OCR Reaches HIPAA Settlement with Cadia Healthcare Facilities Over Alleged HIPAA Privacy and Breach Notification Rule Violations

On September 30, 2025, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced a settlement with five affiliated health care providers collectively known as Cadia Healthcare Facilities (“Cadia”) for potential violations of the HIPAA Privacy and Breach Notification Rules.

The OCR investigation followed a complaint that Cadia had impermissibly disclosed a patient’s protected health information (“PHI”), including the individual’s name, photograph, and details about their treatment and recovery, by posting the information as part of a “success story” on its website.

The investigation confirmed that Cadia published the patient’s PHI without a valid, written HIPAA authorization and had similarly disclosed the PHI of approximately 150 patients through other “success story” posts. OCR determined that Cadia violated the Privacy Rule by impermissibly disclosing PHI and failing to implement adequate safeguards, and the Breach Notification Rule by not notifying affected individuals.

To resolve the matter, Cadia agreed to pay $182,000 and implement a two-year corrective action plan monitored by OCR. The plan requires the facilities to:

  • Review and update HIPAA policies and procedures.
  • Provide workforce training, including for marketing staff.
  • Notify all affected individuals whose PHI was posted online or in marketing materials without valid authorization.

This case demonstrates that OCR remains active in enforcing HIPAA requirements, including the Privacy, Security and Breach Notification Rules.
