State Attorney General HIPAA Enforcement: Fines, Active States & Real Cases

Last updated: 2026-04-05 — ComplianceStack Editorial Team

Before the HITECH Act (2009), only the federal government could enforce HIPAA. HITECH changed that: under 42 U.S.C. § 17951, state attorneys general gained concurrent enforcement authority to bring civil actions on behalf of their state's residents for HIPAA Privacy and Security Rule violations. State AG penalties are capped at $100 per affected person per violation per calendar year, with an annual maximum of $25,000 per violation category. These caps apply in addition to HHS OCR penalties — a covered entity can face simultaneous OCR enforcement and multi-state AG actions for the same breach. Six states (New York, Connecticut, Massachusetts, California, Texas, and Indiana) have filed the most HIPAA-related AG enforcement actions.

Regulatory Authority: 42 U.S.C. § 17951 (HITECH state AG enforcement authority); 45 CFR §§ 164.400–414 (Breach Notification Rule); 45 CFR Parts 160–164 (HIPAA Privacy and Security Rules)

Penalty Tier Breakdown

State AG Civil Penalty — Per Violation

$100 per individual per violation
Annual max: $25,000 per violation category per calendar year

State AGs calculate penalties at $100 per resident whose PHI was impermissibly disclosed or whose rights were violated, per violation category. A single breach can generate separate violation counts for Privacy Rule failures, Security Rule failures, and Breach Notification Rule failures — each subject to its own $25,000 annual cap. The HITECH cap applies per state, so multi-state enforcement (where multiple AGs join a coordinated action) can multiply the total AG exposure.

Example: A health insurer's breach affects 85,000 New York residents. The NY AG pursues one Privacy Rule violation ($25,000 cap), one Security Rule violation ($25,000 cap), and one Breach Notification violation ($25,000 cap). Total NY AG exposure: $75,000, plus parallel HHS OCR action.

Multi-State Coordinated AG Action

$25,000 per violation category per state per year
Annual max: Stacks per participating state; 50 states = up to $1.25M per violation category

Multiple AGs can coordinate enforcement for a single breach affecting residents in multiple states. Each state AG operates under its own $25,000 annual cap per violation category, making the aggregate multi-state exposure potentially significant. The National Association of Attorneys General (NAAG) facilitates coordination. Multi-state settlements often include mandatory corrective action plans, breach notification improvements, and ongoing compliance monitoring.

Example: A data breach at a national health plan affects residents in 22 states. A coordinated AG action involving all 22 states results in a $2.2M aggregate settlement ($100,000 per state across multiple violation categories), plus OCR civil money penalties and required corrective actions.

State AG — Injunctive Relief

Equitable relief; no fixed monetary cap
Annual max: Court-ordered; may include extensive compliance requirements

Beyond monetary penalties, state AGs can seek injunctive relief under 42 U.S.C. § 17951(b) — court orders requiring covered entities to implement specific compliance measures. Injunctive actions have required entities to: implement multi-factor authentication, conduct workforce HIPAA training, retain independent HIPAA compliance monitors for 3–5 years, and provide free credit monitoring to affected individuals. These compliance costs often exceed the nominal AG monetary penalties.

Example: Following a breach affecting 40,000 state residents, the AG secures a consent decree requiring the covered entity to hire an independent HIPAA monitor for 3 years ($600,000 estimate), implement encryption across all portable devices, and conduct annual security risk assessments — costs far exceeding the $75,000 in monetary penalties.

State Privacy Law Parallel Action

Varies by state; California: up to $7,500/intentional violation under CCPA
Annual max: No federal cap; governed by state law

Several states have enacted privacy laws that overlap with HIPAA, allowing AGs to pursue both HIPAA enforcement (capped at $25,000/year) and separate state law claims with potentially higher penalties. California's CPRA/CCPA applies to health information not otherwise covered by HIPAA. New York's SHIELD Act applies to breaches of 'private information.' Texas imposes separate data breach notification requirements. These parallel state claims are not subject to the HITECH $25,000 cap.

Example: A covered entity's breach involves PHI and employee personal data. The California AG pursues: HIPAA enforcement ($25,000/category), CCPA enforcement for employee data ($7,500/intentional violation × multiple violations), and California Confidentiality of Medical Information Act (CMIA) claims — total AG exposure exceeds $500,000.

How Penalties Are Calculated

State AG HIPAA penalties are calculated under 42 U.S.C. § 17951 as $100 per individual per violation per calendar year, capped at $25,000 per violation category per year. 'Violation category' means each distinct HIPAA provision violated — e.g., Security Rule failure to conduct a risk analysis (§ 164.308(a)(1)) and Breach Notification Rule failure (§ 164.402) are two separate violation categories, each with its own $25,000 cap. Multi-state actions multiply the $25,000 cap by the number of participating states. AGs also have authority to seek attorneys' fees and litigation costs, and to seek injunctive relief without a monetary cap. State AG settlements commonly include compliance monitors (costing $200,000–$800,000 annually), workforce training mandates, and technology upgrades — which are typically the largest financial components of state AG HIPAA enforcement.
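The calculation above reduces to a per-state, per-category formula: $100 per affected resident, capped at $25,000 per category per state per calendar year, summed across categories and participating states. The following is an added worked example, not a ComplianceStack tool or anything from the statute itself; the state names, resident counts and the four-category breakdown used to reproduce the $100,000-per-state figure are constructed assumptions. It also shows the one point the prose leaves implicit: the $100 rate only matters when fewer than 250 residents in a state are affected, because above that the $25,000 cap binds.

```python
"""HITECH state-AG penalty exposure calculator (illustrative, added example).

Models only the 42 U.S.C. § 17951 monetary cap. It deliberately excludes HHS OCR
civil money penalties, parallel state-law claims (CCPA, CMIA, SHIELD Act) and the
cost of injunctive relief, which the text notes are usually the larger figures.
"""

PER_INDIVIDUAL = 100    # dollars per affected resident, per violation category
ANNUAL_CAP = 25_000     # dollars per violation category, per state, per calendar year


def cap_binding_threshold() -> int:
    """Number of affected residents at which the per-person rate reaches the cap."""
    return ANNUAL_CAP // PER_INDIVIDUAL   # 25_000 / 100 == 250


def state_category_penalty(residents: int) -> int:
    """Maximum one state AG can seek for one violation category in one year."""
    if residents < 0:
        raise ValueError("residents must be non-negative")
    return min(PER_INDIVIDUAL * residents, ANNUAL_CAP)


def hitech_exposure(residents_by_state: dict, categories: list) -> dict:
    """Aggregate capped exposure across participating states and categories.

    residents_by_state: {state: number of that state's residents affected}
    categories: distinct HIPAA provisions alleged (each carries its own cap)
    Returns a per-state breakdown plus the grand total.
    """
    per_state = {}
    for state, n in residents_by_state.items():
        by_category = {cat: state_category_penalty(n) for cat in categories}
        per_state[state] = {
            "by_category": by_category,
            "subtotal": sum(by_category.values()),
        }
    total = sum(entry["subtotal"] for entry in per_state.values())
    return {"per_state": per_state, "total": total}


# Constructed scenarios mirroring the page's worked examples.
THREE_CATEGORIES = ["Privacy Rule", "Security Rule", "Breach Notification Rule"]

# Assumed fourth category so that each state reaches the $100,000 figure in the
# multi-state example; the page says "multiple violation categories" without listing them.
FOUR_CATEGORIES = THREE_CATEGORIES + ["Minimum Necessary (assumed)"]


def single_state_example() -> int:
    """85,000 NY residents, three categories: expected $75,000."""
    return hitech_exposure({"NY": 85_000}, THREE_CATEGORIES)["total"]


def multi_state_example() -> int:
    """22 participating states, each far above the 250-resident threshold."""
    states = {f"State-{i:02d}": 50_000 for i in range(1, 23)}   # constructed counts
    return hitech_exposure(states, FOUR_CATEGORIES)["total"]


def small_state_example() -> int:
    """Below the threshold the $100 rate, not the cap, sets the number."""
    return hitech_exposure({"VT": 180}, ["Security Rule"])["total"]


if __name__ == "__main__":
    print("cap binds at", cap_binding_threshold(), "residents")
    print("single-state:", single_state_example())
    print("22-state, four categories:", multi_state_example())
    print("180 residents, one category:", small_state_example())
```

Because every state applies the same cap regardless of how many of its residents were affected, the per-state subtotal is driven almost entirely by how many distinct violation categories the AG pleads; the resident count only changes the result in the rare case of a very small in-state population.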

Recent Enforcement Actions

2024 — Managed care organization, New York
Breach of 13,000 NY residents' PHI due to inadequate encryption; failure to notify HHS within 60 days; NY AG filed simultaneously with the OCR investigation
Penalty: $225,000 combined — NY AG settlement ($75,000) + HHS OCR resolution agreement ($150,000); 2-year corrective action plan with AG oversight
Source: New York AG Press Release, 2024; HHS OCR Resolution Agreement, 2024

2023 — Multi-state health insurer
Ransomware attack affecting 2.6M individuals across 12 states; breach notification sent 72 days late; inadequate Security Rule controls
Penalty: $5,100,000 — coordinated 12-state AG settlement averaging $425,000/state; separate $3.2M HHS OCR CMP
Source: Multi-State AG Joint Press Release, September 2023; HHS OCR, 2023

2023 — Home health agency, Connecticut
Employee email account compromise exposed PHI of 4,800 Connecticut residents; organization failed to notify individuals in a timely manner and did not conduct the required risk analysis
Penalty: $60,000 — Connecticut AG settlement; required 18-month independent HIPAA compliance review
Source: Connecticut AG Press Release, 2023

2022 — Vision benefits administrator (multi-state)
Phishing attack exposed PHI of 484,157 individuals, including 105,000 New York residents; inadequate access controls; delayed notification
Penalty: $4,500,000 — New York AG settlement under state data breach law and HIPAA; first major optometry-sector AG action
Source: New York AG Press Release, January 2022

Frequently Asked Questions

Can a state AG bring a HIPAA enforcement action even if HHS OCR is not investigating?

Yes. State AGs have independent enforcement authority under HITECH — they do not need to wait for OCR to act, and they can proceed even if OCR declines to investigate. A state AG must notify HHS before filing a civil action and provide HHS with an opportunity to intervene. If HHS intervenes, the AG action continues in coordination with OCR. If HHS declines, the AG proceeds independently. In practice, AGs most commonly act following large breaches affecting many state residents, data breaches that OCR takes more than 6 months to resolve, or situations where a local political motivation exists to act quickly.

Which states are the most active HIPAA AG enforcers?

New York has been the most active, filing 8+ HIPAA-related enforcement actions since HITECH's passage and securing settlements exceeding $20M total. Connecticut was the first state to file a HIPAA AG action (2010, against Health Net Inc.) and has remained consistently active. Massachusetts, Indiana, and Texas have each filed multiple actions. California AG has pursued health data violations under CMIA and CCPA rather than HIPAA directly, with some of the largest penalties. The trend since 2022 has been toward coordinated multi-state actions, where 10–25 state AGs join a single enforcement proceeding for large national breaches — amplifying the aggregate penalty and compliance requirements beyond what any single state can impose.

Does HIPAA preemption prevent state AGs from imposing stricter requirements?

No. HIPAA's preemption provisions (45 CFR § 160.203) only preempt state laws that are 'contrary to' HIPAA — meaning a covered entity cannot comply with both. State laws that provide greater privacy protections (stricter requirements, broader rights) are explicitly preserved. This is why California's CMIA, New York's SHIELD Act, Texas Health & Safety Code, and other state health privacy laws coexist with HIPAA — they impose additional obligations on covered entities. State AGs enforcing these state laws operate outside the $25,000 HITECH cap entirely. Only enforcement actions brought specifically under HIPAA (via HITECH authority) are subject to the $100/$25,000 cap.
