The Office for Civil Rights (OCR) shattered all monetary settlement records for violations of the HIPAA (Health Insurance Portability and Accountability Act) privacy, security and breach rules in the fiscal year ended this past Sept. 30, according to a study by the law firm McDermott Will & Emery.

In fiscal 2016, OCR socked companies $25.6 million for HIPAA violations, up from a measly $7.9 million the year before, the study found.

OCR, the HIPAA enforcement arm for the Department of Health and Human Services (HHS), also reached an additional 13 settlements known as “resolution agreements.” OCR had never before resolved more than seven HIPAA cases in a year.

The three HIPAA rules protect consumers’ protected health information (PHI), but by federal law, individuals have no right of legal action against companies for violating their PHI. The 2013 HIPAA Omnibus Rule, however, did cede to the states the power to allow such individual action.