From HHS, resolution of a complaint they received in 2017:
The Office for Civil Rights (OCR) has settled with B. Brandon Au, DDS, Inc., d/b/a New Vision Dental (New Vision Dental), in California, over the impermissible disclosure of patient protected health information (PHI) in response to online reviews, and other potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The violation involves the provider’s inappropriate use of social media to respond to patient reviews, disclosing protected health information. This practice is illegal under HIPAA. New Vision Dental paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation
This is not the first time HHS has taken enforcement action for this type of situation. Long-time readers may recall the Shasta Regional Medical Center case that began in 2011, and of course, there have been a number of other similar situations since then, including another settlement earlier this year.