Updated April 12, 2025
Healthcare organizations have many reasons to remain compliant with HIPAA. Keeping ePHI (electronic protected health information) secure preserves the trust of their partners and patients. Data breaches, all too common in the industry, carry many costs, both financial and reputational. One of them is the fines that the HHS (Department of Health and Human Services) OCR (Office for Civil Rights) can levy as the agency that enforces HIPAA.
Unfortunately, many organizations have incurred these fines along with public disclosure of their non-compliance. The total can run into millions of dollars, far more than the cost of following cybersecurity best practices, including penetration testing.
In this post, we’ll review the penalties for HIPAA violations, look at some recent cases, and discuss the value of penetration testing in healthcare.
OCR Fines and Penalties: What Are They?
The OCR can issue financial penalties to any organization that must abide by HIPAA rules regarding the collection, use, transmission, or storage of ePHI. The fines deter noncompliance and ensure accountability. The penalty structure is based on the entity’s knowledge of the violation. So, what constitutes a HIPAA violation?
When Does a HIPAA Violation Occur?
A violation occurs when a HIPAA-covered entity fails to comply with one or more provisions of the HIPAA Privacy, Security, or Breach Notification Rules. Violations can be deliberate or unintentional. A deliberate violation would be an employee knowingly sharing ePHI with someone who should not have access to it. An unintentional violation would be an attacker infiltrating a hospital’s network via phishing or another tactic and then stealing ePHI.
While the unintentional example isn’t the result of deliberate action, it is still negligence: it indicates that the organization wasn’t following cybersecurity best practices, such as conducting risk assessments and pen tests.
So, what happens if a violation occurs? What could you have to pay?
The Tiers of HIPAA Fines and Penalties
The tier of fines corresponds to the severity of the violation. The OCR uses penalties as a last resort for the most egregious incidents; it more often pursues voluntary compliance or provides technical assistance to correct noncompliance. Should it decide to hand down fines, these are the tiers:
- Tier 1: The covered entity was unaware of the violation and could not have avoided it, having exercised reasonable diligence to comply with HIPAA rules. The minimum fine is $100 per violation, up to $50,000.
- Tier 2: The organization should have been aware of the violation but could not have avoided it even with reasonable care; it does not amount to willful neglect of HIPAA rules. The minimum fine is $1,000 per violation, up to $50,000.
- Tier 3: The violation is the direct result of “willful neglect” of HIPAA rules, in cases where the organization attempted to correct the violation. The minimum fine is $10,000 per violation, up to $50,000.
- Tier 4: The most serious tier: willful neglect is confirmed and the entity made no effort to correct the violation within the 30 days provided. The minimum fine is $50,000 per violation.
The OCR can waive fines for violations the entity did not know about, but there is no waiver for willful neglect. The OCR adjusts these amounts annually for inflation. The 2023 update from the OCR set them as follows:
- Tier 1: $127 as the minimum penalty, with the maximum set at $63,973
- Tier 2: $1,280 as the minimum penalty, with the maximum set at $63,973
- Tier 3: $12,794 as the minimum penalty, with the maximum set at $63,973
- Tier 4: $63,973 as the minimum penalty, with the maximum set at $1,919,173
Additionally, the OCR’s 2019 Notice of Enforcement Discretion applied new maximum annual penalties for HIPAA violations. The annual caps are:
- Tier 1: $31,987
- Tier 2: $127,974
- Tier 3: $319,865
- Tier 4: $1,919,173
Since penalties became leviable in 2008, few organizations have had to pay up. However, 2022 saw 22 cases, the most of any year yet. Let’s look at some of those cases and explore why the OCR fined these entities and what the lessons are.
Recent HIPAA Violations and Fines
Banner Health (2023)
Banner Health paid a $1,250,000 fine for a HIPAA violation. The settlement resulted from a 2016 hack. After the breach, the OCR began an investigation and found “long-term, pervasive noncompliance with the HIPAA Security Rule.” The company had not analyzed risks and vulnerabilities, performed insufficient monitoring, had not implemented authentication processes, and lacked security measures to protect ePHI.
While not every organization that is hacked is culpable, the OCR found that Banner Health didn’t have the proper mechanisms in place to defend against attacks. The company could have avoided this debacle with proper risk assessments and pen tests.
Oklahoma State University Center for Health Sciences (2022)
Oklahoma State University Center for Health Sciences received an $875,000 fine, again caused by a hacking breach. The investigation uncovered violations including:
- Impermissible use and disclosure of PHI
- Failure to conduct a risk analysis
- Lack of audit controls, security incident response and reporting, and periodic evaluations
Again, the organization could have prevented this cyberattack with the right cybersecurity practices. Its failures exposed the ePHI of nearly 280,000 people.
Excellus Health Plan (2021)
The OCR levied its heftiest fine to date, $5.1 million, stemming from a data breach that affected 9.3 million people. The OCR’s investigation found the organization in violation of five standards of the HIPAA Rules, including failure to perform an enterprise-wide risk analysis and to implement risk management, information system activity review, and access controls.
Had the insurer followed best practices around assessments and pen testing, it could have found the vulnerabilities before the hackers did.
The Best Way to Avoid HIPAA Fines? A Strong Cybersecurity Program with Risk Assessments and Penetration Testing
If you don’t want to be on the receiving end of an OCR investigation, your best option is to develop and maintain a strong cybersecurity plan. As part of this, focus on what best supports compliance—risk assessments and pen testing.
HIPAA Risk Assessments Are Required
HIPAA risk assessments are required by the HIPAA Security Rule and also figure in the Breach Notification Rule. The goal is to find weaknesses and correct them. The OCR has requirements for these evaluations, which cover six steps:
- Collecting data and classifying the location of ePHI
- Identifying and documenting potential threats and vulnerabilities
- Evaluating current security measures
- Determining the likelihood of a threat occurrence
- Assessing the possible impact of such an occurrence
- Defining the level of risk
You’ll also want to perform penetration testing with the risk assessment.
HIPAA Penetration Testing Is a Smart Investment
HIPAA doesn’t require pen testing, but a pen test can reveal valuable information about how well your organization complies with the HIPAA Security, Privacy, and Breach Notification Rules. Pen tests simulate a cyber incident, with ethical hackers attempting to penetrate your network and access ePHI.
You should engage an experienced, trusted partner to conduct a HIPAA penetration test. Several provisions within the rules align with pen testing:
- A pen test should assess the risks and vulnerabilities relating to the confidentiality, integrity, and availability of ePHI.
- Organizations should regularly review the mechanisms they have to be HIPAA compliant.
- A pen test should identify how you create, receive, transmit, and maintain ePHI.
- Entities must also be aware of how their vendors and partners access, create, receive, and maintain ePHI.
- You need to define all the threats to data security, including human, natural, and environmental.
- A pen test should review if there are any irregularities internally relating to the privacy of ePHI.
- A response to a simulated breach can be critical to complying with the Breach Notification Rule.
- Testers should know what transforms general health information into ePHI according to the 18 identifiers that HHS specifies.
- A pen test may need special approaches for some applications because of how they use or embed data.
A thorough pen test ends with a report of all the vulnerabilities found, ranked by the priority at which they must be addressed. You then form a remediation plan to execute within your organization; you can often rely on your pen testing provider to assist with this so that corrective action is prompt.
The bottom line is that health entities must be vigilant not to become headlines. The team at Blue Goat Cyber can help you do this with our assessments and pen testing services. To start the conversation, schedule a discovery call with us today.
HIPAA and OCR FAQs
HIPAA identifiers serve several important purposes within the healthcare industry. They are essential for ensuring ready access to the information needed to provide high-quality care.
One key use of HIPAA identifiers is to balance protecting patient rights with enabling efficiency for covered entities. HIPAA outlines specific circumstances in which using and disclosing protected health information (PHI) without patient authorization is permissible. These circumstances include:
1. Conducting quality assessment and improvement activities: HIPAA identifiers allow healthcare organizations to assess and enhance patient care quality.
2. Developing clinical guidelines: With HIPAA identifiers, healthcare professionals can create evidence-based guidelines to promote efficient and effective medical practices.
3. Conducting patient safety activities per applicable regulations: HIPAA identifiers help perform activities that aim to ensure patient safety and adhere to relevant regulations.
4. Conducting population-based activities to improve health or reduce healthcare costs: By utilizing HIPAA identifiers, healthcare entities can engage in initiatives to improve public health or reduce healthcare expenses at a broader level.
5. Developing protocols: HIPAA identifiers enable the development of protocols that assist healthcare providers in delivering consistent and standardized care.
6. Conducting case management and care coordination: HIPAA identifiers facilitate effective case management and coordination of care among different healthcare professionals involved in a patient's treatment.
7. Contacting healthcare providers and patients to inquire about treatment alternatives: With the help of HIPAA identifiers, healthcare organizations can reach out to providers and patients to discuss alternative treatment options or gather additional information relevant to patient care.
8. Reviewing qualifications of healthcare professionals: HIPAA identifiers play a role in evaluating the qualifications and competence of healthcare professionals to ensure the delivery of high-quality care.
9. Evaluating the performance of healthcare providers or health plans: HIPAA identifiers assist in assessing the performance and effectiveness of healthcare providers and health plans to ensure optimal outcomes and patient satisfaction.
10. Conducting training programs or credentialing activities: Utilizing HIPAA identifiers, healthcare organizations can organize training programs and activities to enhance the skills and qualifications of healthcare professionals.
11. Supporting fraud and abuse detection and compliance programs: HIPAA identifiers aid in implementing fraud detection and compliance programs to safeguard against unlawful activities within the healthcare sector.
The "Wall of Shame" has faced criticism due to concerns over the way it handles organizations' cybersecurity breaches. Some argue that the portal tends to focus solely on the negative aspects of a breach, potentially causing long-term damage to a company's reputation. Critics suggest that the "Wall of Shame" fails to acknowledge or emphasize the positive steps that organizations may have taken to rectify their cybersecurity vulnerabilities after experiencing an incident. This lack of recognition for corrective actions and good-faith efforts to enhance cybersecurity practices could be seen as unfair and unbalanced in portraying organizations in the aftermath of a breach.
HIPAA, the Health Insurance Portability and Accountability Act, is the cornerstone of patient privacy in the United States. It sets the standard for protecting sensitive patient data. Any entity covered by HIPAA must ensure the confidentiality, integrity, and availability of all the protected health information (PHI) it handles.
When there’s a breach, HIPAA requires these entities to report it, especially if it affects many individuals. That’s where the OCR Wall of Shame comes into play. It’s a transparency tool, showing the public how and where PHI breaches happen.
Furthermore, under the Health Insurance Portability and Accountability Act (HIPAA), covered entities and their business associates are mandated to report any breaches to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). If the reported breach impacts more than 500 individuals, additional ramifications and consequences are triggered. This stringent regulation ensures that breaches are promptly reported and dealt with in accordance with HIPAA guidelines.
Under HIPAA, 18 identifiers classify data as Protected Health Information (PHI). These identifiers encompass a wide range of information that can be used to identify an individual. The list includes commonly recognized identifiers such as names, addresses, and social security numbers. However, it goes beyond these basic details and encompasses other data points like geographic information smaller than a state, dates (excluding year) related to an individual, phone numbers, fax numbers, email addresses, and more.
In addition to these, the list also includes less commonly known identifiers such as medical record numbers, health insurance beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers, device identifiers and serial numbers, web URLs, IP addresses, biometric identifiers like finger and voiceprints, and full-face photographic images. It even encompasses any unique identifying number, characteristic, or code associated with an individual.
This comprehensive list ensures that all relevant and potential patient identifiers are covered. It offers a thorough understanding of PHI under HIPAA regulations and highlights the importance of safeguarding these identifiers to protect patient privacy and confidentiality.
In the intricate landscape of healthcare data and privacy, understanding and correctly handling Protected Health Information (PHI) is crucial for adherence to regulations and preserving patient trust and safety. This is particularly vital in light of the Health Insurance Portability and Accountability Act (HIPAA). Let's explore PHI, its 18 identifiers, the potential repercussions of non-compliance, and the specific data not considered a HIPAA identifier.
PHI encompasses any data in a healthcare context that can be used to identify an individual, combined with information about their health status, provision of healthcare, or payment for healthcare services. Under HIPAA, 18 identifiers classify data as PHI, including names, geographic information smaller than a state, dates (excluding year) related to an individual, phone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health insurance beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers, device identifiers and serial numbers, web URLs, IP addresses, biometric identifiers like finger and voiceprints, full-face photographic images, and any unique identifying number, characteristic, or code.
However, it is important to note that not all health data falls within the scope of the HIPAA identifiers. Health information that cannot be used to identify an individual, and that provides no reasonable basis for identifying them, is known as de-identified data; it contains none of the 18 identifiers specified by HIPAA. Data also counts as de-identified when an expert has determined, using a statistical or scientific method, that there is a very low chance of it being used alone or in combination with other information to identify a person. As a result, HIPAA rules do not apply to de-identified data.
Understanding the distinction between PHI and de-identified data is essential for healthcare organizations and individuals who handle health information. It ensures compliance with HIPAA regulations and safeguards patient privacy while balancing the need for data utilization in healthcare research and analysis.
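The two passages above list the 18 identifier categories and explain that data stripped of them is de-identified. The following Python script is an added example, not code from the original post or from Blue Goat Cyber, showing how a defender can turn that list into a check: it scans a patient record for fields that carry an identifier category, scrubs them in the Safe Harbor style (dropping direct identifiers, keeping only the year of dates, truncating ZIP codes to three digits, redacting values with a recognizable shape), and then re-scans the output to confirm nothing remains. The field names, regular expressions and the sample record are constructed for this example; the patterns cover only identifier categories with a recognizable textual shape, and the ZIP truncation ignores the population condition that Safe Harbor attaches to it.

```python
import re

# Identifier categories that have a recognizable textual shape.
# Constructed for this example; tuned for the sample record, not exhaustive
# (e.g. the IP pattern would also hit a dotted version string).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),   # anything finer than a year
}

# Fields whose presence is itself one of the 18 categories, whatever the value.
# Hypothetical field names chosen for this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "mrn", "insurance_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "biometric", "face_photo",
}

# Constructed sample record (fictional data).
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1984-07-19",
    "admit_date": "2024-03-02",
    "zip": "85004",
    "phone": "(602) 555-0142",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-00912",
    "insurance_id": "XYZ123456",
    "portal_ip": "203.0.113.7",
    "notes": "Patient reports mild headache; see https://example.com/chart/912",
    "diagnosis": "Migraine without aura",
    "state": "AZ",
}


def scan_record(record):
    """Return {field: [categories]} for every field carrying an identifier."""
    findings = {}
    for field, value in record.items():
        cats = []
        if field in DIRECT_IDENTIFIER_FIELDS and value:
            cats.append(field)
        if isinstance(value, str):
            for cat, rx in PATTERNS.items():
                if rx.search(value):
                    cats.append(cat)
            # Geographic units smaller than a state: a full ZIP code.
            if field == "zip" and len(value) > 3:
                cats.append("geo_smaller_than_state")
        if cats:
            findings[field] = sorted(set(cats))
    return findings


def deidentify(record):
    """Safe Harbor style scrub: drop direct identifiers, generalise the rest."""
    clean = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop the field outright
        if isinstance(value, str):
            if field == "zip":
                value = value[:3]         # keep only the 3-digit prefix (simplified)
            else:
                # Dates: keep the year only.
                value = PATTERNS["full_date"].sub(lambda m: m.group(0)[:4], value)
                # Everything else with a recognizable shape gets redacted in place,
                # so free text such as clinical notes survives minus the identifier.
                for cat, rx in PATTERNS.items():
                    if cat != "full_date":
                        value = rx.sub(f"[REDACTED-{cat}]", value)
        clean[field] = value
    return clean


def verify_deidentified(record):
    """True when a re-scan of the scrubbed record finds no identifier at all."""
    return scan_record(deidentify(record)) == {}


if __name__ == "__main__":
    for field, cats in scan_record(SAMPLE_RECORD).items():
        print(f"{field:12s} -> {', '.join(cats)}")
    print(deidentify(SAMPLE_RECORD))
    print("clean:", verify_deidentified(SAMPLE_RECORD))
```

Re-scanning the scrubbed output is the useful part: the same detector that flags identifiers in the input doubles as the acceptance check for the de-identification step, which is how you keep a scrubbing pipeline from silently regressing when a new field is added to the record.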
HIPAA, or the Health Insurance Portability and Accountability Act, is a U.S. law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. Developed by the Department of Health and Human Services, these standards aim to improve the efficiency and effectiveness of the health care system.
Who Needs to Comply with HIPAA?
- Covered Entities: This is the primary group that needs to adhere to HIPAA. They include:
  - Health Plans: Insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, and government programs like Medicare and Medicaid.
  - Healthcare Providers: This encompasses doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies that transmit health information in electronic form in connection with transactions for which HHS has adopted standards.
  - Healthcare Clearinghouses: Entities that process nonstandard health information they receive from another entity into a standard format or vice versa.
- Business Associates: These are individuals or entities that perform certain functions or activities involving the use or disclosure of protected health information on behalf of, or provide services to, a covered entity. This could include consultants, billing companies, IT service providers like Blue Goat Cyber (especially when dealing with medical device security assessment and testing services), and others who have access to protected health information (PHI).
Common causes of data breaches in the healthcare industry fall into two groups: a significant number result from outside theft, and a considerable number are caused by internal mistakes or neglect. Insider mistakes that lead to breaches often involve mailing or email errors, such as employees clicking on phishing emails, forwarding emails containing sensitive information to personal accounts, or accessing protected health information without authorization. These actions account for a notable portion of data breaches in the healthcare sector.
HIPAA (Health Insurance Portability and Accountability Act) sets national standards for protecting sensitive patient health information. Medical device manufacturers that collect, transmit, or store PHI must ensure devices and supporting systems comply with HIPAA’s Security and Privacy Rules to prevent breaches and regulatory penalties.
The U.S. Department of Health and Human Services' OCR is responsible for enforcing HIPAA regulations. This includes investigating complaints, conducting audits, and issuing penalties for noncompliance. OCR also provides guidance on how covered entities and business associates can meet HIPAA obligations.
Top violations include:
- Unauthorized access or disclosure of PHI
- Inadequate administrative or technical safeguards
- Failure to provide timely breach notifications
- Lack of staff training
- Lost or stolen unencrypted devices
These issues often arise from poor access controls or insufficient cybersecurity measures.
Not typically. However, medical device manufacturers may be classified as business associates if their devices or services involve access to PHI on behalf of a covered entity (like a hospital). In such cases, they must sign Business Associate Agreements (BAAs) and meet HIPAA compliance obligations.
If a breach of unsecured PHI affects 500 or more individuals, the organization must notify affected individuals, the OCR, and sometimes the media within 60 days. OCR may investigate and impose civil monetary penalties, which can range from thousands to millions of dollars depending on severity and negligence.