Privacy Failures Are Costly Lessons for Healthcare Companies

Federal and state regulators are ramping up enforcement of consumer data privacy laws, signaling steep penalties for healthcare organizations that fail to meet evolving compliance requirements.
Sept. 9, 2025

Federal and state regulators are putting companies on notice that attempts to exploit consumer data will not be tolerated.

In July, the California Attorney General announced that Healthline.com will pay $1.55 million for violating the California Consumer Privacy Act (CCPA) — the largest penalty under that law to date. The California Department of Justice investigation found the company improperly used online tracking tools, disclosed sensitive health information to advertisers, left out required privacy terms in third-party contracts, and misled users about their data collection practices, among other violations.

This action reflects a broader trend of increased regulatory scrutiny across jurisdictions. Even established healthcare information companies are not immune to penalties when data practices fall short of regulatory requirements. As enforcement ramps up, here’s what healthcare leaders need to know.

New privacy laws, more enforcement ahead

The data privacy compliance landscape is becoming increasingly complex. Eight states have new data privacy laws going into effect this year, bringing the number of states with CCPA-like regulation to 20. These laws vary in their effective dates and specific requirements, creating a patchwork of compliance obligations that healthcare organizations must navigate. At the federal level, the Department of Justice recently implemented new restrictions on transfers of sensitive data to “countries of concern” like Russia and China.

Companies dealing with sensitive health data also need to reckon with sector-specific compliance requirements. Washington, for example, has a comprehensive health data law — the My Health, My Data Act — which expands Health Insurance Portability and Accountability Act (HIPAA) requirements to organizations outside traditionally regulated entities, such as apps and websites. While it was one of the first, it isn’t the only one: Nevada and Connecticut already have something similar, and New York is in the process of doing so with the New York Health Information Privacy Act.

Federally, Biden-era data privacy enforcement is continuing under the Trump administration. Regulators like the Federal Trade Commission (FTC) are taking a tough stance against companies engaging in deceptive data practices, even without a comprehensive federal data privacy law in place. These enforcement actions have targeted companies lacking transparency about data collection and usage, including “dark patterns” that intentionally make it difficult for consumers to understand how to revoke consent to collect and use their data.

These actions can be costly. Barnes & Thornburg’s Healthcare Enforcement & Compliance Report reveals how data privacy and cybersecurity enforcement actions led to over $9.3 million in penalties across the healthcare industry last year. Regulators are targeting not just data breaches stemming from technical security failures, but also the use of tracking technologies to collect, share and use health information for advertising purposes.

Online mental health provider Cerebral Inc. paid more than $7 million in penalties alone after the FTC alleged that the company and its CEO disclosed the sensitive personal health information and other data collected from 3.2 million consumers to third-party advertisers — despite promises not to share data without express consent.

Enhancing data privacy compliance through collaboration

Protecting personal health data requires both strong information security and comprehensive data privacy compliance. Most importantly, these two functions need to work together — something many companies overlook.

If IT teams view cybersecurity and data privacy solely as technical problems with technical solutions, for example, they might miss compliance issues regarding how data is collected, stored and shared. On the other hand, if the legal team doesn’t have full visibility into the company’s data collection practices, the company runs the risk of making privacy promises it can’t keep.

That’s why IT, legal and leadership need to closely collaborate on data privacy policies and practices, encompassing:

  • What types of data are getting collected
  • The purpose and method of data collection
  • How data is being stored
  • Who data is being shared with (and why)
  • What notices and privacy policies customers receive

This necessitates more than just occasional meetings and information sharing: These teams also need to engage in joint risk assessments and table-top exercises to ensure they’re adequately managing risks and prepared for any issues that could arise. Enforcement cases frequently cite gaps such as missing risk analyses, inadequate system monitoring and weak access controls. Prioritizing regular reviews of these areas can materially reduce organizational exposure.

Effective collaboration also requires establishing clear roles and responsibilities across teams and opening regular communication channels. IT teams should lead technical assessments of data flows and security controls while legal teams focus on regulatory compliance and contractual obligations. Leadership must ensure adequate resources and executive sponsorship for cross-functional privacy initiatives.

Additionally, companies using AI should be extra careful about putting data protection policies in place that consider how the AI vendor will use and store data. Regulators now expect organizations to demonstrate robust due diligence and contractual safeguards not just for data processors, but also for technologies using AI or advanced analytics platforms.

Legal and IT teams should work together to review vendor contracts and assess security practices for alignment with internal compliance requirements, including specific provisions addressing data residency, model training practices and data retention policies. They should also keep in mind that regulators like the FTC have explicitly warned that quietly changing privacy policies to be more permissive in order to sell data to AI companies or other third parties could be deemed unfair or deceptive. This creates particular compliance challenges for healthcare organizations that may have collected data under more restrictive privacy policies.

Prepare today for tomorrow’s enforcement

As regulators continue to heighten enforcement against deceptive data privacy practices in healthcare, the risks are too high for companies to continue working in silos. Protecting sensitive data requires an integrated approach that brings cross-functional teams and leadership to the table.

The Healthline.com penalty and similar enforcement actions signal that regulators are prepared to impose significant financial consequences for non-compliance. In this environment, healthcare organizations must recognize that compliance is not optional but essential for business continuity. Even simple steps, like updating incident response protocols and assessing business associate agreements, can dramatically improve preparedness and reduce enforcement risk.

By fostering ongoing communication, shared accountability, and a proactive stance on privacy and security, healthcare organizations will be better positioned to meet the regulatory demands of today and tomorrow.

About the Author

Brian McGinnis

Brian J. McGinnis is a partner with Barnes & Thornburg, where he is a founding member and co-chair of the firm's data security and privacy law practice group, a member of the intellectual property department and internet and technology practice and the firm’s chief privacy officer. He is based in the firm’s Indianapolis office.
