$11 Million False Claims Act Cybersecurity Settlement Reminds Health Plas HIPAA Isn’t Only Cyberbreach Exposure

March 17, 2025

The more than $11 million Health Net Federal Services Inc. (“HNFS”) and its corporate parent Centene Corporation, have agreed to pay under a settlement resolving claims that HNFS falsely certified compliance with cybersecurity requirements in a contract with the U.S. Department of Defense (“DoD”) reminds health industry organizations that Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is only one of many federal statutes under which their organizations and their leaders can incur liability for cybersecurity breaches or other deficiencies. As the HNFS settlement makes clear, for instance, HIPAA Entities and other businesses that violate conditions of participation or contractual requirements for federal program participation also risk potential significant liability for deficiency in their compliance with data security, privacy or other cybersecurity requirements of those programs.

HIPAA Important But Not Only Cyber Liability Risk For Health Industry Organizations

Most health care providers, health insurers and other health plans, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively, “HIPAA Entities”) recognize the importance of complying with the national standards for the protection of individuals’ electronic protected health information (“ePHI”) set forth in HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA” Rules”) to minimize or avoid painful civil monetary penalties or even criminal liability HIPAA authorizes for violations of HIPAA.

While the lengthy and growing list of HIPAA civil monetary penalties and resolution agreements obtained by the Department of Health and Human Services (“HHS”) Office of Civil Rights found to have violated the Security or other requirements of the HIPAA Rule shows the continued importance for HIPAA Entities to maintain HIPAA compliance, enforcement actions like the HNFS drive home that HIPAA Entities should not ignore other important cybersecurity obligations arising from the cybersecurity requirements created under terms of participation applicable to federal programs, or other applicable laws or statutes.

HNFS False Claims Act Cyber Liability Settlement

The HNFS enforcement action and settlement reveals False Claims Act liability as another significant cyber liability risk for health care providers, health care exchange insurers, Medicare Advantage, Medicaid Advantage, SCHIP, TRICARE and other military health, health technology, and other health industry organizations and their business associates and other subcontractors, who are government contractors or grant recipients.

The Justice Department previously has warned federal contractors that failing to fulfill or falsely certifying their compliance with required cybersecurity standards applicable to their contracts or programs could expose them to civil liability for violation of the False Claims Act[1] (“FCA”).  On October 6, 2021, then Deputy Attorney General Lisa O. Monaco announced a Civil Cyber-Fraud Initiative would use the FAC to hold accountable government contractors and grant recipients that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches applicable to their federal contracts or programs.

To violate the FCA, the government contractor or other accused person must have submitted, or caused the submission of, the false claim or made a false statement or record with knowledge of the falsity.  Under Section 3729(b)(1), knowledge of false information is defined as being (1) actual knowledge, (2) deliberate ignorance of the truth or falsity of the information, or (3) reckless disregard of the truth or falsity of the information.

The Department of Justice obtained more than $2.9 billion in settlements and judgments from civil cases involving fraud and false claims against the government in the fiscal year ending Sept. 30, 2024.   Under the FCA, government contractors or other persons violating the FCA generally are liable to pay the United States three times the government’s damages plus a penalty that is linked to inflation for knowingly submitting or causing another to submit a false claim to the government; making a false record or statement to get a false claim paid by the government; acting improperly to avoid having to pay money to the government; or conspiring to violate the FCA.  In addition to allowing the United States to pursue FCA violations on its own, the FCA allows private citizens to file “qui tam” suits on behalf of the government against violators of the FCA.  Private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery. Many Justice Department FCA and other fraud  investigations and lawsuits arise from such qui tam actions.

While the Justice Department’s announcement of the HNFS settlement did not expressly reference the Civil Cyber-Fraud Initiative, the action and statements made by Justice Department officials in connection with its announcement reflect that the Justice Department remains committed to using the False Claims Act to hold federal government health care and other contractors, subcontractors, and grant recipients accountable for failing to comply with applicable federal cybersecurity requirements.

Beginning in 2010, HNFS contracted with the DOD to provide managed healthcare support services for the TRICARE program in approximately 22 states. The support services included administrative support services, provider network development, referral management, enrollment support, and claims processing services. In 2016, Centene succeeded to these contractual obligations when it acquired all of the shares of Health Net Inc., HNFS’s corporate parent, and assumed the liabilities of HNFS. Consistent with applicable conditions for participation in the program, HNFS’s contract with the DOD required HNFS to comply with DOD data security and privacy requirements and to periodically certify that compliance.

The TRICARE contract required HNFS to “provide information management and information technology support as needed to accomplish the stated functional and operational requirements of the TRICARE program” and to adhere to certain privacy standards and cybersecurity requirements, including but not limited to 48 C.F.R. § 252.204-7012 and 51 security controls listed in the National Institute of
Standards and Technology Special Publication 800-53 (NIST 800-53), Security and Privacy Controls for Information Systems, Revision 4. The annual certification requirement included in the contract also required HNFS annually to certify both compliance with the standards and “that the security controls required by the contract are implemented correctly, operating as intended, and support the security policies of the Defense Health Agency.”

The settlement resolves DOD and Justice Department allegations that, between 2015 and 2018, HNFS failed to provide the cybersecurity controls required under its contract. Specifically, Justice Department charged that:

  • HNFS failed to timely scan for known vulnerabilities and remedy security flaws on its networks and systems, in accordance with its System Security Plan and response times established by HNFS;
  • HNFS ignored reports from third-party security auditors and its internal audit department of cybersecurity risks on HNFS’ networks and systems related to asset management; access controls; configuration settings; firewalls; end-of-life hardware and software in use; patch management (i.e., installing critical security updates released by vendors to counter known threats); vulnerability scanning; and password policies; and
  • HNFS falsely attested to DHA that it was in compliance with at least seven of the NIST 800-53 security controls listed in the NIST Compliance Certifications when it submitted those certifications to DHA

The Justice Department and DOD also charged HNFS with falsely certifying compliance with these controls in annual reports to DHA that were required under its contract to administer the TRICARE program.

As a result of these deficiencies, the Justice Department and Department of Defense claimed that HNFS’ claims for reimbursement under the Tricare contract were false, regardless of whether there was any exfiltration or loss of servicemember data or protected health information.

To resolve the alleged False Claims Act liability asserted by the government, HNFS and Centene Corporation agreed to pay $11,253,400 to the Department of Justice. The settlement agreement also expressly reserves the United States’ right to pursue any criminal charges arising from the conduct and limits HNFS and Centene from raising the settlement as a bar to any such criminal charges.

Statements made by Justice Department officials in its announcement of the HNFS settlement signal that the Justice Department remains committed to using the False Claims Act to hold government contractors and other recipients of federal funds accountable for failing to comply with cybersecurity requirements of their contracts.

The press release announcing the settlement quotes Acting Assistant Attorney General Brett A. Shumate, head of the Justice Department’s Civil Division as warning, “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”

Meanwhile, Cyber Field Office Special Agent in Charge Kenneth DeChellis of the Defense Criminal Investigative Service (DCIS), the law enforcement arm of the DoD Office of Inspector General also is quoted as stating, “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers. The U.S. taxpayers who fund these government contracts expect no less.”

Taken together with the HNFS enforcement action and resulting settlement, these statements provide a strong warning for health industry and other government contractors that their failure to comply with cybersecurity requirements in their federal contracts or grants could lead to prosecution under the False Claims Act in addition to otherwise applicable liabilities arising under HIPAA or other federal or state laws. Accordingly, health care organizations; Medicare, Medicaid, SCHIP, TRICARE and Federal Health Insurance Exchange program contractors; and other federal government contractors, subcontractors and grant recipients also should ensure their ability to defend their ongoing compliance with any data security, privacy or other federal cybersecurity requirements to guard against potential False Claims Act liability for noncompliance with these contractual responsibilities.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, and their technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about HIPAA and other protected health information, trade secret, personal information and other cybersecurity and other data and systems use, protection, andthese and other federal and state program design, contracting, quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and heath care management, internal and operational controls, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has had extensive involvement in the design, enforcement, investigation, mitigation and defense of trade secret and other information privacy and confidentiality, HRIS, claims, electronic medical records, payment, and other systems and technologies; HIPAA and other health industry, DOD,  FACTA, GLB, EU, and other data privacy and security, trade secret and other confidential information; and other information privacy and security laws, policies, practices, contracts and requirements. 

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

Author of many highly regarded compliance, training and other resources on cybercrime and other data privacy and security, health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy in these matters.  

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

[1]31 U.S.C. §§ 3729 – 3733.

Leave a Comment » | CHIP, Cyber crime, data breach, data security, Department of Defense, DOD, false claims act, Government contractor, Grant recipients, Health Care, Heath Care Exchange, HHS, HIPAA Cyber Crime, Medicaid Advantage, Medicare Advantage, TRICARE | Tagged: , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Texas Pharmacist Gets 17+ Years Prison Sentence & To Forfeit $405M in Assets For Making False Federal Health Plan & Worker’s Comp Claims

March 17, 2025

Texas pharmacist Dehshid “David” Nourian was sentenced to 17 years and six months in prison and ordered to pay over $115 million in restitution for his role in a $145 million scheme to defraud the Department of Labor by submitting fraudulent claims for prescription compound creams on February 21, 2025On March 6, the court also forfeited $405 million in assets tied to Nourian’s fraud and money laundering schemes.

According to court documents and evidence presented at trial, Nourian and others conspired to pay doctors to prescribe medically unnecessary compound creams to injured federal workers. Nourian and others owned and operated three pharmacies located in Fort Worth and Arlington, Texas. Over the course of the scheme, they paid doctors millions of dollars in illegal bribes and kickbacks for referring expensive compound medications to be filled by those pharmacies. Evidence at trial showed these compounds were being mixed in the back rooms of the pharmacies by untrained teenagers at a cost to the defendants of around $15 per prescription and then billed to the Department of Labor’s Office of Workers’ Compensation Programs (DOL-OWCP) for as much as $16,000 per prescription. Patients who received the creams testified at trial to the creams’ ineffectiveness and, in some instances, that using the creams resulted in painful, irritating skin rashes.

In less than three years, between May 2014 and March 2017, the pharmacies billed the DOL-OWCP and Blue Cross Blue Shield more than $145 million and were paid more than $90 million for unnecessary prescriptions referred by medical providers in exchange for the illegal bribes and kickbacks. Nourian and others then attempted to conceal their ill-gotten gains by laundering the money through purported holding companies and attempted to evade paying $24 million in federal income taxes on the illicit proceeds.

In November 2023, a federal jury in the Northern District of Texas convicted Nourian of one count of conspiracy to commit health care fraud, eight counts of health care fraud, one count of conspiracy to launder money, five counts of money laundering, and one count of conspiracy to defraud the United States by failing to report and attempting to evade the collection of taxes owed to the IRS.

In an order issued following Nourian’s sentencing, the court also ruled that Nourian will forfeit $405 million in seized assets tied to his crimes. Evidence at trial demonstrated that Nourian and his co-conspirators used a complex web of bank accounts and shell companies to launder their fraud proceeds, ultimately depositing tens of millions of dollars into Nourian’s and other family members’ bank and investment accounts. The forfeiture order returned that money to the taxpayers and included the forfeiture of $395 million in brokerage accounts, over $2 million in bank accounts, real estate in Dallas and Austin worth $8 million, and a BMW luxury vehicle.

The $400+ million forfeiture ordered by the court is the highest forfeiture ever obtained in a health care fraud case in the Justice Department’s history.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers and their technology and other service providers health plans and insurers, third party administrators, managed care and other health care industry clients about Medicare another healthcare quality, technology, reimbursement,compliance, enforcement, governmental affairs, dispute resolution, compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with businesses domestically and internationally on employment, benefits, Federal Sentencing Guidelines and other workforce management, regulatory and public policy and other legal and operational concerns.  

Author of many highly regarded compliance, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Health Care | Permalink
Posted by Cynthia Marcotte Stamer

$1.5 Million Warby Parker Penalty Latest Reminder Of Cyberattack HIPAA Liability Risks

March 13, 2025

The $1,500,000 civil monetary penalty (“CMP”) the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed against online prescription and nonprescription eyewear manufacturer and online retailer Warby Parker, Inc., for Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule violations warns other HIPAA-covered health care providers health plans, healthcare clearinghouses (“covered entities”) and their business associate service providers (collectively, “HIPAA Entities”) to protect electronic systems with electronic protected health information (“ePHI”) from ransomware and other hacking attacks.

HIPAA Hacking Responsibilities & Risks

The HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) set requirements that HIPAA Entities must follow to protect the privacy and security of protected health information (“PHI”).

The HIPAA Security Rule establishes national standards to protect individuals’ ePHI created, received, used, disclosed, maintained, or transmitted by a HIPAA Dntity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, availability, and security of ePHI.

OCR guidance and enforcement make clear it considers protecting ePHI from improper access, use, disclosure, and destruction of other unavailability due to ransomware and other hacking threats.

Violation of HIPAA can trigger either civil monetary penalties or criminal penalties under HIPAA. As amended by the the HITECH Act, HIPAA provides for the following civil monetary penalties for HIPAA violations:

  • A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR adjusts the CMP ranges for each penalty tier for inflation3 for violations after November 2, 2015.

Along with these potentially substantial civil penalty exposures, HIPAA’s potential criminal penalties make HIPAA compliance a required element of the Federal Sentencing Guideline Compliance programs Covered Entities and their leaders need to mitigate their exposures to organizational liability under the Guidelines. 

HIPAA breaches also generally expose HIPAA Entities and their leaders to potential liability for breach liability under federal and state electronic crimes and other data breach and security laws; Federal Trade Commission and other federal and state fraud and deceptive business laws; securities laws; Federal Sentencing Guideline and other liability for health care or other fraud and other crimes enabled by inadequate compliance or response; create licensing or ethical sanctions; create shareholder, tort or contractual liabilities; trigger public company disclosure and executive compensation clawback responsibilities; and a host of other legal, operational and business partner and public relations headaches.

Warby Parker’s Hard Lesson

Warby Parker is the latest in a fast-mounting list of HIPAA Entities nailed for hacking-related HIPAA breaches

The $1.5 million Warby Parker civil money penalty announced February 20, 2025 resulted from an OCR investigation of a December 2018 breach report of a hacking incident involving customer accounts filed by Warby Parker. The report stated that in November 2018, Warby Parker became aware of unusual, attempted log-in activity on its website. Warby Parker reported that between September 25, 2018, and November 30, 2018, unauthorized third parties gained access to Warby Parker customer accounts by using “credential stuffing.” Hackers used usernames and passwords obtained from other, unrelated websites that were presumably breached to access the Warby Parker data.

In September 2020, Warby Parker filed an addendum to its December 2018 breach report, updating the number of individuals affected by the breach to 197,986.

The compromised ePHI included customer names, mailing addresses, email addresses, certain payment card information, and eyewear prescription information.

Warby Parker also filed subsequent breach reports (each breach report affecting fewer than 500 persons) in April 2020, and June 2022, following similar attacks.

OCR’s investigation of the breach reports found evidence of three violations of the HIPAA Security Rule. These included:

  • Failure to conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker’s systems;
  • Failure to implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and
  • Failure to implement procedures to regularly review records of information system activity.

Based on these findings, OCR’s Notice of Final Determination imposed a $1,500,000 civil money penalty.

Ransomware & Other Hacking Now OCR #1 HIPAA Enforcement Priority

All HIPAA Entities should learn from the costly lessons of Warby Parker and the many other HIPAA Entities sanctioned or awaiting their consequences for hacking incidents and consult with qualified legal counsel for assistance in conducting an assessment of the adequacy of their current compliance.

Hacking, ransomware and other cyberattacks collectively and individually account for the breaches of ePHI affecting the largest number of individuals by far and away.

OCR announced various other hacking or other cyberattack related large breaches intermittently across the years.

Hacking-related HIPAA investigations and enforcement actions date back to the 2015 hacking breach at Premera Blue Cross that impacted more than 10.4 million individuals’ records and led to Premera paying OCR $6.85 million to settle resulting OCR HIPAA charges.

After periodically warning HIPAA Entities to address ransomware and hacking through its announcement of occasional hacking-related breach enforcement actions and other guidance, epidemic ransomware and other large scale cyber breaches targeting UnitedHealthcare subsidiary Change Health, Ascension Health, and many other large health care and health insurance organizations prompted OCR to identify HIPAA Security Rule breaches involving ransomware and other cyberattacks a top prevention, investigation and enforcement priority. Since then, the list of HIPAA entities paying OCR civil monetary penalties or settlements to resolve cyberattack related HIPAA charges has quickly and steadily grown. with the number of cyber attacks, impacting HIPAA entities accelerating, the number and magnitude of penalties assessed will only grow.

OCR has published a long list of guidance and alerts to help HIPAA Entities fulfill their HIPAA duties to safeguard their ePHI from ransomware and other cyberattacks and resulting HIPAA liabilities.

Among other things, OCR recommends that HIPAA Entities take the following steps to mitigate or prevent cyber-threats:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems;
  • Integrate risk analysis and risk management into the organization’s business processes;
  • Ensure that audit controls are in place to record and examine information system activity;
  • Implement regular reviews of information system activity;
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI;
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate;
  • Incorporate lessons learned from incidents into the organization’s overall security management process; and
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

OCR regulations, resolution agreements, civil monetary penalty, assessments, also make clear HIPAA Entities must carefully document their original risk assessments, their timely monitoring and response to new threats, the analysis underlying their risk assessments and response, and other critical details and be prepared to produce that risk assessment in the event of an OCR investigation or audit.

This guidance also reflects HIPAA Entities should capture their ongoing use of appropriate procedures to monitor and respond to signs of threat or compromise to their own systems as well as OCR and other agency and industry alerts about emerging threats and susceptibilities as part of their ongoing risk assessment and response process.

Given the high threat environment and the growing HIPAA and other liabilities that commonly follow a cyberattack breach, HIPAA entities and their leaders should consider the advisability of conducting these assessments and any known or suspected breach investigation and response with the benefit of guidance from HIPAA experienced legal counsel within the scope of attorney-client privilege

HIPAA entities also should ensure appropriate plans and resources to investigate and respond to any breach that might occur promptly. Most entities will want to secure liability insurance coverage as well as require suitable credential information, indemnification, insurance and other assurances from their business associates and other vendors with access to systems or data that includes electronic PHI.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, health plans and insurers, third party administrators, managed care and other health care payers and providers, technology, and other businesses about crisis preparedness and response and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

For HIPAA Help or Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications including leading-edge work on crisis preparedness, response and recovery.

Author of many highly regarded compliance and risk management tools, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Academic medicine, ambulance, business associate, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data security, Electronic Health Records, Emergency Care, Employee Benefits, GINA, Health Care, Health Care, Health Care Finance, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HIPAA, HIPAA Cyber Crime, HITECH Act, home health, Hospital, Medicaid, NIST, Physician, Physician Licensing | Permalink
Posted by Cynthia Marcotte Stamer