No, you cannot sue directly under HIPAA itself, because the Health Insurance Portability and Accountability Act does not give patients a private right of action. That means the statute you are probably searching for is not the statute that will get you a check. Federal courts, starting with cases like Acara v. Banks, have repeatedly held that only the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services can enforce HIPAA.
But that is not the end of the story. Patients routinely win money for medical privacy breaches by using state laws like California’s Confidentiality of Medical Information Act, Texas HB 300, New York’s SHIELD Act, and common-law theories like negligence, invasion of privacy, and breach of fiduciary duty. The U.S. Department of Health and Human Services reported that more than 168 million people were affected by healthcare data breaches in 2023 alone, the largest year on record, so the pool of potential plaintiffs is enormous.
In this guide, you will learn:
- ⚖️ Why HIPAA itself blocks direct lawsuits, and the exact workaround courts accept
- 🏛️ Which state laws and common-law claims give you a real path to damages
- 💰 Realistic settlement ranges, from small nosy-employee cases to nine-figure class actions
- 📝 How to file an OCR complaint, preserve evidence, and meet the 180-day deadline
- 🚫 The seven most common mistakes that kill otherwise strong HIPAA breach cases
The Core Rule: HIPAA Has No Private Right of Action
HIPAA is a federal law passed in 1996 that sets national standards for protecting health information. The rule that matters most for lawsuits is simple: Congress did not write a section that lets you, the patient, sue a hospital or insurer directly under HIPAA. That missing section is called a private right of action, and every federal appellate court to look at the question has confirmed it does not exist in HIPAA.
The consequence is direct. If you walk into federal court and file a complaint that says “Defendant violated HIPAA, pay me damages,” a judge will dismiss your case within weeks. The Fifth Circuit in Acara v. Banks and the Eleventh Circuit in Sneed v. Pan American Hospital both ruled that way. A direct HIPAA suit therefore ends in dismissal, plus possible sanctions if your attorney should have known better.
A common misconception is that the HITECH Act of 2009 changed this. It did not. HITECH boosted penalties that OCR can impose and created the Breach Notification Rule, but it still routes enforcement through the federal government, not private plaintiffs. A patient named Maria who learns her gynecologist’s office emailed her records to the wrong person cannot file a federal HIPAA suit. Maria can, however, file an OCR complaint and a state-law lawsuit, and that is the path every successful plaintiff takes.
The practical effect is that HIPAA becomes a standard of care, not a cause of action. Lawyers use HIPAA’s rules to show what a reasonable healthcare provider should have done, then plug that standard into a state-law negligence claim. This move is called negligence per se or HIPAA as the standard of care, and it is the engine behind almost every winning patient privacy case in the United States.
Who Can Be Sued for a Medical Privacy Breach
The universe of defendants is wider than most patients realize. HIPAA applies to covered entities, which include health plans, healthcare clearinghouses, and most healthcare providers who transmit data electronically. It also applies to business associates, which are vendors that handle protected health information on behalf of a covered entity. Both groups can be sued under state law when a breach happens.
Covered Entities
Covered entities are the front-line defendants. Hospitals, doctor’s offices, dentists, pharmacies, health insurers, and HMOs all qualify. When a covered entity lets your records leak, you can pursue it under state negligence law using HIPAA as the standard of care. The consequence of a data leak for a covered entity often includes OCR fines, state attorney general penalties, and class-action settlements.
Consider James, a veteran whose mental health records were mailed to his employer by mistake. The hospital is a covered entity, so James can file an OCR complaint and sue under his state’s negligence and invasion-of-privacy laws. A common misconception is that only hospitals qualify; in reality, solo dental practices and small chiropractic offices are equally on the hook.
Business Associates
Business associates include billing companies, cloud storage vendors, shredding services, and IT contractors. After HITECH, business associates face direct OCR liability, and they also face state-law claims from patients. The 2023 MOVEit supply-chain breach hit dozens of healthcare business associates and triggered hundreds of class actions.
If a billing vendor named DataCare loses a laptop with 50,000 patient records, the patients can sue DataCare directly. The consequence for the business associate is often a larger settlement share than the hospital itself, because the vendor caused the actual breach. Many patients mistakenly believe they can only sue the hospital; suing the vendor is usually the better move.
Rogue Employees and Third Parties
Rogue employees are a special case. A nurse who peeks at a celebrity’s chart, or a billing clerk who sells records on the dark web, can be personally sued and criminally prosecuted under 42 U.S.C. § 1320d-6. The employer is also usually liable under the doctrine of respondeat superior.
Take the example of Priya, whose coworker at a clinic pulled up her STD results out of curiosity. Priya can sue the coworker personally and the clinic as employer. The consequence for the snooping employee can include termination, criminal charges up to 10 years in prison, and personal civil liability. A common misconception is that “the hospital did not authorize it, so they are not liable,” but employers are almost always on the hook for employee snooping that occurs on the job.
State Laws That Give You a Private Right of Action
Because HIPAA blocks direct suits, state law does the heavy lifting. Every state has some combination of medical privacy statutes, data breach notification laws, and consumer protection acts that can be used against a covered entity.
California CMIA
The Confidentiality of Medical Information Act gives California patients a statutory right to sue for $1,000 per violation in nominal damages, plus actual damages and attorney fees. No proof of harm is required for the nominal amount. The consequence for a California hospital that leaks 10,000 records can be $10 million in statutory damages before any actual harm is counted.
Patients like Marcus, whose UCLA Medical Center records were viewed without cause, have used CMIA to win class-action settlements. A common misconception is that CMIA only applies to doctors; it also reaches insurers, contractors, and corporations that receive medical information.
Texas HB 300
Texas House Bill 300 expanded HIPAA-style protections and gave the Texas Attorney General authority to impose civil penalties up to $1.5 million per year per covered entity. Texas also allows private deceptive-trade-practices claims through the Texas DTPA.
The consequence for a Texas clinic that mishandles records can include AG fines and a patient lawsuit on the same set of facts. A common misconception is that Texas is a “light touch” state; HB 300 is actually stricter than HIPAA in several places, including the training requirement.
New York SHIELD Act
The Stop Hacks and Improve Electronic Data Security Act requires reasonable security safeguards and expands breach-notification duties. While SHIELD itself does not have a clean private right of action, patients pair it with New York’s GBL § 349 consumer protection statute and common-law negligence.
A New York patient named Sarah whose fertility clinic leaked her IVF records used GBL § 349 and common-law negligence to reach a settlement. The consequence of ignoring SHIELD is both AG enforcement and indirect exposure to private suits.
Illinois and Other Key States
Illinois offers several paths, including the Biometric Information Privacy Act for fingerprint or face-scan data in healthcare settings, and strong common-law invasion-of-privacy doctrine. Florida, Washington, and Connecticut also have patient-friendly regimes. The patchwork matters: your zip code often decides whether you have a slam-dunk case or an uphill fight.
Common-Law Theories That Work
Even without a specific state statute, patients use centuries-old tort theories to get relief. Each theory has its own elements and consequences.
Negligence and Negligence Per Se
Negligence means the defendant breached a duty of care and caused you harm. HIPAA sets the duty. If a hospital fails to encrypt its laptops and a thief grabs one, the hospital breached the HIPAA Security Rule, and that failure is treated as a breach of the duty of care. The Connecticut Supreme Court in Byrne v. Avery Center formally recognized HIPAA as the standard of care for negligence claims.
The consequence is that plaintiffs do not have to prove the standard from scratch. A common misconception is that negligence requires a “major” harm; in many states, even anxiety and time spent on credit monitoring now count after certain rulings.
Invasion of Privacy
Four sub-torts exist: intrusion upon seclusion, public disclosure of private facts, false light, and appropriation. Medical breach cases usually fit intrusion upon seclusion or public disclosure. The Restatement (Second) of Torts § 652 lays out the elements.
An example is Dr. Lee’s dental assistant who posted a patient’s panoramic x-ray to TikTok. That is intrusion and public disclosure. The consequence is emotional distress damages and, in some states, punitive damages. A common misconception is that you need to be famous; ordinary patients regularly win these cases.
Breach of Fiduciary Duty and Breach of Contract
Doctors and hospitals owe fiduciary duties to patients. A breach of that duty can trigger damages independent of negligence. Many patient-intake forms also include promises to keep data confidential, turning the relationship into a contract.
The consequence of stacking fiduciary and contract claims is broader damages and sometimes a longer statute of limitations. A common misconception is that “I didn’t sign a contract” defeats the claim; intake forms, privacy notices, and even websites can form the contract.
Three Breach Scenarios and Their Likely Outcomes
The scenarios below show how the same core facts shift depending on the type of breach and the defendants involved.
| Breach Situation | Likely Legal Outcome |
|---|---|
| A nurse snoops on her ex-boyfriend’s HIV records at the hospital | Hospital liable under respondeat superior, nurse personally liable, OCR fine, possible criminal charges, state-law invasion-of-privacy damages |
| Ransomware gang steals 500,000 patient records from a health system | Class action under state negligence law, statutory damages in states like California, OCR Resolution Agreement often in the $1M-$15M range |
| Meta Pixel on a hospital patient portal sends data to Facebook | Wiretap Act claims, state privacy statutes, class settlements seen in the $1M-$100M range in recent tracking-pixel cases |
Real Case Examples and Named Plaintiffs
Case law is where theory meets the real world. These rulings and settlements are the backbone of modern medical privacy litigation.
Byrne v. Avery Center for Obstetrics
In Byrne v. Avery Center, the Connecticut Supreme Court held that HIPAA does not preempt state negligence claims and that HIPAA can define the standard of care. The case involved a clinic that released Emily Byrne’s records to her ex-boyfriend’s attorney in a paternity suit.
The consequence was enormous: courts across the country cite Byrne to let patients use HIPAA as the yardstick for negligence. A common misconception is that federal preemption blocks state privacy cases; Byrne rejected that view.
Dinerstein v. Google
In Dinerstein v. Google, the Seventh Circuit dismissed a class action over the University of Chicago Medical Center’s data-sharing deal with Google because the plaintiff could not show a concrete injury. Matt Dinerstein’s case remains the leading authority that no harm equals no standing in federal court.
The consequence is that patients must show something beyond theoretical risk to win in federal court post-TransUnion v. Ramirez. A common misconception is that every leak equals a viable case; you still need an injury or a statute that grants automatic damages.
Anthem and Premera Settlements
The Anthem breach settlement reached $115 million, and the Premera Blue Cross settlement hit $74 million. Both involved hacking incidents that exposed tens of millions of records.
The consequence for large health plans is clear: a single breach can produce nine-figure payouts. A common misconception is that only “harmed” plaintiffs share in the money; in these class deals, credit monitoring and nominal cash payments went to every class member.
Recent Meta Pixel and Tracking Technology Cases
Advocate Aurora Health paid $12.225 million to settle claims that its website used tracking pixels to send patient data to Facebook and Google. Dozens of hospitals have faced similar suits after the OCR’s 2022 bulletin on online tracking.
The consequence is a whole new litigation front. A common misconception is that aggregated or anonymized tracking data is safe; OCR treats IP address plus health-page content as protected health information in many cases.
How to Take Action After a Breach
If you think your records have been exposed, act fast. Procedural deadlines are short, and evidence disappears.
Step 1: Preserve and Document
Save every letter, email, and notice. Take screenshots of web-portal messages. Write a short timeline while memory is fresh. The consequence of losing documents is a weaker case and lower settlement value.
Step 2: File an OCR Complaint
Use the OCR Complaint Portal within 180 days of when you knew, or should have known, about the breach. OCR can extend the deadline for good cause, but do not count on it. The consequence of missing the 180-day window is that OCR will not investigate, though you can still pursue state claims.
Step 3: Notify Your State Attorney General
Most states allow or invite patient complaints to the AG. The National Association of Attorneys General directory links to every office. The consequence of AG involvement is often faster investigation and a public enforcement action that supports your private case.
Step 4: Talk to a Plaintiffs’ Privacy Lawyer
Most privacy attorneys work on contingency, meaning no fee unless you win. Ask about HIPAA standard-of-care strategy, class-action potential, and fee arrangements. The consequence of going it alone is usually a much smaller result. A common misconception is that you need money upfront; contingency fees are the norm.
Step 5: Watch the Statute of Limitations
State statutes of limitations for privacy claims typically run from one to six years. In California, the CMIA limit is generally two years. The consequence of missing the clock is complete loss of the claim, even on perfect facts.
Damages You Can Recover
Damages fall into several buckets, and most plaintiffs seek a combination.
Actual and Economic Damages
These include identity-theft losses, lost wages from dealing with the breach, and the cost of credit monitoring. The Federal Trade Commission’s identity theft resource tracks typical recovery costs. The consequence of documenting every expense is a higher settlement figure.
Statutory Damages
Statutes like California CMIA set fixed amounts per violation. A single mail misdirection exposing 5,000 patients at $1,000 per person equals $5 million in statutory exposure. The consequence for defendants is massive pressure to settle class cases quickly.
Emotional Distress and Non-Economic Damages
Anxiety, humiliation, and loss of trust can be compensable, especially when records involve mental health, HIV, substance abuse, or reproductive care. The consequence of strong emotional distress proof is often a doubled or tripled settlement.
Punitive Damages
Reserved for egregious conduct, like a hospital that ignored known security holes. The U.S. Supreme Court’s ruling in State Farm v. Campbell capped most punitives at a single-digit multiplier of compensatory damages. The consequence is that punitives can turn a modest verdict into a headline number.
Mistakes to Avoid
Even strong cases die from avoidable errors. Dodge the pitfalls below.
- Filing in federal court under HIPAA only. The case will be dismissed, and you may owe the defendant’s fees in some circuits.
- Waiting past the 180-day OCR window. Missing the deadline shuts the federal complaint door and signals to courts that the breach did not concern you.
- Posting about the breach on social media. Defense lawyers screenshot everything, and loose posts undercut emotional distress claims.
- Signing the breach-notification settlement offer without counsel. The $25 gift card often includes a release of all claims, even million-dollar ones.
- Throwing away breach letters. Those letters are the single best piece of evidence of notice, timing, and scope.
- Ignoring state statutes of limitations. Each claim has its own clock, and courts do not toll them for ignorance of the law.
- Suing only the hospital, not the vendor. The business associate often has separate insurance and deeper pockets for the specific breach.
- Assuming small breaches are not worth pursuing. Statutory damages and class aggregation turn small breaches into major cases.
- Failing to request your HIPAA accounting of disclosures. The accounting is free and shows who touched your records.
Do’s and Don’ts
Smart moves and clear traps, side by side.
Do’s
- Do file the OCR complaint early, because OCR records often trigger the provider’s insurance to reserve funds.
- Do request your full medical records under the HIPAA Right of Access, since gaps reveal unauthorized viewing.
- Do freeze your credit at all three bureaus to limit identity-theft damages and strengthen mitigation.
- Do keep a written log of every phone call, letter, and symptom of stress, because contemporaneous notes beat courtroom memory.
- Do consult a specialized privacy attorney, because general personal-injury lawyers often miss statutory-damage tools like CMIA.
Don’ts
- Don’t sign any release from the breached entity without legal review, since releases often extinguish class-action rights.
- Don’t post breach details online, because public posts can destroy the “private facts” element of an invasion-of-privacy claim.
- Don’t delete emails or texts about the breach, since spoliation can sink an otherwise strong case.
- Don’t assume HIPAA is the only law, because state laws usually provide the actual path to money.
- Don’t skip credit monitoring even if it feels useless; courts view unused monitoring as failure to mitigate damages.
Pros and Cons of Suing for a Medical Privacy Breach
Weighing the trade-offs helps set expectations before you commit.
Pros
- You can force systemic change, because lawsuits often drive encryption upgrades and better training.
- Statutory damages create leverage, letting small individual harms aggregate into real settlements.
- Contingency fees reduce risk, because most privacy lawyers work without upfront cost.
- Discovery exposes the truth, revealing how many people saw your records and why.
- Class actions spread the cost, since one lead plaintiff can vindicate thousands of others.
Cons
- Litigation takes years, often three to five, from filing to settlement.
- Federal standing is tough after TransUnion v. Ramirez, especially for data-exposure-only cases.
- Emotional toll is real, because depositions force you to relive the breach.
- Recoveries in class cases can be small, sometimes under $100 per class member after fees.
- Defendants fight hard, because insurers know a loss invites copycat suits.
Key Entities to Know
These are the players you will encounter at every step.
- Office for Civil Rights: The federal HIPAA cop inside HHS that investigates complaints and imposes fines.
- HHS Office of Inspector General: Pursues criminal HIPAA cases under 42 U.S.C. § 1320d-6 alongside the Department of Justice.
- State Attorneys General: Have HITECH-granted power to sue providers for HIPAA violations on behalf of residents.
- Federal Trade Commission: Enforces the Health Breach Notification Rule against non-HIPAA health apps like fitness trackers.
- American Health Information Management Association: Sets industry standards often used by courts to define reasonable practices.
- National Association of Insurance Commissioners: Coordinates state oversight of health insurer privacy practices.
Forms and Process Walkthrough
The OCR complaint form is the single most important document patients file. It lives on the HHS portal, and every line item matters.
- Complainant information: Use your legal name and a stable address, because OCR mails decisions.
- Covered entity information: Use the correct legal name, not a DBA, or the complaint will be misrouted.
- Description of acts: Stick to facts and dates, because legal arguments slow down investigators.
- Date of incident: Required for the 180-day computation; if unknown, use the date of the breach letter.
- Requested relief: Patients often ask for corrective action, employee discipline, and referral to OCR’s audit team.
- Authorization for release: Signing lets OCR share the complaint with the provider, which is usually required to investigate.
After filing, OCR opens a case number and may close, investigate, or refer the complaint. The consequence of a referral to DOJ is a possible criminal case. A common misconception is that OCR will pay you; OCR only enforces public-interest penalties, so civil recovery still requires a state lawsuit.
Recent Rulings That Shape Today’s Cases
Recent federal and state decisions have sharpened the rules.
- In TransUnion LLC v. Ramirez, the Supreme Court limited federal standing, pushing many privacy cases into state courts.
- In In re Meta Pixel Healthcare Litigation, a California federal court allowed Wiretap Act claims to proceed against Meta for receiving health-page data.
- In Cotter v. Checkers Drive-In Restaurants, courts reinforced that breach-notice letters alone do not cure a breach.
- In Doe v. Guthrie Clinic, the Second Circuit limited vicarious liability for rogue employees under New York law, highlighting how state choice matters.
- In Acosta v. Byrum, a North Carolina court used HIPAA as the standard of care in a negligence claim against a psychiatrist’s office.
The consequence of this evolving landscape is that forum choice, pleading strategy, and class structure now drive outcomes as much as the underlying facts.
FAQs
Can I sue my doctor directly under HIPAA?
No. HIPAA has no private right of action. You must use state negligence, privacy, or consumer-protection laws, often citing HIPAA as the standard of care.
Can I recover money if my records were viewed but not stolen?
Yes. Many states, especially California under CMIA, provide statutory damages for unauthorized viewing even if the records were never used for harm.
Can I sue for emotional distress after a HIPAA breach?
Yes. Emotional distress is compensable under invasion-of-privacy and negligent-infliction theories, especially when records involve mental health, HIV, or reproductive care.
Can I file an OCR complaint and a lawsuit at the same time?
Yes. The two tracks are independent, and OCR findings can support your civil case. Filing both is standard practice among experienced privacy attorneys.
Can my employer be sued if an employee snooped on my records?
Yes. Under respondeat superior, employers are usually liable for employee actions taken in the course of employment, including unauthorized record access.
Can a business associate vendor be sued directly?
Yes. Since the HITECH Act, business associates face direct liability to OCR and are regularly named as defendants in state-law privacy class actions.
Can I sue over tracking pixels on a hospital website?
Yes. Recent cases like In re Meta Pixel Healthcare Litigation show that Wiretap Act and state-privacy claims over tracking technologies are moving forward.
Can I still sue if I only got a breach-notification letter and no harm?
Yes. State courts often accept the risk of harm or statutory damages as enough, though federal standing after TransUnion v. Ramirez requires more concrete injury.
Can I sue if the breach happened years ago?
No. Statutes of limitations usually run one to six years depending on the state and theory, and untimely claims are dismissed regardless of the merits.
Can I join a class action if one is already filed?
Yes. Class members are typically included automatically and receive a notice explaining opt-out rights and claim-submission deadlines.
Can OCR force the provider to pay me directly?
No. OCR collects civil money penalties that go to the U.S. Treasury, not to individual patients, so direct recovery requires a separate lawsuit.
Can I sue if the breach involved paper records instead of electronic ones?
Yes. HIPAA and state medical-privacy laws cover paper, oral, and electronic protected health information equally, and misrouted mail is a common claim.