On September 30, 2025, the Office for Civil Rights of the Department of Health and Human Services (OCR) announced a settlement with Cadia Healthcare Facilities, a provider of rehabilitation, skilled nursing and long-term care services located in Delaware “for potential violations…of HIPAA Privacy and Breach Notification Rules.”

According to the OCR’s press release, the settlement follows an investigation of Cadia after it received a complaint that the company had “impermissibly disclosed a patient’s name, photograph and information pertaining to the patient’s conditions, treatment, and recovery in the form of a ‘success story’ posted to Cadia Healthcare Facilities’ website.” After investigation, the OCR found that Cadia had posted the patient’s protected health information to its website without obtaining written authorization from the patient. The OCR further found that Cadia had posted 158 “success stories” without obtaining valid written authorization from the patients featured in the articles.

Cadia agreed in the settlement to pay the OCR $182,000 and implement a corrective action plan that will be monitored by the OCR for two years.