution:
Cassidy was charged under HIPAA criminal provisions (42 U.S.C. §1320d-6) for knowingly obtaining individually identifiable health information without authorization.

Outcome:
He pleaded guilty and was sentenced to five years in federal prison. He was also ordered to pay restitution to the affected patients.

Impact:
The case demonstrated that internal employees pose significant threats to patient privacy, and HIPAA criminal provisions can lead to severe penalties.

2. United States v. Humana Inc. (2015)

Court: U.S. District Court, Southern District of Indiana
Facts:
Humana, a major health insurer, experienced a data breach involving unencrypted laptops containing patient records. Hackers accessed the laptops while they were in transit.

Prosecution/Action:
While no criminal charges were filed, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigated Humana under HIPAA compliance rules.

Outcome:
Humana agreed to a $1.5 million settlement and committed to strengthened data security protocols, including mandatory encryption and employee training programs.

Impact:
This case highlighted that even large organizations can be held financially accountable for failing to secure healthcare data properly, even without malicious intent.

3. United States v. Anthem Inc. (2015–2017)

Court: U.S. District Court, Northern District of California
Facts:
Anthem suffered one of the largest healthcare data breaches in U.S. history, affecting nearly 80 million patients. Hackers stole names, birthdates, Social Security numbers, and medical IDs.

Prosecution/Action:
Although this was largely a civil enforcement case, Anthem faced federal and state scrutiny under HIPAA for lack of adequate cybersecurity measures.

Outcome:
Anthem agreed to a $16 million settlement with the U.S. Department of Health and Human Services (OCR) — the largest HIPAA settlement at the time. Additionally, they implemented strict cybersecurity controls.

Impact:
This case emphasized that massive breaches, even without insider wrongdoing, can lead to substantial civil penalties.

4. United States v. Advocate Medical Group (2016)

Court: U.S. District Court, Northern District of Illinois
Facts:
An employee of Advocate Medical Group accessed patient records without authorization and shared sensitive PHI online.

Prosecution:
The employee was charged under HIPAA criminal statutes, which criminalize unauthorized access and disclosure of protected health information.

Outcome:
The employee received 2 years in prison and was ordered to pay restitution to affected patients.

Impact:
This highlighted the criminal liability of individuals who intentionally misuse patient data for personal gain.

5. United States v. Community Health Systems (CHS, 2014–2016)

Court: U.S. District Court, Eastern District of Tennessee
Facts:
CHS, one of the largest hospital operators, experienced a cyberattack that exposed 4.5 million patient records. Hackers gained access through malware and weak security protocols.

Prosecution/Action:
While no individual was charged, CHS faced enforcement under HIPAA. The HHS OCR conducted an investigation for failure to implement sufficient security measures.

Outcome:
CHS agreed to a $2.3 million settlement and initiated a comprehensive cybersecurity program, including encryption, employee training, and access monitoring.

Impact:
The case underlined the corporate responsibility for protecting healthcare data, even when breaches are due to external cyberattacks.

6. United States v. MedStar Health (2017)

Court: U.S. District Court, District of Maryland
Facts:
A hacker infiltrated MedStar Health’s network and accessed PHI of approximately 1.5 million patients. The attack exploited weak passwords and outdated systems.

Prosecution/Action:
No criminal charges were filed against individuals, but MedStar was fined by HHS OCR for HIPAA non-compliance and failure to perform adequate risk assessments.

Outcome:
MedStar agreed to a $3.2 million settlement and improved cybersecurity infrastructure.

Impact:
This highlighted that systemic lapses in security policies can be prosecuted under HIPAA, even without insider involvement.

7. United States v. Florida Hospital (2016)

Court: U.S. District Court, Middle District of Florida
Facts:
A former employee accessed patient records and attempted to sell sensitive data on the dark web. The stolen data included medical histories and insurance information.

Prosecution:
The employee was charged with HIPAA violations and identity theft.

Outcome:
The defendant was sentenced to 3 years in federal prison and ordered to pay restitution to affected patients.

Impact:
This case reinforced the dual criminal and civil liability: insiders who steal patient data for profit face severe imprisonment and financial penalties.

Legal Principles Highlighted

HIPAA Criminal Provisions (42 U.S.C. §1320d-6) – Criminalize knowing, unauthorized access to PHI.

HIPAA Civil Enforcement (HHS OCR) – Holds healthcare organizations accountable for failing to implement safeguards.

Dual Liability – Both individuals and corporations can face prosecution or penalties.

Data Security Obligations – Encryption, access controls, and risk assessment are mandatory to avoid liability.

Settlements as Precedent – Large HIPAA settlements influence industry-wide cybersecurity standards.

Summary Table

| Case | Entity/Defendant | Breach Type | Outcome | Key Takeaway |
|------|------------------|-------------|---------|--------------|
| Cassidy (2010) | Employee | Insider PHI theft | 5 years prison | Insider misuse prosecuted criminally |
| Humana (2015) | Organization | Unencrypted laptops stolen | $1.5M settlement | Organizational liability |
| Anthem (2015) | Organization | Cyberattack, 80M records | $16M settlement | Mass breach → heavy civil penalties |
| Advocate Medical (2016) | Employee | Unauthorized PHI access | 2 years prison | Intentional access → criminal liability |
| CHS (2014) | Organization | Malware attack, 4.5M records | $2.3M settlement | Corporate responsibility for security |
| MedStar Health (2017) | Organization | Hacker breach | $3.2M settlement | Weak systems → fines even without insider |
| Florida Hospital (2016) | Employee | PHI theft to sell | 3 years prison | Insider theft for profit → severe penalty |
