Cadia Healthcare reaches settlement for improper patient disclosures

On September 30, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), led by Director Paula M. Stannard, announced a settlement with five Delaware-based providers operating as Cadia Healthcare Facilities after confirming they unlawfully disclosed patients’ protected health information online.


What happened

The case began in September 2021 when OCR received a complaint alleging that Cadia posted patient details on its public website as part of a “success story” campaign without first obtaining a valid HIPAA authorization. OCR’s investigation later revealed that Cadia had posted the PHI of approximately 150 patients across its websites and social media accounts, again without proper consent, and had not issued breach notifications to those affected.

As part of the settlement, Cadia agreed to pay $182,000, implement a corrective action plan monitored by OCR for two years, retrain staff (including marketing personnel), and notify all individuals whose PHI had been improperly shared.


What was said

According to OCR Director Paula M. Stannard, “The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure. Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”


The bigger picture

Unlike high-profile cases such as Solara Medical Supplies, where a phishing attack exposed over 114,000 patient records and resulted in a $3 million OCR penalty and a $9.76 million class-action settlement, Cadia’s violation stemmed from improper public disclosure of approximately 150 patients’ photos and medical details on its website and social media “success story” pages.

Yet even without a cybersecurity component or massive data loss, Cadia still paid $182,000 and entered a two-year corrective action plan, reinforcing OCR’s message that impermissible disclosures and marketing misuse of PHI are enforcement priorities, not just hacking incidents. In 2025, OCR demonstrated a similar stance across the enforcement spectrum: Vision Upright MRI in California received a $5,000 fine plus two years of monitoring for failing to secure a medical imaging server that exposed more than 21,000 patients’ PHI.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

What counts as a healthcare data breach?

A healthcare data breach happens when protected health information is accessed, used, or disclosed without authorization, whether through hacking, accidental release, or improper sharing, such as posting patient stories online without valid consent.


Do small breaches still lead to penalties?

Yes. Even breaches affecting a small number of patients can lead to fines and corrective action plans.


How can healthcare providers prevent data breaches?

Strong access controls, encryption, employee training, authorization management (verifying a valid, written HIPAA authorization exists before any PHI is published), and routine risk assessments help reduce the risk of leaks.