When Patient “Success Stories” Become a Privacy Breach
Privacy Breach Nugget
Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s unpack today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.
What Happened
Cadia Healthcare Facilities is a rehabilitation, skilled nursing, and long-term care services provider with 5 locations in Delaware, US.
Cadia posted patient names, photographs, and detailed health information on its public-facing website as part of a marketing campaign featuring patient “success stories.” These disclosures were made without obtaining valid written authorization from the patients whose information appeared on the website.
4 Step Privacy Breach Response
Cadia’s management of the privacy breach can be examined using the 4 Step Response Plan framework.
Step 1 – Spot and Stop
Cadia had procedures that required employees to obtain written consent from patients before sharing their testimonials. Despite this, the Office for Civil Rights (OCR) received a complaint in September 2021 alleging that patient information had been disclosed without authorization.
OCR’s investigation ultimately confirmed that the protected health information (PHI) of 150 patients had been disclosed without proper authorization. Cadia was formally notified of these findings in February 2022.
Step 2 – Investigate
Cadia conducted an internal investigation and in March 2022 removed all the success stories from its social media and website and ended the marketing campaign.
However, during this process, the organization deleted the content before confirming which patients had valid written consent on file, making it more difficult to accurately determine the full scope of unauthorized disclosures.
Step 3 – Notify
Cadia initially failed to notify affected patients of the privacy breach, as required. Notification obligations were later addressed as part of the enforcement process. A public notice regarding the breach can now be found on the Cadia website.
Step 4 – Prevent the Breach from Happening Again
According to the OCR settlement details:
- Cadia agreed to pay a $182,000 USD penalty
- A Corrective Action Plan (CAP) was imposed, including two years of OCR monitoring and reporting
- Cadia failed to properly implement its existing administrative privacy policies
- Cadia is required to:
- Revise its privacy policies and procedures
- Provide privacy training to all staff, including marketing personnel
- Implement stronger authorization processes before using patient information for marketing
- Cadia must now notify all affected individuals whose PHI was disclosed without authorization
Website and Social Media Tips
Custodians are responsible for ensuring that patients’ health information is collected, used, and disclosed in compliance with health privacy legislation, such as Alberta’s Health Information Act (HIA) and Ontario’s Personal Health Information Protection Act (PHIPA).
It’s also important to ensure your practices align with professional college standards related to advertising, professionalism, and confidentiality.
Here are key questions to include in your website and social media compliance checklist before collecting or using patient testimonials:
- What is your clinic’s approval process before content is posted online?
- Has the patient provided written consent for their information to be used?
  - If a photograph is included, does the consent explicitly authorize the use of images?
- Who authorizes the content before it is published?
  - For example: the healthcare provider, lead custodian, social media lead, or privacy officer?
- Before posting, has the content been reviewed for compliance with:
  - Health privacy legislation?
  - Professional college standards?
- Does your marketing vendor understand your privacy obligations?
  - Do you have a written agreement in place requiring the vendor to protect the confidentiality of personal health information?
Also See
Is your website secure? Take the Website Self-Assessment from Elevated Business Solutions.
Do you have a website for your healthcare practice in Ontario? PHIPA Website Guide from Elevated Business Solutions will help you.
Take-Aways
The Cadia case is a reminder that policies alone are not enough. Clinics must ensure that privacy requirements are understood, followed in practice, and applied consistently across all teams, including marketing and external vendors. Taking the time to review your website and social media practices now can help prevent a costly and public privacy breach later.
References
Cadia Healthcare Facilities. Notice of Success Story Incident. https://cadiahealthcare.com/wp-content/uploads/2025/06/Cadia_Notice-1.pdf
Health and Human Services. HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information. September 30, 2025. https://www.hhs.gov/press-room/ocr-settles-hipaa-with-cadia-healthcare-facilities.html
Help Me With HIPAA. Did Anyone Even Ask If It Was OK? – Ep 531 (podcast). October 17, 2025. https://helpmewithhipaa.com/did-anyone-even-ask-if-it-was-ok-ep-531