FOR IMMEDIATE RELEASE
September 30, 2025
Contact: HHS Press Office
202-690-6343

HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information

Settlement Resolves Potential Violations of the HIPAA Privacy and Breach Notification Rules

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with five health care providers, collectively known as Cadia Healthcare Facilities, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Breach Notification Rules. The Cadia Healthcare Facilities are rehabilitation, skilled nursing, and long-term care services providers located in Delaware.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules), which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Privacy Rule establishes national standards to protect individuals’ PHI; sets limits and conditions on the uses and disclosures of PHI; and gives individuals certain rights, including the right to timely access their health records. The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

“The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure,” said OCR Director Paula M. Stannard. “Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”

The settlement resolves an investigation of Cadia Healthcare Facilities that OCR initiated after receiving a complaint in September 2021 alleging that Cadia Healthcare Facilities had impermissibly disclosed a patient’s name, photograph and information pertaining to the patient’s conditions, treatment, and recovery in the form of a “success story” posted to Cadia Healthcare Facilities’ website. OCR’s investigation confirmed that Cadia Healthcare Facilities had posted the patient’s PHI to its public-facing website without first obtaining a valid, written HIPAA authorization from the patient. OCR’s investigation also determined that Cadia Healthcare Facilities disclosed the PHI of a total of 150 patients to its websites through its “success story” program without first obtaining valid, written HIPAA authorizations. OCR determined that Cadia Healthcare Facilities impermissibly disclosed PHI, failed to have appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI, and failed to provide breach notification to the affected individuals.

Under the terms of the resolution agreement, Cadia Healthcare Facilities agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $182,000 to OCR. Cadia Healthcare Facilities will also take steps to improve its compliance with the HIPAA Privacy and Breach Notification Rules, including:

  • Reviewing and, to the extent necessary, developing, maintaining, and/or revising, its written policies and procedures to comply with the HIPAA Privacy and Breach Notification Rules;
  • Providing all members of their workforce, including marketing personnel, with training on their HIPAA policies and procedures; and
  • Notifying any and all individuals, or the individual’s personal representative, whose PHI was disclosed by Cadia Healthcare Facilities on any of its facility websites, social media accounts, or through other marketing or promotional materials without a valid authorization, that their PHI has been breached.

The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/ocr-ra-cap-cadia-healthcare-facilities.pdf.

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of people’s health information. Guidance about the Privacy Rule, Security Rule, and Breach Notification Rule can also be found on OCR’s website.

If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR.

Follow HHS OCR on X (formerly Twitter) at @HHSOCR.

###
Note: All HHS press releases, fact sheets and other news materials are available in our Press Room.
Last revised: September 30, 2025
Content created by Office for Civil Rights (OCR)
Content last reviewed September 30, 2025