Call Us Today! 877-659-2467 contactus@arismedicalsolutions.com
Aris Home
Contact Us
Learn More

Cadia Healthcare Facilities fined $182K for posting success stories

Posted bySuze Shaffer
Fill in missing gaps of HIPAA compliance

OCR issues fines for not obtaining written authorizations before sharing PHI

The Cadia Healthcare Facilities are rehabilitation, skilled nursing, and long-term care services providers located in Delaware and were fined $182K for “posting” a success story to their website without obtaining a written authorization from the patient.

The settlement resolves an investigation of Cadia Healthcare Facilities that OCR initiated after receiving a complaint in September 2021 alleging that Cadia Healthcare Facilities had impermissibly disclosed a patient’s name, photograph and information pertaining to the patient’s conditions, treatment, and recovery in the form of a “success story” posted to Cadia Healthcare Facilities’ website.

Additional disclosures

OCR’s investigation also determined that Cadia Healthcare Facilities disclosed the PHI of a total of 150 patients to its websites through its “success story” program without first obtaining valid, written HIPAA authorizations. OCR determined that Cadia Healthcare Facilities impermissibly disclosed PHI, failed to have appropriate administrative, physical, and technical safeguards in place to protect the privacy of PHI, and failed to provide breach notification to the affected individuals.

Under the resolution agreement

Under the terms of the resolution agreement, Cadia Healthcare Facilities agreed to implement a corrective action plan that will be monitored by OCR for two years and pay $182,000 to the OCR. Cadia Healthcare Facilities will also take steps to improve its compliance with the HIPAA Privacy and Breach Notification Rules.

This includes:

  • Developing, reviewing, maintaining, and/or revising, its written policies and procedures to comply with the HIPAA Privacy and Breach Notification Rules.
  • Providing training on their HIPAA policies and procedures to all members of their workforce, including marketing personnel.
  • Cadia Healthcare facilities must notify any individuals (or their personal representatives) whose PHI was disclosed without valid authorization on websites, social media platforms, or in any other marketing materials.

Summary

“The internet and social media are important business development tools.  But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure,” said OCR Director Paula M. Stannard. “Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”

This case is a clear warning to ensure all employees, including marketing individuals, are included in HIPAA training and policies and procedures are implemented and followed.

At Aris Medical Solutions, our HIPAA Keeper platform helps healthcare organizations get compliant and maintain compliance with the HIPAA Privacy and Security Rules—all within one secure, cloud-based system.

Contact Aris to schedule a free HIPAA checkup today.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

View all posts by Suze Shaffer

Ransomware

BST & Co. CPAs, LLP fined $175K for Ransomware Breach

August 18, 2025
©2026 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC