Deer Oaks – The Behavioral Health Solution, a provider of psychiatric and psychological services for long-term care facilities, has agreed to pay $225,000 and implement a corrective action plan after the U.S. Department of Health and Human Services (HHS) found it failed to conduct a required HIPAA risk analysis.
The settlement follows two serious incidents: a multi-year exposure of patient data on the public internet and a ransomware attack that compromised over 170,000 individuals’ protected health information (PHI).
What Happened To Deer Oaks?
The first issue stemmed from a now-defunct patient portal pilot program that had a coding error. As a result, discharge summaries containing sensitive information, such as names, birth dates, diagnoses, and facilities, were publicly accessible via search engines between December 2021 and May 2023.
Shortly after that issue was reported, a more severe incident followed. In August 2023, Deer Oaks experienced a ransomware attack. Threat actors accessed an employee’s account and exfiltrated data belonging to more than 171,000 patients. That data was later used in an extortion attempt.
Key Compliance Breakdown
The Office for Civil Rights (OCR) concluded that Deer Oaks had not conducted the HIPAA-required risk analysis under 45 C.F.R. § 164.308(a)(1)(ii)(A). This assessment is a cornerstone of the HIPAA Security Rule, designed to help organizations identify and address security gaps before they’re exploited.
OCR emphasized that without a comprehensive risk analysis, organizations are ill-prepared to prevent data breaches—whether they’re the result of human error or criminal attacks.
What Deer Oaks Must Do Now
In addition to the monetary settlement, Deer Oaks has entered into a two-year corrective action plan that includes:
• Conducting an organization-wide risk analysis
• Implementing a risk management plan based on those findings
• Updating HIPAA policies and procedures across the board
• Training staff who access PHI on security and privacy safeguards
• Providing regular reports and documentation to HHS for monitoring
What Covered Entities Should Do Now
If your organization handles ePHI, OCR recommends:
• Map out where ePHI resides and how it flows through systems
• Review and update risk analyses regularly
• Ensure audit controls and reviews of system activity logs
• Implement strong user authentication and encryption
• Integrate lessons from incidents into security protocols
• Conduct role-based annual HIPAA training (HHS.gov)
Why This Case Matters
This isn’t just a technical violation. It’s another example of how failure to perform basic, well-documented security hygiene—like risk analysis—can leave patient data exposed and result in steep regulatory consequences.
Paula Stannard, acting OCR director, summed it up clearly: “Risk analysis is foundational. Without it, organizations can’t detect vulnerabilities and are left unable to protect patient data effectively.”
The Deer Oaks case reinforces a larger pattern in OCR enforcement this year—targeting entities that neglect risk analysis and related administrative safeguards. Even when breaches stem from unintentional mistakes, the regulatory expectation remains: covered entities must proactively identify and mitigate vulnerabilities.
What Healthcare Providers and Business Associates Should Be Doing
If you’re in the healthcare space and handle electronic PHI, take this moment to reassess:
• When was your last enterprise-wide risk analysis?
• Do you know where all PHI lives across systems, vendors, and staff devices?
• Are you logging and auditing access to PHI as required?
• Do your employees receive role-based, annual HIPAA security training?
• Have you tested your incident response plan lately?
These are not just best practices; they’re regulatory obligations, and Captain Compliance is here to help.