Reporters, bloggers and broadcasters love press releases — particularly those that contain juicy bits of crime news. When a Texas hospital used a press release to brag about catching a potential fraudster, it landed them in a heap of trouble.

On May 10, 2017, the Office of Civil Rights hit Houston’s giant Memorial Hermann Health System (MHHS) with a whopping $2.4 million fine for disclosing the name of a patient in a press release.

Back in 2010, a sharp MHHS employee eyed a fake identification card presented to the hospital. Staff quickly called the authorities and the suspect was arrested.

Of course, HIPAA rules allow the identity of the fraudster to be shared with law enforcement.

HIPAA rules did not, however, permit disclosing that identity in the press release MHHS blasted out, boasting of its heroic, eagle-eyed, fraud-fighting staff.

In addition to the $2.4 million penalty, MHHS was forced to endure costly and time-consuming staff training and corrective actions to demonstrate its understanding of Protected Health Information handling procedures and media disclosures.