Date

Entity Name

Payment Amount

Allegation of Wrong-Doing

1/3/23

Life Hope Labs

$16,500

Right-of-access violation

2/2/23

Banner Health Affiliated Covered Entities

$1,200,000

Hacking led to impermissible disclosure of protected health information (PHI) of 2.81 million individuals; security rule compliance failures

5/8/23

David Mente

$15,000

Right-of-access violation

5/16/23

MedEvolve

$350,000

Impermissible disclosure of PHI of 230,725 individuals due to an unsecured server on the internet; lack of risk analysis and business associate agreement

6/5/23

Manasa Health Center

$30,000

Impermissible disclosure in response to a bad review

on social media

6/15/23

Yakima Valley Memorial Hospital

$240,000

Inappropriate access to 419 individuals’ medical records by 23 emergency department security guards

6/28/23

iHealth Solutions

$75,000

Exfiltration from an unsecured server of electronic PHI of 267 individuals; lack of risk analysis

8/24/23

UnitedHealthCare

$80,000

Right-of-access violation

9/11/23

L.A. Care Health Plan

$1,300,000

Inappropriate disclosure of members’ PHI via a patient portal; inappropriate disclosure of PHI of 1,498 individuals due to a mailing error

10/31/23

Doctors’ Management Services

$100,000

Ransomware attack exposed 1,200,000 ePHI of 206,695 individuals; security rule failures

11/20/23

St. Joseph’s Medical Center

$80,000

Disclosure of COVID-19 patients’ PHI to national media outlet without prior authorization

12/7//23

Lafourche Medical Group

$480,000

Phishing attack via email led to inappropriate disclosure of PHI of 34,862 individuals; lack of risk analysis

12/15/23

Optum Medical Care of New Jersey

$16,000

Right-of-access violation

Total

$3,982,500