The fine issued to Facebook by the Information Commissioner’s Office - the UK's data protection regulator - over the Cambridge Analytica scandal marked the first time that the ICO had handed out its maximum £500,000 monetary penalty.
The fines, which were added to the regulator’s enforcement powers in 2010, had not reached the maximum amount in the previous seven years, but they did come close with penalties issued to NHS trusts, while Google avoided a major fine over data collected by its Street View cars in 2013.
Monetary fines often mark the final action regulators will take, normally preferring to take other action to work with the victim who reported the violation. However, now that we are in the era of GDPR – where fines could potentially reach up to €20m, or 4% of turnover (whichever is greater) – the amount of money being paid for infringements could get serious. With this in mind, Infosecurity looked at some of the highest regulatory fines when compliance gets severe.
1 - Genesco
VISA issued a $13.3m fine to Genesco after a credit card breach in 2010. The retailer claimed that the fines were unjustified and unenforceable under the law.
Source: Computer World
2 - Advocate Health Care
Advocate Health Care paid $5.55m for HIPAA violations relating to three reported data breaches.
Source: Beckers Hospital Review
3 - The University of Texas
The University of Texas MD Anderson Cancer Center lost an unencrypted laptop and two USB drives affecting 33,500 people, and was fined $4.3m.
Source: HHS
4 - Computer Sciences Corporation
The Securities and Exchange Commission fined two former executives of Computer Sciences Corporation $4m over NHS contract shortfalls.
Source: USA Today
5 - The Feinstein Institute for Medical Research
The Feinstein Institute for Medical Research was fined $3.9m when a laptop containing the details of 13,000 patients and research participants was stolen
in 2012.
Source: Beckers Hospital Review
6 - Fresenius Medical Care
Fresenius Medical Care reported five incidents in 2012 incurring a $3.5m fine.
Source: Fierce Healthcare
7 - The Children’s Medical Center of Dallas
The Children’s Medical Center of Dallas was fined $3.2m over lost devices and non-compliance with HIPAA.
Source: Careers Infosecurity
8 - The University of Mississippi Medical Center
The University of Mississippi Medical Center was fined $2.75m over several unreported data breaches.
Source: HHS
9 - Cardionet
Cardionet was fined $2.5m after a laptop theft revealed insufficient risk analysis and management processes.
Source: Healthcare IT News
10 - MAPFRE Life Insurance
MAPFRE Life Insurance was fined $2.2m following the loss of an unencrypted USB drive containing 2000 personal details.
Source: Careers Infosecurity