WILMINGTON, Del. — Five Delaware nursing homes operating under the Cadia Healthcare brand agreed to pay $182,000 to the federal government after investigators determined the facilities disclosed protected health information belonging to approximately 150 patients on company websites and social media platforms without obtaining proper authorization, according to a settlement announced September 30, 2025, by the U.S. Department of Health and Human Services Office for Civil Rights.

The case centers on what Cadia Healthcare marketed as patient "success stories" — promotional posts that included individuals' full names, photographs, medical diagnoses, and details about their therapy and rehabilitation progress, as reported by HIPAA Journal. Federal regulators found that the company's marketing staff extracted the information directly from patient medical records to create the content, according to Nurse.org.
The investigation began after a complaint filed on September 20, 2021, alleged that Cadia had posted a patient's name, photograph, and treatment information without authorization, according to HIPAA Journal. By February 2022, OCR investigators had identified success stories containing the protected health information of 150 patients published without valid HIPAA authorizations across the chain's digital platforms.
The five facilities named in the settlement are Cadia Rehabilitation Broadmeadow in Middletown, Cadia Rehabilitation Renaissance in Millsboro, Cadia Rehabilitation Capital in Dover, and Cadia Rehabilitation Pike Creek and Cadia Rehabilitation Silverside, both located in Wilmington, as reported by HIPAA Journal. The facilities provide rehabilitation, skilled nursing, and long-term care services.
Federal investigators found that Cadia violated both the HIPAA Privacy Rule and the Breach Notification Rule, according to the National Law Review. Beyond the unauthorized disclosures themselves, the chain also failed to notify the affected individuals whose private medical information had been posted publicly online — a separate and significant regulatory failure.
"Healthcare providers must prioritize patient privacy in all communications, especially in the digital age where social media amplifies reach," OCR Director Melanie Fontes Rainer said in a statement accompanying the settlement, as reported by Captain Compliance.
No criminal charges were filed against Cadia Healthcare, according to Nurse.org. One legal analysis placed the number of affected patient cases at approximately 158, according to attorney Linn Foster Freedman of Robinson & Cole LLP, writing for Data Privacy and Security Insider.
Under federal law, covered entities including nursing homes must obtain valid written authorization from patients before disclosing protected health information for marketing purposes. The HIPAA Privacy Rule requires that such authorizations clearly describe the information to be disclosed, the purpose, and the recipient. The Breach Notification Rule separately requires facilities to notify individuals when their unsecured protected health information has been improperly accessed or disclosed.

Corrective Action Plan

Beyond the financial penalty, Cadia Healthcare agreed to a two-year corrective action plan that places the chain under direct OCR monitoring, according to multiple reports. The plan requires the company to review and develop written HIPAA privacy policies, provide workforce-wide training with specific guidelines for marketing personnel and social media use, appoint a dedicated privacy officer, perform regular audits of all marketing materials, remove any non-compliant content still posted, and submit semi-annual compliance reports to OCR, according to reports from HIPAA Journal, Nurse.org, and Captain Compliance.
The chain must also notify all affected individuals whose information was disclosed without authorization — a step it had previously failed to take, according to the National Law Review.
The case is not without precedent. A similar enforcement action in 2023 resulted in a $50,000 fine against a facility in Bergen County, New Jersey, for posting patient photographs without consent, as reported by Captain Compliance.

CMS Inspection History

The Cadia Healthcare facilities named in the settlement have varying track records in federal nursing home inspections. CMS maintains publicly available data on all Medicare- and Medicaid-certified nursing facilities through its Care Compare system, which rates facilities on a one-to-five star scale across health inspections, staffing levels, and quality measures.
Privacy violations like those at the center of this settlement are distinct from the clinical deficiencies tracked through CMS's standard inspection process. HIPAA enforcement falls under the HHS Office for Civil Rights rather than the Centers for Medicare & Medicaid Services. However, the case raises broader questions about organizational compliance culture — when a chain's marketing department is routinely accessing and publishing patient medical records without authorization, it may signal systemic gaps in how the organization handles sensitive patient data across all operations.
Families evaluating any of the five Cadia facilities should review both CMS inspection reports, available at medicare.gov/care-compare, and this HIPAA enforcement history when assessing the chain's approach to patient rights and privacy protections.

Ownership & Operations

Cadia Healthcare operates as a chain of five rehabilitation and skilled nursing facilities concentrated in Delaware. The company's marketing practices came under federal scrutiny when what appeared to be a systematic content strategy — extracting patient information from medical records for promotional use — was found to lack the basic authorization safeguards required by federal law.
The $182,000 penalty, while significant, represents a relatively modest financial consequence for a multi-facility chain. HIPAA penalties can reach up to $2.13 million per violation category per year. The settlement amount suggests OCR may have considered factors such as the organization's cooperation during the investigation or its financial capacity.
The two-year monitoring period and corrective action requirements may ultimately prove more consequential than the fine itself, as they require sustained institutional changes to how the organization handles patient information in its marketing and communications operations.

Resources for Families

Family members who believe their loved one's health information may have been disclosed without authorization at any healthcare facility have several options for reporting and assistance.
To file a HIPAA complaint, individuals can contact the HHS Office for Civil Rights directly through its online complaint portal or by calling the HHS hotline. Complaints must generally be filed within 180 days of discovering the violation.
For broader concerns about nursing home care, residents and families can contact the National Long-Term Care Ombudsman Resource Center at 1-800-677-1116. Ombudsman programs advocate for residents of nursing homes, assisted living facilities, and other long-term care settings, and can help navigate complaints related to care quality, resident rights, and facility practices.
Additional information about nursing home rights and quality ratings is available through Medicare's Care Compare tool and through the Administration for Community Living at [ltcombudsman.org](https://ltcombudsman.org).