Cadia Healthcare Facilities settles allegations that it violated HIPAA, underscoring the need for strict privacy safeguards and staff training before sharing patient information online.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a $182,000 settlement with Cadia Healthcare Facilities, a group of skilled nursing and rehabilitation providers in Delaware, for potential violations of federal patient privacy rules.
The agreement resolves allegations that Cadia Healthcare improperly disclosed patients’ protected health information (PHI) on its public website as part of a marketing campaign that featured patient “success stories.” OCR said the provider posted names, photos, and details about patient conditions, treatments, and recoveries without obtaining written authorization from the individuals involved.
An investigation began in September 2021 after a complaint alleged the unauthorized disclosure of one patient’s information. OCR later determined that PHI for 150 patients had been posted online without consent.
Under the settlement, Cadia Healthcare must implement a corrective action plan and will be monitored by OCR for two years. The organization is required to revise its privacy and breach notification policies, train staff—including marketing personnel—on HIPAA compliance, and notify affected patients that their data was exposed.
“The internet and social media are important business development tools,” said OCR Director Paula M. Stannard in a statement. “But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure. Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI.”
OCR said Cadia Healthcare lacked adequate safeguards to protect PHI and failed to provide required breach notifications.
The case highlights the risks healthcare organizations face when using patient information in marketing or social media without proper authorization. HHS urged covered entities to review policies to ensure compliance with the HIPAA Privacy and Breach Notification Rules.