The Office for Civil Rights had a year. Twenty enforcement actions. Settlements and civil monetary penalties ranging from $25,000 to $3 million. A brand-new Risk Analysis Initiative that generated seven enforcement actions in its first six months. And a continuing Right of Access Initiative that hit its 54th case by December.
The organizations that got caught weren't all large hospital systems. A medical billing company. An eyewear retailer. An ambulance authority. A wellness program vendor. A radiology practice. If you think HIPAA enforcement only targets big players, 2025 should change your mind.
Here’s who paid, what they did wrong, and what your practice can learn from each case.
The Biggest HIPAA Settlements of 2025
1. Solara Medical Supplies – $3,000,000
The year's largest settlement arrived on January 14, 2025. Solara Medical Supplies, a California-based supplier of insulin pumps and continuous glucose monitors, agreed to pay $3 million to resolve alleged HIPAA Security Rule and Breach Notification Rule violations.
In 2019, a phishing attack compromised multiple employee email accounts. Attackers had access for months before anyone noticed. The breach exposed ePHI for about 114,000 patients – names, Social Security numbers, financial accounts, health insurance information, and clinical details.
OCR's problem wasn't that Solara got phished. Phishing happens. The problem was that Solara had not conducted a thorough risk analysis before the attack, had not implemented adequate monitoring of its email systems, and then took too long to notify patients after the breach was discovered.
Three million dollars, for a breach that started with one employee clicking one link. The phishing email was the trigger; the missing risk analysis was the HIPAA violation.
2. Warby Parker – $1,500,000
On February 20, 2025, OCR imposed a $1.5 million civil monetary penalty on Warby Parker, the eyewear company. As a provider of prescription eyewear, Warby Parker handles prescriptions and vision records, which makes it a covered entity under HIPAA.
The penalty stemmed from a 2018 credential stuffing attack. Attackers took username/password combinations from other breaches and tried them on Warby Parker’s systems. Because people reuse passwords, roughly 200,000 customer accounts were compromised.
OCR found Warby Parker had not conducted an adequate risk analysis, had not implemented sufficient access controls, and was not regularly reviewing records of system activity (audit logs) that would have surfaced the unauthorized access sooner. The $1.5 million penalty arrived six years after the breach. OCR has a long memory.
3. Heritage Valley Health System – $950,000
Heritage Valley, a Pennsylvania health system, paid $950,000 to settle alleged HIPAA Security Rule violations tied to the 2017 NotPetya malware attack. The malware entered Heritage Valley's network through a connection with its business associate, Nuance Communications, as part of the global NotPetya outbreak.
OCR's investigation found the usual suspects: no adequate risk analysis, and no contingency plan for responding to an emergency that damages systems containing ePHI. The case is a reminder that you don't have to be the direct target of an attack; your vendor's compromise can become your compliance failure.
4. BayCare Health System – $800,000
BayCare, a large Florida-based health system, settled in May 2025 for $800,000 over a malicious insider incident. An employee accessed patient records without authorization: a classic insider threat.
The fine wasn't for having a bad employee. It was for not catching them. BayCare had not implemented sufficient controls to track who was accessing patient records and to flag unusual access patterns. An authorized user was viewing records they had no business reason to see, and the organization's systems weren't catching it.
The settlement included a two-year corrective action plan monitored by OCR. That monitoring is its own burden: regular reporting, audits, and the constant knowledge that OCR is watching everything you do.
5. PIH Health – $600,000
PIH Health, a Southern California health system, settled for $600,000 in May 2025 following a phishing breach. OCR's investigation found that PIH had failed to conduct a thorough security risk analysis and had not implemented sufficient safeguards for ePHI.
Another phishing case. Another missing risk analysis. The pattern is getting repetitive because the underlying failure is the same.
OCR’s Risk Analysis Initiative: 7 Enforcement Actions and Counting
In late 2024, OCR formally launched the Risk Analysis Initiative, a targeted enforcement campaign focused specifically on organizations that have not conducted adequate security risk analyses. By mid-2025, seven enforcement actions had come out of this effort alone. By early 2026, that number hit 11 with the Top of the World Ranch settlement.
OCR made the reasoning explicit: the risk analysis is the foundation of HIPAA Security Rule compliance. Everything else (access controls, workforce training, incident response) is supposed to flow from a documented understanding of where your ePHI lives and what threatens it. Skip the risk analysis, and your entire compliance program is built on sand. If you haven't done one, the risk assessment guide is where to start.
Here are the organizations caught in the effort:
6. Northeast Radiology – $350,000
On April 10, 2025, OCR announced a $350,000 settlement with Northeast Radiology, a Connecticut-based imaging practice. The case involved an exposed PACS server that left imaging records accessible to unauthorized users. OCR's investigation found the practice had not conducted an adequate risk analysis. Two-year corrective action plan.
A radiology practice. Not a hospital system. Not a national health plan. A specialty practice that handles imaging data. If they can get hit, so can you.
7. USR Consulting – $337,750
Announced January 8, 2025, this settlement involved a business associate whose database was accessed by an unauthorized third party. The attacker not only accessed but deleted ePHI belonging to over 2,900 people. USR agreed to pay $337,750 and submit to two years of OCR monitoring.
8. Syracuse ASC – $250,000
On July 24, 2025, OCR settled with an ambulatory surgery center in Syracuse for $250,000 following a ransomware breach affecting 24,891 people. The investigation found an insufficient risk analysis and inadequate safeguards. Two-year corrective action plan.
An ambulatory surgery center. Not a massive operation. The kind of facility that exists in every mid-sized city in America.
9. Health Fitness Corporation – $227,816
Health Fitness Corporation, an Illinois-based employer wellness program company, settled for $227,816 as the fifth action under the Risk Analysis Initiative. The case stemmed from a 2019 breach affecting roughly 4,300 people.
OCR's investigation found the company had never conducted a thorough risk analysis. Not an outdated one. Not an incomplete one. Never done at all. Health Fitness Corporation is a business associate, a mid-size company that probably assumed HIPAA compliance was primarily the covered entity's problem. OCR disagrees.
10. Behavioral Health Solution of Deer Oaks – $225,000
On July 7, 2025, OCR reached a $225,000 settlement with Deer Oaks, a behavioral health provider, for failing to conduct an adequate risk analysis and lacking appropriate safeguards for ePHI. Two-year corrective action plan.
11. Cadia Healthcare Facilities – $182,000
On September 30, 2025, OCR settled with five healthcare providers collectively known as Cadia Healthcare Facilities for $182,000 over HIPAA Privacy Rule and Breach Notification Rule violations. The case involved impermissible disclosure of patients' health information. Two-year corrective action plan.
12. Bryan County Ambulance Authority – $90,000
An Oklahoma EMS provider hit by ransomware. No adequate risk analysis before the attack. OCR settled for $90,000 with a three-year corrective action plan. An ambulance authority, a small emergency services operation in rural Oklahoma. OCR doesn't care about your size.
13. Elgon Information Systems – $80,000
A business associate that provides IT services, hit by ransomware affecting patient data. Settlement: $80,000 plus three years of OCR monitoring. Another example of why business associate agreements need teeth, and why BAs need their own compliance programs.
14. Comstar – $75,000
Comstar, a Massachusetts EMS billing company, paid $75,000 in May 2025. Another business associate. Gaps in its risk management practices surfaced after an impermissible disclosure of patient ePHI.
15. Guam Memorial Hospital Authority – $25,000
A public hospital in Guam hit by ransomware, with a secondary incident in which two former employees accessed systems after their termination. Settlement: $25,000 plus three years of OCR monitoring.
Twenty-five thousand dollars. For a public hospital on a Pacific island territory. OCR’s enforcement reach has no geographic boundaries and no minimum threshold for action.
16. Vision Upright MRI – $25,000
Fined $25,000 after failing to perform any risk analysis whatsoever and delaying breach notification following a server attack. The smallest fine on the list, but the message is clear: even $25,000 hurts when you're a small imaging facility, and the corrective action plan obligations hurt more.
The Right of Access Cases Keep Coming
On December 16, 2025, OCR reached a $112,500 settlement with Concentra, a Texas-based occupational health company operating urgent care clinics nationwide. The case came from OCR’s Right of Access Initiative.
A patient first requested his health records in February 2018. He made six separate requests over the following months. He didn't receive his records until March 2019, more than a year after his initial request. HIPAA requires you to fulfill records requests within 30 days (one 30-day extension is allowed, and only if you tell the patient in writing why you need it).
This was the 54th enforcement action under the Right of Access Initiative, which has now been running under three HHS secretaries and across two presidential administrations. It’s one of OCR’s most reliable enforcement pipelines because the cases are easy to prove: patient asked for records, didn’t get them in time, complained to OCR. The paper trail writes itself.
If your practice has any ambiguity about your records request process – who receives requests, who fulfills them, what the turnaround time is, what happens when it slips – fix it before a patient files a complaint.
The 3 Patterns Behind Every HIPAA Fine in 2025
Look across all 20 enforcement actions and the same failures show up in different combinations.
Pattern 1: No Adequate Risk Analysis (13 of 20 Cases)
This appeared in 13 of the 20 enforcement actions. Thirteen out of twenty. OCR's corrective action plans almost universally require organizations to conduct a new, thorough risk analysis as step one. The Security Rule has required this since 2003. Organizations are still getting caught without one in 2025.
A compliant risk analysis isn't a form you fill out once and file away. It's a documented process that identifies where all your ePHI exists: in your EHR, yes, but also in email, billing systems, backup drives, paper files, cloud storage, mobile devices, and every other place data touches. It assesses threats and vulnerabilities, evaluates likelihood and impact, identifies existing controls, and produces a remediation plan with timelines.
Most practices that claim they've "done" a risk analysis have done something lighter than this. OCR knows the difference. The 'addressable doesn't mean optional' principle applies here: every addressable specification needs a documented decision, either that you implemented it or a written reason why it wasn't reasonable and appropriate and what equivalent measure you put in its place.
Pattern 2: No Monitoring or Access Controls
The BayCare insider case. The Warby Parker credential stuffing attack. Gulf Coast Pain Consultants, hit with a $1.19 million penalty in late 2024 for failing to terminate a former contractor's access to systems containing ePHI. If you can't see who's accessing records and you can't revoke access when someone leaves, you're exposed.
You don't need AI-powered monitoring tools. You need audit logs, someone who actually reviews them, and a process for terminating access on the same day an employee or contractor departs. The proposed Security Rule update would make MFA mandatory; get ahead of it now.
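What "someone who reviews the audit logs" looks like in practice is three simple checks, one for each failure above: access by an account that should have been terminated, one user reading far more charts than their peers, and one source address failing logins against many accounts. The script below is an added example written for this article, not code from the original page, from OCR, or from any EHR vendor; the log format, the HR termination feed, the user and IP addresses, and the thresholds are all constructed for the example and would need tuning against your own baseline.

```python
"""Review EHR access audit logs for the three failure modes behind the cases
above: access after termination, insider chart snooping, and credential
stuffing. Log schema, thresholds and sample data are assumptions for this
example, not any vendor's real format.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, user, source IP, event type
# (login_fail / view_record), patient MRN (blank for login events).
SAMPLE_LOG = """\
ts,user,src_ip,event,mrn
2025-03-03T08:02:10,nurse01,10.0.5.21,view_record,MRN1001
2025-03-03T08:05:42,nurse01,10.0.5.21,view_record,MRN1002
2025-03-03T08:10:03,nurse02,10.0.5.22,view_record,MRN1003
2025-03-03T08:12:55,nurse02,10.0.5.22,view_record,MRN1004
2025-03-03T09:00:00,dr03,10.0.5.40,view_record,MRN1001
2025-03-03T09:20:00,dr03,10.0.5.40,view_record,MRN1005
2025-03-03T11:59:30,nurse01,10.0.5.21,login_fail,
2025-03-03T12:30:00,clerk04,10.0.5.61,view_record,MRN2001
2025-03-03T12:31:00,clerk04,10.0.5.61,view_record,MRN2002
2025-03-03T12:32:00,clerk04,10.0.5.61,view_record,MRN2003
2025-03-03T12:33:00,clerk04,10.0.5.61,view_record,MRN2004
2025-03-03T12:34:00,clerk04,10.0.5.61,view_record,MRN2005
2025-03-03T12:35:00,clerk04,10.0.5.61,view_record,MRN2006
2025-03-03T12:36:00,clerk04,10.0.5.61,view_record,MRN2007
2025-03-03T12:37:00,clerk04,10.0.5.61,view_record,MRN2008
2025-03-04T22:15:00,contractor7,198.51.100.14,view_record,MRN1001
2025-03-05T02:00:01,user_a,203.0.113.9,login_fail,
2025-03-05T02:00:02,user_b,203.0.113.9,login_fail,
2025-03-05T02:00:03,user_c,203.0.113.9,login_fail,
2025-03-05T02:00:04,user_d,203.0.113.9,login_fail,
2025-03-05T02:00:05,user_e,203.0.113.9,login_fail,
"""

# Constructed HR feed: account -> termination date. Accounts not listed are active.
TERMINATED = {"contractor7": datetime(2025, 2, 28)}

# Assumed review thresholds; derive real values from your own access baseline.
SNOOP_MULTIPLIER = 3            # distinct charts viewed vs. peer median
SNOOP_MIN_CHARTS = 6            # ignore low-volume noise
STUFFING_WINDOW = timedelta(minutes=10)
STUFFING_MIN_ACCOUNTS = 5       # distinct accounts failing from one IP in the window


def parse_log(text):
    """Parse the CSV audit log into dicts with a real datetime in 'ts'."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["ts"])
        rows.append(r)
    return rows


def post_termination_access(rows, terminated):
    """Any event by a terminated account after its termination date."""
    return [
        {"type": "post_termination_access", "user": r["user"], "ts": r["ts"].isoformat()}
        for r in rows
        if r["user"] in terminated and r["ts"] > terminated[r["user"]]
    ]


def snooping_users(rows):
    """Users who viewed many times more distinct charts than the peer median."""
    charts = defaultdict(set)
    for r in rows:
        if r["event"] == "view_record":
            charts[r["user"]].add(r["mrn"])
    counts = sorted(len(s) for s in charts.values())
    if not counts:
        return []
    median = counts[len(counts) // 2]
    return [
        {"type": "excessive_chart_access", "user": u, "charts": len(s), "peer_median": median}
        for u, s in charts.items()
        if len(s) >= SNOOP_MIN_CHARTS and len(s) > SNOOP_MULTIPLIER * median
    ]


def credential_stuffing_sources(rows):
    """Source IPs with failed logins against many distinct accounts in a short window."""
    fails = defaultdict(list)
    for r in rows:
        if r["event"] == "login_fail":
            fails[r["src_ip"]].append((r["ts"], r["user"]))
    findings = []
    for ip, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide a window from each failure
            users = {u for t, u in events[i:] if t - start <= STUFFING_WINDOW}
            if len(users) >= STUFFING_MIN_ACCOUNTS:
                findings.append({"type": "credential_stuffing", "src_ip": ip, "accounts": len(users)})
                break
    return findings


def review(text, terminated=TERMINATED):
    """Run all three checks over one log and return the combined findings."""
    rows = parse_log(text)
    return post_termination_access(rows, terminated) + snooping_users(rows) + credential_stuffing_sources(rows)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the script flags contractor7 (chart viewed four days after the HR termination date), clerk04 (eight distinct charts against a peer median of two), and 203.0.113.9 (five accounts failing login within five seconds); nurse01's single typo'd password is not flagged. The point is not the thresholds but the loop: the HR feed and the audit log are joined on a schedule, and a human looks at whatever comes out.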
Pattern 3: Slow or Missing Breach Notification
Solara took too long to notify patients. Vision Upright MRI delayed notification after a server attack. The clock under HIPAA starts when you discover the breach (or reasonably should have discovered it), not when your investigation is complete. Notification must go out without unreasonable delay and no later than 60 days after discovery; 60 days is the ceiling, not the target. Most organizations that miss the deadline aren't being malicious. They're scrambling to understand what happened and hoping the timeline hasn't expired. It usually has.
The March 1 small-breach reporting deadline catches many practices off guard too: breaches affecting fewer than 500 people still have to be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered, an annual rule that's easy to miss.
It’s Not Just Hospitals Getting HIPAA Fines
Here's what stands out about the 2025 enforcement list: the diversity of organizations that got caught.
- A medical device supplier (Solara)
- An eyewear retailer (Warby Parker)
- A health system (BayCare, Heritage Valley, PIH Health)
- An ambulatory surgery center (Syracuse ASC)
- A behavioral health provider (Deer Oaks)
- An EMS billing company (Comstar)
- An ambulance authority (Bryan County)
- A wellness program company (Health Fitness)
- An IT services company (Elgon)
- A consulting firm (USR)
- A radiology practice (Northeast Radiology)
- An occupational health company (Concentra)
- A public hospital in Guam
If you handle ePHI in any capacity, as a covered entity or a business associate, OCR can and will investigate you. The $25,000 fine for Vision Upright MRI and the $3 million fine for Solara came from the same enforcement program, applied to the same fundamental failures, scaled to the size and severity of the case.
What These HIPAA Fines Signal for 2026
The Risk Analysis Initiative is not winding down. OCR has said explicitly that it will continue prioritizing Security Rule compliance. The new administration has kept up the enforcement pace, something that surprised observers who expected a regulatory pullback.
The proposed HIPAA Security Rule updates, if finalized, will raise the baseline considerably: mandatory MFA, mandatory encryption of ePHI at rest and in transit, vulnerability scanning at least every six months with annual penetration testing, and a maintained technology asset inventory. Organizations that haven't started moving toward these controls will face a compliance cliff. And as of January 2026, HIPAA penalty amounts increased again, with inflation adjustments pushing the maximum annual cap to $2,190,294 per violation category.
The Change Healthcare breach put vendor management in OCR’s crosshairs. Expect enforcement actions related to inadequate business associate oversight to increase.
Here's how to read OCR's direction: it will keep finding organizations that haven't done the foundational work, and it will keep making examples of them.
The foundational work isn't complicated. A risk analysis. Documented policies that people actually follow. Staff training that's current and recorded. Audit logs that get reviewed. Breach notification procedures that are tested before you need them. Access termination that happens on day one, not day thirty.
In 2025, organizations that skipped this work wrote checks ranging from $25,000 to $3 million. The only question is whether your practice has done the work to stay off next year's list.
Related Reading
- How to Run a Risk review That Won’t Get You Fined
- HIPAA Fines Just Went Up – New Penalty Amounts for 2026
- Why ‘Addressable’ Doesn’t Mean ‘Optional’
- The New HIPAA Security Rule Is Coming
- The affordable HIPAA Compliance Starter Kit
Need help with your risk analysis or compliance program? One Guy Consulting offers affordable HIPAA compliance packages, including the risk assessment that OCR keeps fining people for not doing.
Related: OCR audit program