OCR settles four HIPAA investigations, prioritizes risk analysis
OCR settled four investigations into healthcare ransomware attacks, collecting a total of $1.17 million from affected entities and securing commitments to corrective action plans.
The HHS Office for Civil Rights announced four settlements with HIPAA-covered entities stemming from separate ransomware investigations it conducted under the HIPAA Security Rule.
The incidents, though not related, collectively impacted more than 427,000 individuals and exposed unsecured protected health information. The affected entities paid OCR a total of $1.17 million, agreed to implement corrective action plans and consented to OCR monitoring for two years to resolve the investigations.
All four incidents show that OCR continues to prioritize enforcing the risk analysis provisions of the HIPAA Security Rule, as it has since the first enforcement action under its risk analysis initiative was issued in October 2024.
Notably, the four breaches were not particularly large, with the smallest impacting just 9,300 individuals. This shows that OCR is not only pursuing settlements with large health systems or entities that have experienced disproportionately large breaches. Rather, any HIPAA-covered entity that fails to implement the proper HIPAA-compliant safeguards to protect PHI could find itself the subject of an OCR investigation.
The latest settlements mark 19 completed OCR investigations pertaining to ransomware incidents and 13 completed under OCR's risk analysis initiative.
"Hacking and ransomware are the most frequent type of large breach reported to OCR," OCR Director Paula M. Stannard said in the announcement.
"Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity's best opportunity to prevent or mitigate the harmful effects of a successful cyberattack."
OCR recommended that all HIPAA-covered entities take proactive steps to mitigate cyberthreats, including identifying where electronic PHI is located within the organization, implementing a risk management plan and incorporating lessons learned from cybersecurity incidents into the organization's overall security strategy.
Here are the four settlements:
Assured Imaging
Assured Imaging, a medical imaging and screening service provider with corporate locations in Arizona and California, suffered a ransomware attack in May 2020 at the hands of PYSA ransomware cybercriminals.
According to the settlement agreement, OCR launched an investigation into the incident and learned that PYSA had encrypted Assured's EMR system and potentially exfiltrated data, impacting 244,813 individuals.
OCR's investigation revealed that Assured had never conducted a compliant risk analysis as required by HIPAA. What's more, the entity failed to notify the impacted individuals of the breach within 60 days of discovery.
Assured did not admit liability. However, the entity agreed to pay HHS $375,000 to resolve the investigation. Assured also agreed to a corrective action plan that requires it to conduct a risk analysis, update and maintain policies to safeguard PHI and submit to training, among other measures.
Regional Women's Health Group
New Jersey-based Regional Women's Health Group (RWHG), now part of Axia Women's Health, paid OCR $320,000 and agreed to implement corrective actions stemming from a December 2020 data breach that impacted 37,000 patients.
OCR's investigation revealed that "RWHG failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds," the settlement agreement stated.
Like Assured, RWHG's corrective action plan requires it to conduct a risk analysis and improve its security posture over a two-year OCR monitoring period.
Star Group, L.P. Health Benefits Plan
Star Group, L.P. Health Benefits Plan, the self-funded employee benefits plan of a Connecticut-based energy provider, filed a breach report in October 2021 stating that it had experienced a ransomware attack. Approximately 9,300 individuals were affected.
OCR found that SG Health Plan had impermissibly disclosed PHI and failed to conduct an accurate risk assessment to identify risks to PHI.
SG Health Plan paid OCR $245,000 to resolve the investigation and entered into a corrective action plan.
Consociate Health
Consociate Health, a HIPAA business associate and third-party administrator of employer-sponsored benefit programs, fell victim to a phishing attack in July 2020. Six months after initial access, the cyberthreat actor deployed ransomware and gained access to a server containing the PHI of approximately 136,500 individuals.
Again, OCR's investigation found that Consociate had failed to conduct a thorough risk assessment of the vulnerabilities to the confidentiality of patients' PHI. HHS accepted a $225,000 payment from Consociate to resolve the investigation, along with a corrective action plan.
Jill Hughes has covered health tech news since 2021.