The Violation
Cadia Healthcare, which operates five rehabilitation and skilled nursing facilities in Delaware, has agreed to a $182,000 settlement with the HHS Office for Civil Rights (OCR) after an employee posted patient protected health information (PHI) on social media without obtaining a valid HIPAA authorization. The incident involved a success story program that featured patient photos, names, and details about medical conditions and recovery. OCR found that between 2021 and March 2022, the facilities posted PHI of at least 150 patients without proper consent forms on file.
Breach Notification Failure
Beyond the unauthorized social media disclosures, OCR determined that Cadia violated the HIPAA Breach Notification Rule by failing to notify affected patients after shutting down the success story program. Although Cadia removed all posts in March 2022 and ended the program entirely, it did not send breach notifications to individuals until after the settlement. OCR Director Paula M. Stannard emphasized that while social media is a legitimate business tool, covered entities must obtain a valid, written HIPAA authorization before posting any PHI online.
Corrective Actions and Enforcement Trends
The settlement includes a two-year corrective action plan requiring Cadia to revise its HIPAA policies, distribute updates to all workforce members, conduct annual training reviews, and issue the overdue breach notifications. This marks the 20th HIPAA penalty imposed by OCR in 2025, with over $8.2 million collected in civil monetary penalties and settlements so far this year, making it one of the most active enforcement periods on record.
Source: Hipaajournal