HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Cadia Healthcare pays settlement after posting patient stories without consent

Written by Kirsten Peremore | Oct 3, 2025 10:44:37 PM

In September 2021, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) received a complaint alleging that Cadia Healthcare Facilities, a group of five rehabilitation, skilled nursing, and long-term care providers in Delaware, had impermissibly disclosed a patient’s protected health information (PHI) on its public-facing website.


What happened 

OCR’s investigation confirmed that Cadia had posted the patient’s name, photograph, and details about the patient’s medical condition, treatment, and recovery in the form of a ‘success story’ without first obtaining the patient’s valid, written HIPAA authorization. Further review revealed that between 2021 and 2025, Cadia Healthcare Facilities had posted the PHI of a total of 150 patients across its websites as part of its ‘success story’ program, again without obtaining legally required authorizations. 

OCR determined that Cadia had impermissibly disclosed PHI, had failed to maintain appropriate safeguards, and had not provided breach notifications to the affected individuals as the HIPAA Breach Notification Rule requires. On September 30, 2025, OCR announced a settlement with Cadia Healthcare Facilities that included a payment of $182,000, a two-year corrective action plan, and mandatory steps such as revising policies, training workforce members (including marketing staff), and notifying every individual whose PHI had been improperly disclosed.


What was said

According to OCR Director Paula M. Stannard, “The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure. Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”


Why it matters 

The Cadia disclosures were not the work of an outside attacker. The PHI was published by the organization's own marketing program, repeatedly over four years, with no check that a valid written authorization existed before each post. Incidents like this are an insider problem rather than an intrusion: according to the Carnegie Mellon University Software Engineering Institute (CMU SEI), more than half of insider fraud incidents in the healthcare sector involve the theft of customer data, and careless insiders cause harm without any fraud at all. Security practitioners stress that training alone cannot eliminate human error, which is why automated safeguards, such as a mandatory authorization check before any patient content goes live, are necessary alongside workforce training.



FAQs

What is an insider threat?

An insider threat occurs when a person within an organization, such as an employee, contractor, or business partner, misuses their authorized access to harm the organization’s systems, data, or reputation.


Who can be considered an insider?

Insiders include anyone with legitimate access to an organization’s systems or facilities. This may include full-time staff, temporary workers, contractors, vendors, or even former employees who still have access rights.


What motivates insider threats?

Motivations can vary. Some insiders act out of financial gain, revenge, or coercion by outsiders. Others may unintentionally cause harm due to negligence, lack of training, or falling victim to phishing and social engineering.