HIPAA and Sophos Report | futureTEKnow by Raffaella Aghemo

Raffaella Aghemo
2 min read · May 7, 2020


HIPAA, approved by the US Congress in 1996, protects the US federal health care system.

In 2019, Touchstone Medical Imaging, a Tennessee diagnostic services company, paid the substantial sum of three million dollars for a data breach of its systems, which put more than three hundred thousand protected health information records at risk!

There are exactly 18 PHI identifiers, and they are, to be precise:

  1. name
  2. date of birth
  3. address
  4. fax number
  5. social security number
  6. license number
  7. telephone number
  8. photographs
  9. URLs and web addresses
  10. email address
  11. policy beneficiary
  12. IP address
  13. medical records
  14. biometrics
  15. device identifiers
  16. bank account number
  17. license plate
  18. any other information that could identify the subject

If this data is removed from protected health information, the result is considered de-identified PHI and is no longer subject to the HIPAA Privacy Rule.

Health information is “sellable”, with the express consent of the owner, but only after it has been de-identified by deleting any information that makes the patient identifiable. Such information is a dark web delicacy: it has no expiration date, and it is an excellent tool for creating false identities or fake profiles. 90% of the U.S. population has health insurance, and since 2015 more than 300 million documents have been stolen, which is almost one in 10!
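The post describes de-identification as removing the listed identifiers from a record (the approach HHS calls the Safe Harbor method). As an added illustration, not code from the original post, the following Python sketch drops the fields that map onto those identifier categories from a constructed patient record, scrubs the machine-recognisable ones (SSN, phone, e-mail, IPv4) out of free text, and then re-checks the result. The field names, the regular expressions and the sample record are assumptions made for this example; the 18th catch-all category (“any other information that could identify the subject”) cannot be handled by a field list and still needs human review of free text.

```python
import re

# Field names in a constructed patient record that map onto the PHI
# identifier categories listed in the post. These names are an assumption
# for this example; real schemas differ.
PHI_FIELDS = {
    "name", "date_of_birth", "address", "fax_number", "ssn",
    "license_number", "telephone", "photo", "url", "email",
    "policy_beneficiary", "ip_address", "medical_record_number",
    "biometrics", "device_id", "bank_account", "license_plate",
}

# Free-text notes may still carry identifiers; these patterns catch the
# machine-recognisable ones. Anything else in free text falls under the
# catch-all 18th category and needs manual review.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def deidentify(record):
    """Return a copy of `record` with the listed PHI fields dropped and
    recognisable identifiers in string values replaced by [REDACTED]."""
    out = {}
    for key, value in record.items():
        if key in PHI_FIELDS:
            continue  # drop the whole field
        if isinstance(value, str):
            for pattern in FREE_TEXT_PATTERNS.values():
                value = pattern.sub("[REDACTED]", value)
        out[key] = value
    return out


def residual_identifiers(record):
    """Return the names of fields that still hold a listed PHI field or a
    recognisable identifier pattern; an empty list means the automated
    check passed (human review of free text is still required)."""
    hits = []
    for key, value in record.items():
        if key in PHI_FIELDS:
            hits.append(key)
        elif isinstance(value, str) and any(
            p.search(value) for p in FREE_TEXT_PATTERNS.values()
        ):
            hits.append(key)
    return hits


# Constructed sample record; every value is made up for this example.
SAMPLE = {
    "name": "Jane Example",
    "date_of_birth": "1980-04-12",
    "ssn": "123-45-6789",
    "email": "jane@example.invalid",
    "ip_address": "192.0.2.10",
    "diagnosis_code": "E11.9",
    "visit_year": 2019,
    "notes": "Patient called from 555-123-4567; contact jane@example.invalid",
}

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE))
    cleaned = deidentify(SAMPLE)
    print("after:", cleaned)
    print("residual:", residual_identifiers(cleaned))
```

The point of the second function is that de-identification should be verified, not assumed: a structured field list catches the easy cases, but the `notes` field shows how identifiers leak into free text, and only the pattern-recognisable ones are caught automatically.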

HIPAA does not apply to all health information, but only to information handled by entities covered, supervised and controlled by HIPAA. Unencrypted medical records, hacking and ransomware, and the loss or theft of devices containing PHI are just some of the situations that lead to HIPAA violations. Such violations, whether accidental or intentional, result in severe penalties:

  • violations due to ignorance: fines ranging from $100,000 to $50,000;
  • violations despite reasonable vigilance: fines ranging from $1,000 to $50,000;
  • violations due to willful neglect, corrected within 30 days: fines from $10,000 to $50,000;
  • violations due to willful neglect, not corrected within 30 days: a flat fine of $50,000;

but maximum penalties can reach $1,500,000 and even jail!

The most frequent HIPAA violations are:

The Sophos Report itself highlights that the leading cause of cyber attacks and data theft is, as repeatedly stated, the human element, whose carelessness or inexperience opens the door to skilled attackers!

Originally published at https://www.futureteknow.com on May 7, 2020.



Raffaella Aghemo

Innovative lawyer and consultant for AI and blockchain, IP, copyright, communication; likes movies and books, writes legal features and book reviews