HIPAA Horror Stories: 5 True HIPAA Violation Cases


Between April 2003 and August 2019, 39,132 HIPAA violation complaints were filed. Of those complaints, 30% were found to involve no violation.

The remaining 70% resulted in corrective action. While it’s good that most HIPAA violation cases end up being corrected, no patient should have to file a complaint in the first place.

Yes, companies in violation are subject to fines and penalties. They may even have to pay a certain amount in settlement fees. 

But the damage to the patient is already done. And there’s not much that can make up for that. 

To help you better understand what happens when a breach of confidentiality occurs, keep reading. We’re sharing five HIPAA violation stories with you.

1. Some HIPAA Violation Cases Can Send a Person to Prison

It all began when a cardiothoracic surgeon from China named Huping Zhou was fired from his job. Huping Zhou had been working as a researcher at the UCLA School of Medicine.

It was there that Zhou received a notice of dismissal due to job performance issues. After he was dismissed, he decided to illegally access the UCLA medical records system.

And he didn’t just access it once or twice. He illegally accessed the system over 300 times. Zhou viewed not only the health records of his immediate supervisor and co-workers, but he also accessed the health records of celebrities, such as Drew Barrymore and Tom Hanks. 

Zhou’s crimes were discovered. He pled guilty and was sentenced to four months in jail along with a $2,000 fine. 

2. HIV Status Revealed to Employer

Here is one of the HIPAA violation lawsuit examples that shows how easily mistakes are made when medical employees are not trained properly, especially when they work in a hospital setting.

Mount Sinai St. Luke’s Hospital faxed a document disclosing the patient’s HIV status to the mailroom of the patient’s employer. The patient had signed an Authorization for Release of Medical Information form to have his information sent to a post office box.

The patient filed a lawsuit for $2.5 million in damages after he was forced to quit his job and lost most of his health benefits. The hospital made no attempt to compensate the patient but did agree to review its policies and procedures.

3. 19 People Fired for Snooping into Britney Spears’ Mental Health Status

It’s been widely documented that pop singer Britney Spears has struggled with mental health issues for some time. This is one of those HIPAA violation examples where temptation proved too great and resulted in a mass firing.

Six doctors and 13 employees at the UCLA Medical Center decided to take a look at Britney Spears’ medical records after her 2008 psychiatric hospitalization. While staff involved in a patient’s care routinely view that patient’s records, none of these people had a legitimate medical reason to view hers.

In fact, many of the employees were not doctors, nor were they even medical support staff. This is one of those HIPAA violation stories that could have been avoided if the hospital had followed the principle of least privilege.

Under this principle, employees can access only the data that is necessary to perform their jobs.
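The following is an added illustration of how the principle of least privilege is enforced in practice, and of how the audit trail it produces can surface the kind of chart-snooping described in the two UCLA stories above. It is not code from the article or from any real EHR product; the roles, users, patients and log entries are constructed examples, and the record types and thresholds are assumptions.

```python
"""
Least-privilege access checks for an electronic health record (EHR),
with an audit trail and a simple snooping detector.

Added illustration, not code from the article or from any real EHR system.
All users, roles, patients and thresholds below are constructed examples.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed role scopes: which record types each role may see at all.
ROLE_SCOPES = {
    "clinician": {"clinical_notes", "labs", "demographics"},
    "billing": {"demographics", "insurance"},
    "researcher": set(),  # identified records are outside this role entirely
}

# Constructed workforce roster: user -> role. A dismissed user should be
# removed from here; "res_former" is left in to show what happens when that step is missed.
USERS = {
    "dr_lee": "clinician",
    "billing_kim": "billing",
    "res_former": "researcher",
}

# Constructed care assignments: user -> patients they are actually treating or billing.
ASSIGNMENTS = {
    "dr_lee": {"P001", "P002"},
    "billing_kim": {"P001", "P002", "P003"},
}


@dataclass
class AuditEntry:
    user: str
    patient: str
    record_type: str
    allowed: bool
    reason: str


@dataclass
class Ehr:
    audit: list = field(default_factory=list)

    def check_access(self, user, patient, record_type):
        """Grant only if the user's role covers the record type AND the user has a
        current assignment to this patient. Every decision, allowed or denied, is logged."""
        role = USERS.get(user)
        if role is None:
            return self._log(user, patient, record_type, False, "unknown or deprovisioned user")
        if record_type not in ROLE_SCOPES[role]:
            return self._log(user, patient, record_type, False, "record type outside role scope")
        if patient not in ASSIGNMENTS.get(user, set()):
            return self._log(user, patient, record_type, False, "no treatment or billing relationship")
        return self._log(user, patient, record_type, True, "ok")

    def _log(self, user, patient, record_type, allowed, reason):
        self.audit.append(AuditEntry(user, patient, record_type, allowed, reason))
        return allowed


def flag_snooping(audit, max_denied_patients=3):
    """Return users whose denied attempts span more than max_denied_patients distinct
    patients. One or two denials are usually mistakes; denials across many charts are
    the pattern worth a compliance review."""
    denied = defaultdict(set)
    for entry in audit:
        if not entry.allowed:
            denied[entry.user].add(entry.patient)
    return sorted(u for u, patients in denied.items() if len(patients) > max_denied_patients)


def demo():
    """Constructed sequence of access attempts; returns the EHR with its audit trail."""
    ehr = Ehr()
    ehr.check_access("dr_lee", "P001", "labs")                 # allowed: her patient, in scope
    ehr.check_access("dr_lee", "P003", "labs")                 # denied: not her patient
    ehr.check_access("billing_kim", "P001", "clinical_notes")  # denied: outside billing scope
    # A user whose account was never disabled after dismissal probes many charts.
    for pid in ["P001", "P002", "P003", "P004", "P005"]:
        ehr.check_access("res_former", pid, "clinical_notes")
    return ehr


if __name__ == "__main__":
    ehr = demo()
    for e in ehr.audit:
        verdict = "ALLOW" if e.allowed else "DENY"
        print(f"{e.user:12} {e.patient} {e.record_type:15} {verdict:5} {e.reason}")
    print("flagged for review:", flag_snooping(ehr.audit))
```

Two design points matter here. Role scope alone is not least privilege: a clinician still needs a current treatment relationship with the specific patient, which is the check the UCLA employees would have failed. And denials are logged rather than silently dropped, because the audit trail is what lets a compliance team tell an honest mis-click from a pattern of hundreds of lookups.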

4. HIPAA Violation Examples on Social Media

Unfortunately, there are many HIPAA violation stories that involve social media. While social media can be a positive place to share information that can help save lives, you also need to be very careful about what you share.

In 2010, a nurse treated a patient with a gunshot wound. The patient was also accused of killing a cop. 

The nurse took to social media to express her thoughts about the patient. While she left out names, she posted enough details that other social media users could quickly connect her post with news coverage.

The nurse was fired from her job as a result. 

Med Tech in 2017 Who Also Posted Too Many Identifying Details

You’d think we’d learn, but in 2017, a med technician wrote a post on Facebook about a car crash victim. Her direct quote was, “Should have worn her seatbelt…”

While this may seem vague and, yes, seatbelts should be worn, the comment contained enough information that the patient was identified. The med technician was immediately fired for a HIPAA violation. 

5. Not Okay to Share Medical Information with Anyone

While we all know it’s not okay to share private medical information with a patient’s employer, it’s also a breach of confidentiality to share private medical information with a patient’s family without consent.

A nurse working at a clinic in New York became one of many HIPAA violation examples when her sister-in-law’s boyfriend was diagnosed with an STD (sexually transmitted disease). The nurse in question sent out six text messages to warn the patient’s girlfriend about his STD. 

The patient sued, but the trial court judge dismissed the claim on the grounds that the nurse’s actions were both based on personal reasons and unforeseeable. However, the patient appealed the court’s decision. 

While this example does seem unavoidable, the clinic should never have let the nurse treat a close personal acquaintance either. 

HIPAA Violation Cases Aren’t Worth the Fines and Lawsuits

While HIPAA laws and policies have been around for a while, violations still occur. In fact, in 2018, the largest HIPAA settlement to date happened. 

In October 2018, Anthem Inc. settled a HIPAA violation case for $16 million. This hefty fine was due to the extent of the HIPAA violations along with the scale of its 2015 data breach.

The 2015 data breach involved protected health information of approximately 78.8 million plan members stolen by hackers. 

Learn from Their Mistakes

Sometimes honest mistakes do happen. But there should be fewer HIPAA violation cases as more people receive proper training. 

Properly trained staff with access to the right solutions mean less worry and lower costs for your business. Don’t wait until there’s a problem. Contact us today to find out how we can help make sure your business is HIPAA compliant.

HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
