More great reporting and analysis by Therese Defino of the Health Care Compliance Association (HCCA):
A single incident that may have started as a personal vendetta or an extortion threat seven years ago has cost a Florida health care system $800,000, and comes on the heels of an unrelated breach suffered by a different hospital in the same organization just last year.
The payment by Clearwater, Fla.-based BayCare Health System, which the HHS Office for Civil Rights (OCR) announced May 15,[1] was the third priciest of 2025, following a $3 million settlement with a diabetes supply firm and a $1.5 million fine OCR imposed on eyewear vendor Warby Parker.[2]
BayCare’s was one of three OCR enforcement actions the agency made public in May; all were accompanied by two-year corrective action plans (CAPs).
On May 30, two days after the BayCare announcement, OCR said a business associate (BA) in Rowley, Mass., agreed to a $75,000 settlement stemming from a 2022 ransomware attack that encrypted the protected health information (PHI) of nearly 560,000 patients of 70 covered entities (CEs) it served.[3]
All three settlements contribute to the long-standing puzzle of how OCR determines financial payment amounts, bedeviling CEs, BAs, attorneys and experts alike. Vision Upright MRI of San Jose, Calif., agreed to pay just $5,000 to settle allegations that it failed both to conduct a security risk analysis and to notify the 22,000 affected individuals within the required 60 days.[4]
As of June 1, OCR had issued 15 enforcement actions this year, nine of which were announced by former OCR Director Melanie Fontes Rainer, a Biden appointee who resigned in mid-January and later shared exclusively with RPP her concerns about the future of the agency.[5] OCR has collected a total of $7,610,316 from its enforcement actions so far this year.
Read more at JDSupra.