The biggest data breach fines, penalties and settlements so far

Hacks and data thefts, enabled by weak security, cover-ups or avoidable mistakes, have cost these companies a total of nearly $1.2 billion and counting.

Page 2 of 2

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) fined Premera Blue Cross (PBC) after a breach affecting over 10.4 million people. PBC filed a breach report in March 2015 after attackers had gained unauthorized access to its systems. A phishing attack from 2014 went undetected for nearly nine months and resulted in the disclosure of more than 10.4 million individuals' protected health information, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.

OCR's investigation found "systemic noncompliance" with the HIPAA requirements, including failure to conduct a risk analysis, implement risk management, or put audit controls in place. These failures resulted in OCR issuing the second-largest HIPAA fine on record.

The University of Texas MD Anderson Cancer Center: $4.3 million

In June 2018 a judge upheld the decision to fine the University of Texas MD Anderson Cancer Center $4.3 million for HIPAA violations. The cancer center suffered three data breaches between 2012 and 2013, which resulted in the loss of health information of over 33,500 individuals. In one case an unencrypted laptop was stolen from an employee's residence. The other two breaches involved the loss of unencrypted USB drives.

Fresenius Medical Care North America: $3.5 million

HIPAA failures strike again. In February 2018 Fresenius Medical Care North America (FMCNA) was slapped with a bill for $3.5 million after suffering five separate breaches at different company locations between February and July 2012. An investigation by the Office for Civil Rights found FMCNA had failed to "conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the health information it was storing across its different entities."

These failures included not preventing unauthorized access to facilities and equipment, failing to encrypt health data, not governing the removal of electronic media holding health data, and lacking security incident procedures.

Cottage Health, Touchstone Medical Imaging, and University of Rochester Medical Center (URMC): $3 million each

2019 saw three $3 million HIPAA settlements: Cottage Health, Touchstone Medical Imaging, and the University of Rochester Medical Center.

Cottage Health was fined for two breaches, one in 2013 and another in 2015, which exposed the electronic protected health information (ePHI) of over 62,500 individuals. Both incidents involved servers holding ePHI being accessible over the internet.

Tennessee-based Touchstone Medical Imaging was fined after leaving the protected health information (PHI) of over 300,000 patients available online through an exposed FTP server. Touchstone was notified about this exposure by the FBI in 2014 but claimed no patient PHI was exposed.

The US Department of Health and Human Services (HHS) found that Touchstone “did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.” In addition, the HHS said that notification to individuals affected by the breach was “untimely,” that Touchstone “failed to conduct an accurate and thorough risk analysis of potential risks,” and the company “failed to have business associate agreements in place with its vendors.”

In November 2019 the University of Rochester Medical Center (URMC) was also fined $3 million for failing to encrypt mobile devices. The center, which includes the School of Medicine and Dentistry and Strong Memorial Hospital, lost an unencrypted flash drive in 2013 and had an unencrypted laptop stolen in 2017. URMC was fined for failing to properly protect protected health information despite having previously reported a breach involving an unencrypted drive in 2010.

Jackson Health System: $2.15 million

Another large HIPAA violation, this time for Miami nonprofit academic medical system Jackson Health System (JHS), which runs a number of hospitals and care centers in Florida. JHS was fined $2.15 million by HHS over several incidents between 2013 and 2016.

Although JHS did report the loss of paper records on 756 patients to HHS in 2013, it failed to report the loss of a further three boxes of patient records uncovered by an internal investigation. In 2015 JHS discovered two employees had accessed a patient's electronic medical record without a job-related purpose. In 2016 JHS reported a breach after finding that an employee had been selling patient data since 2011, totaling 24,000 patients' records.

Equifax, Facebook, DSG Retail Limited, and Cathay Pacific: $650,000 each

Four companies fined in the UK can count themselves lucky. In 2018 the UK Information Commissioner's Office (ICO) fined Equifax and Facebook for data failures under the pre-GDPR Data Protection Act (DPA), in which the highest possible fine is just £500,000 (~$650,000). Under GDPR, the penalties could have been much higher. Facebook was slapped with the bill in October over the Cambridge Analytica data scandal, while Equifax was handed the maximum penalty in September for its 2017 breach.

In early 2020, almost two years after the introduction of GDPR, the regulator fined two more companies under the old DPA. UK retailer DSG Retail Limited (DSG) received the fine after point-of-sale malware was discovered on over 5,000 machines at its Currys PC World and Dixons Travel stores. Because the attack started in July 2017, before GDPR came into force, the company was fined the old maximum of £500,000, even though the attackers were reportedly still collecting information until April 2018, after the new regulations took effect.

The attack enabled unauthorized access to 5.6 million payment card details and the personal information of approximately 14 million people, including full names, postcodes, email addresses, and failed credit checks held on internal servers. The ICO found the company had "poor security arrangements" and failed to take adequate steps to protect personal data, citing inadequate patching, the absence of a local firewall, a lack of network segregation, and no routine security testing. The ICO had previously fined DSG's Carphone Warehouse £400,000 (~$520,000) for similar failings in January 2018.

Hong Kong airline Cathay Pacific was fined the DPA maximum in March 2020 for "failing to protect the security of its customers' personal data." The ICO ruled that between October 2014 and May 2018 Cathay Pacific's systems "lacked appropriate security measures," leading to customers' personal details being exposed.

Copyright © 2020 IDG Communications, Inc.
