Privacy Breach Nugget: When Patient “Success Stories” Become a Privacy Breach
When Patient “Success Stories” Become a Privacy Breach
Privacy Breach Nugget
Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s unpack today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.
What Happened
Cadia Healthcare Facilities, which is a rehabilitation, skilled nursing, and long-term care services provider with 5 locations located in Delaware, US.
Cadia posted patient names, photographs, and detailed health information on its public-facing website as part of a marketing campaign featuring patient “success stories.” These disclosures were made without obtaining valid written authorization from the patients whose information appeared on the website.
4 Step Privacy Breach Response
Cadia’s management of the privacy breach can be examined using the 4 Step Response Plan framework.
Step 1 – Spot and Stop
Cadia had procedures that required employees to obtain a written consent from patients before sharing their testimonials. Despite this, the Office of Civil Rights (OCR) received a complaint in September 2021 alleging that patient information had been disclosed without authorization.
OCR’s investigation ultimately confirmed that the protected health information (PHI) of 150 patients had been disclosed without proper authorization. Cadia was formally notified of these findings in February 2022.
Step 2 – Investigate
Cadia conducted an internal investigation and on March 2022 removed all the success stories from their social media and website and ended the marketing campaign.
However, during this process, the organization deleted the content before confirming which patients had valid written consent on file, making it more difficult to accurately determine the full scope of unauthorized disclosures.
Step 3 – Notify
Cadia initially failed to notify affected patients of the privacy breach, as required. Notification obligations were later addressed as part of the enforcement process. A public notice regarding the breach can now be found on the Cadia website.
Step 4 – Prevent the Breach from Happening Again
According to the OCR settlement details:
- Cadia agreed to pay a $182,000 USD penalty
- A Corrective Action Plan (CAP) was imposed, including two years of OCR monitoring and reporting
- Cadia failed to properly implement its existing administrative privacy policies
- Cadia is required to:
- Revise its privacy policies and procedures
- Provide privacy training to all staff, including marketing personnel
- Implement stronger authorization processes before using patient information for marketing
- Cadia must now notify all affected individuals whose PHI was disclosed without authorization
Website and Social Media Tips
Custodians are responsible for ensuring that patients’ health information is collected, used, and disclosed in compliance with health privacy legislation, such as Alberta’s Health Information Act (HIA) and Ontario’s Personal Health Information Protection Act (PHIPA).
It’s also important to ensure your practices align with professional college standards related to advertising, professionalism, and confidentiality.
Here are key questions to include in your website and social media compliance checklist before collecting or using patient testimonials:
- What is your clinic’s approval process before content is posted online?
- Has the patient provided written consent for their information to be used?
-
- If a photograph is included, does the consent explicitly authorize the use of images?
- Who authorizes the content before it is published?
-
- For example: the healthcare provider, lead custodian, social media lead, or privacy officer?
- Before posting, has the content been reviewed for compliance with:
-
- Health privacy legislation?
- Professional college standards?
- Does your marketing vendor understand your privacy obligations?
-
- Do you have a written agreement in place requiring the vendor to protect the confidentiality of personal health information?
Also See
Is your website secure? Take the Website Self-Assessment from Elevated Business Solutions.
Do you have a website for your healthcare practice in Ontario? PHIPA Website Guide from Elevated Business Solutions will help you.
Take-Aways
The Cadia case is a reminder that policies alone are not enough. Clinics must ensure that privacy requirements are understood, followed in practice, and applied consistently across all teams, including marketing and external vendors. Taking the time to review your website and social media practices now can help prevent a costly and public privacy breach later.
You May Also Be Interested In
Medical Secretary Fined for Unauthorized Access And Disclosure to Health Information
References
Cadia Healthcare Facilities. Notice of Success Story Incident. https://cadiahealthcare.com/wp-content/uploads/2025/06/Cadia_Notice-1.pdf
Health and Human Services. HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information. 2025Sept30. https://www.hhs.gov/press-room/ocr-settles-hipaa-with-cadia-healthcare-facilities.html
Help Me With HIPAA. Did Anyone Even Ask If It Was OK? – Ep 531 podcast. 2025Oct17 https://helpmewithhipaa.com/did-anyone-even-ask-if-it-was-ok-ep-531
