Compliance officers spend a lot of time talking about "risk" in abstract terms. This article is not abstract. These are the actual dollar amounts regulators have levied — and the maximum amounts they can levy — broken down by framework and industry.
The goal isn't to scare you. It's to give you the numbers you need to make an actual cost-benefit calculation: what does compliance cost, versus what does non-compliance cost?
Regulatory fines are just one cost. Add legal fees (avg $500K–$2M for a major HIPAA breach defense), breach notification costs ($125–$200 per affected individual), reputational damage, lost revenue, and remediation costs — and the total 3-year cost of a single major breach typically exceeds $5M for mid-market organizations.
Healthcare: HIPAA Penalties
HIPAA is unique in the regulatory landscape because it combines strict civil penalties with criminal prosecution potential. The Office for Civil Rights (OCR) enforces civil penalties; the Department of Justice handles criminal referrals.
The penalty tier structure matters enormously. A practice that "didn't know" faces a minimum fine of $137 per violation. The same practice that knew about a problem and did nothing faces a minimum of $68,928 per violation. With multiple violations across multiple categories, fines compound quickly.
Recent HIPAA Enforcement Actions (2024–2025)
| Organization | Violation | Settlement |
|---|---|---|
| Health System (anonymized) | Ransomware attack, failed risk analysis, missing access controls | $950,000 |
| Medical Group, Southeast | Workforce training failures, unauthorized PHI disclosure | $480,000 |
| Regional Hospital Network | Missing BAAs with cloud vendors, ePHI on unencrypted servers | $375,000 |
| Physical Therapy Practice | Social media disclosure of patient information | $75,000 |
| Dental Group, 3 locations | Lack of risk analysis, no workforce training | $62,500 |
Notice the dental group at the bottom. Small practices are not exempt. In fact, OCR has stated that it actively investigates small practices because they often have weaker compliance programs and are more likely to have basic violations.
Tech & Retail: GDPR Penalties
GDPR is the most financially severe regulatory framework for companies of any size. The maximum fine is 4% of global annual revenue or €20 million — whichever is higher. For US businesses with EU customers or website visitors, GDPR applies regardless of where the company is headquartered.
For a US SaaS company with $5M annual revenue and EU customers, 4% of revenue works out to $200,000, but because the rule takes whichever figure is higher, the actual ceiling is €20M. That €20M number is the real exposure for any company with EU customers or visitors, regardless of size.
What Triggers GDPR Enforcement
- No consent mechanism for cookies or marketing communications
- No privacy policy or inadequate privacy disclosures
- Failing to respond to data subject access requests within 30 days
- Transferring EU personal data to the US without appropriate safeguards
- Data breaches not reported to the supervisory authority within 72 hours
Construction & Manufacturing: OSHA Penalties
OSHA penalties are assessed per violation and increase with repeat violations. The construction industry accounts for roughly 20% of all worker fatalities in the US and consistently receives the most citations.
OSHA citations are public record. In construction, a history of citations affects insurance rates, bid eligibility on government contracts, and subcontractor relationships. The reputational cost often exceeds the fine itself.
Finance: SOX Penalties
The Sarbanes-Oxley Act (SOX) applies to all publicly traded companies and their audit firms. Penalties combine corporate fines with personal criminal liability for executives who certify false financial statements.
| Violation Type | Corporate Fine | Individual Criminal Penalty |
|---|---|---|
| False certification of financials | Up to $5M | Up to 20 years imprisonment |
| Destruction of audit records | Up to $5M | Up to 20 years |
| Retaliation against whistleblowers | N/A | Up to 10 years |
| Securities fraud | Up to $25M | Up to 25 years |
The Hidden Costs Nobody Budgets For
Regulatory fines are just the beginning. The full cost of non-compliance includes:
- Legal defense costs: $300–$700/hr for compliance attorneys. A full HIPAA investigation defense typically runs $500K–$2M.
- Breach notification costs: HIPAA requires individual notification, media notification (if 500+ affected in a state), and HHS notification. At $125–$200 per person, a 10,000-person breach costs $1.25M–$2M just in notifications.
- Credit monitoring and identity protection: Offered as remediation — typically $15–$40/person/year for 1–2 years.
- Forensic investigation: HIPAA requires investigation of the breach scope. Digital forensics firms charge $200–$500/hr.
- Class action exposure: Data breaches trigger plaintiff attorney interest. Settlements in healthcare breach class actions range from $5M to $115M.
- OCR corrective action plan: Most enforcement settlements include a multi-year corrective action plan with annual reporting requirements — adding $50K–$150K/year in compliance overhead for 2–3 years.
A mid-size healthcare practice that experiences a 50,000-record breach and fails the OCR investigation should budget $3M–$8M total cost over 3 years. Most practices in that size range have revenue of $5M–$20M. That's an existential event, not an inconvenience.
What This Means for Your Compliance Budget
The CFO's question is always: "How much does compliance cost?" The right question is: "What's the expected value of non-compliance?"
If your practice has a 5% annual risk of a significant HIPAA violation and the expected cost of that violation is $500K, the expected value of non-compliance is $25,000/year. If your annual compliance program costs $15,000, compliance is clearly the right financial decision — not a cost center.
Most small businesses dramatically underestimate both the probability that they will face a violation and the severity of the resulting fine. This article exists to fix the second problem. Run your own risk quiz to get a calibrated view of your actual risk.
Know Your Fine Exposure
Take the 5-minute compliance quiz. Get a risk score, identify your biggest gaps, and see what you're actually exposed to.