Hacker News
by kevinmershon 606 days ago
So would this count as 1 instance or 100M instances of HIPAA violations? Last I checked the penalty is $50k per violation...
4 comments

Seriously. From what I've learned United needs the axe more than many corporations. Somewhere below Nestle, but above BP maybe?
It’s *up to* 50k per violation. Like most large scale violations of anything, it’s effectively “we’ll fine whatever we want”.
First it would have to be proven that data is leaked. Each proven leak is worth $50k. Mass leak is a compromise of data security. And that comes under a different classification.
Does getting data stolen through no fault of your own count as a HIPAA violation? If negligent security counts, what's the bar?
It does, actually. There are four tiers [0], with unknowing violation at the bottom, followed by reasonable cause. Personally I’d place this at least at the reasonable cause tier.

[0]: https://www.ama-assn.org/practice-management/hipaa/hipaa-vio...