The Ransomware Reckoning: HHS Sends a Clear Message to Healthcare with $1.165 Million in HIPAA Settlements

HHS’ Office for Civil Rights Settles Four HIPAA Security Rule Ransomware Investigations

On April 23, 2026, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced settlements with four healthcare organizations following ransomware investigations — adding four more chapters to what has become one of the most urgent and costly crises in American healthcare: the systematic failure of covered entities and business associates to protect electronic patient health information from cyberattack.

Introduction: A Pattern of Preventable Failures

The four settlements — totaling $1,165,000 in payments to OCR — arise from ransomware breaches that collectively exposed the protected health information (PHI) of more than 427,000 individuals. The victims range from a women’s health network spanning five states to a small Connecticut energy company’s self-funded health plan. What unites them is not their size or sector, but a common and critical failure: none had conducted the thorough, accurate risk analyses that HIPAA has required of them for decades.

These settlements bring OCR’s total completed ransomware breach investigations to 19, and its completed investigations under the Risk Analysis Initiative to 13 — a targeted enforcement campaign that signals OCR is done treating inadequate risk management as a minor compliance gap. It is, the agency says, the single most effective tool an organization has to prevent or mitigate a cyberattack. And organizations that don’t use it will pay for it.

The Ransomware Threat in Healthcare: Understanding the Stakes

Before turning to the specifics of the four cases, it’s worth understanding why OCR has made ransomware enforcement a priority at all.

Ransomware is malicious software designed to block access to data — typically by encrypting files with a cryptographic key held only by the attacker — until the victim pays a ransom. In healthcare settings, ransomware doesn’t just cost money. It can delay patient care, corrupt medical records, expose sensitive diagnoses and treatment histories, and, in the most severe cases, put lives at risk when hospital systems go dark.

OCR Director Paula M. Stannard captured the stakes plainly in the announcement: “Hacking and ransomware are the most frequent type of large breach reported to OCR.” That’s not a recent development — ransomware attacks on healthcare have been escalating for years, with attackers specifically targeting an industry that holds extraordinarily sensitive data, often runs legacy IT infrastructure, and faces enormous pressure to restore operations quickly (making ransom payment tempting).

The types of information exposed in these four cases illustrate exactly why healthcare is such a target: names, addresses, Social Security numbers, dates of birth, driver’s license numbers, diagnoses and medical conditions, lab results, medications, treatment information, financial account numbers, and health insurance details. This is the full mosaic of a person’s life — financial, medical, and personal — assembled in one place.

Yet despite this well-understood threat environment, all four organizations investigated by OCR shared the same fundamental compliance gap: they had not done the basic risk assessment work that HIPAA demands.

The HIPAA Security Rule: What the Law Actually Requires

To understand the significance of these settlements, it helps to understand what the HIPAA Security Rule requires — and how it applies to ransomware.

The Security Rule, promulgated under the Health Insurance Portability and Accountability Act of 1996, establishes national standards for protecting electronic protected health information (ePHI). It applies to covered entities — health plans, healthcare providers, and healthcare clearinghouses — and to their business associates, third parties that create, receive, maintain, or transmit ePHI on their behalf.

The Rule requires organizations to implement three categories of safeguards:

Administrative safeguards — Policies, procedures, and training programs that govern how ePHI is managed and protected. This includes conducting regular risk analyses and implementing risk management plans.

Physical safeguards — Controls over physical access to systems and facilities that hold ePHI.

Technical safeguards — Technology-based protections including access controls, audit controls, integrity controls, and encryption.

At the heart of all of this is the Risk Analysis requirement — arguably the most important single provision of the Security Rule. Organizations must conduct an “accurate and thorough assessment” of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This isn’t a one-time checkbox. It’s an ongoing process that must be updated as technology changes, as organizational infrastructure evolves, and as the threat landscape shifts.

OCR’s enforcement record makes clear that the Risk Analysis requirement is where the healthcare industry is most consistently, and most dangerously, failing.

The Four Cases: A Detailed Breakdown

1. Regional Women’s Health Group / Axia Women’s Health — $320,000

Organization: A network of women’s healthcare providers operating across New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky, doing business as Axia Women’s Health.

Scale of breach: 37,989 individuals affected.

What was exposed: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, diagnoses or conditions, lab results, and medications — a comprehensive profile combining financial identity data with sensitive clinical information.

What happened: In December 2020, an unauthorized third party gained access to the organization’s IT network and potentially exfiltrated data from its electronic medical record (EMR) database. This wasn’t a matter of a single vulnerability being exploited without warning — it was a breach of the core system holding patient records for a multi-state women’s health network.

What OCR found: RWHG had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. For an organization operating across five states with a centralized EMR system, the absence of a functioning risk analysis program is a serious gap.

The settlement: $320,000 in payments to OCR, plus a corrective action plan subject to OCR monitoring for two years.

Why it matters: Women’s health data is among the most sensitive categories of medical information, carrying profound personal, social, and in some contexts legal implications. The exposure of diagnoses, medications, and lab results for nearly 38,000 patients — combined with Social Security numbers and financial identifiers — creates a serious and lasting harm to those individuals. The scale and sensitivity of this breach underscore why the risk analysis failure is so consequential.

2. Assured Imaging Affiliated Covered Entities — $375,000

Organization: A medical imaging and screening service provider with corporate headquarters in Arizona and California, operating as affiliated covered entities.

Scale of breach: 244,813 individuals affected — the largest breach by patient count in this group of settlements.

What was exposed: Patient names, addresses, dates of birth, diagnoses and conditions, lab results, medications, and treatment information.

What happened: In May 2020, a server on Assured Imaging’s network was infected with ransomware. The attack succeeded in penetrating the organization’s systems and encrypting its data, disrupting access to medical imaging records for nearly a quarter million patients.

What OCR found: OCR’s investigation uncovered multiple violations. Assured Imaging had:

  • Impermissibly disclosed PHI — meaning patient information was exposed to unauthorized parties in violation of the HIPAA Privacy Rule.
  • Failed to conduct an accurate and thorough risk analysis — the foundational Security Rule failure shared by all four organizations.
  • Failed to timely notify affected individuals of the breach, in violation of the HIPAA Breach Notification Rule.

The notification failure is significant. The Breach Notification Rule is clear: individuals whose unsecured PHI has been breached must be notified promptly — within 60 days of discovery. Delays in notification leave patients unable to take protective action, such as monitoring their credit, placing fraud alerts, or watching for identity theft. For nearly 245,000 patients, Assured Imaging’s failure to notify in a timely fashion compounded the harm of the breach itself.

The settlement: $375,000 — the largest single payment in this group — plus a two-year corrective action plan under OCR monitoring.

Why it matters: Medical imaging providers hold extraordinarily sensitive clinical data. They are also often part of complex organizational structures (hence “affiliated covered entities”) that can create gaps in security governance. The combination of three distinct HIPAA violations — privacy, security, and notification — makes this one of the more serious cases in the batch.

3. Consociate, Inc. / Consociate Health — $225,000

Organization: A third-party administrator (TPA) of employee-sponsored benefit programs providing health plan administration, analytics, and consulting services as a HIPAA business associate.

Scale of breach: 136,539 individuals affected.

What was exposed: Names, addresses, dates of birth, driver’s license numbers, Social Security numbers, credit card and bank account numbers, and diagnoses or conditions. The inclusion of financial account data alongside clinical and identity information makes this an especially damaging exposure.

What happened: The Consociate case is a study in how modern cyberattacks unfold over extended timelines. A successful phishing attack in July 2020 gave a threat actor an initial foothold in Consociate’s systems. The attacker then waited — moving quietly through the network, escalating access, and eventually gaining entry to a server that held ePHI. It wasn’t until November and December 2021 — more than a year after the initial phishing compromise — that Consociate reported that some of its information systems had been encrypted in a ransomware attack.

This timeline is critical. The gap between initial compromise and ransomware deployment is characteristic of sophisticated, patient attackers who take time to maximize their access before striking. Organizations without robust audit controls and continuous monitoring of system activity may not detect an intruder for months or years.

What OCR found: Consociate failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Had a proper risk analysis been in place — followed by appropriate technical controls — the phishing attack might have been contained before it gave attackers a path to sensitive data.

The settlement: $225,000 plus a two-year corrective action plan.

Why it matters: Consociate’s case highlights two underappreciated risks. First, business associates are fully subject to the HIPAA Security Rule and bear independent compliance obligations — they are not insulated by their covered entity clients’ programs. Second, phishing — not exotic malware — was the initial attack vector here. This is one of the most common and preventable entry points for cybercriminals, and regular workforce training specifically addressing phishing is a core HIPAA administrative safeguard requirement.

4. Star Group, L.P. Health Benefits Plan — $245,000

Organization: The self-funded employee benefits health plan of a Connecticut-based energy provider — a health plan and therefore a HIPAA covered entity in its own right, even though its sponsor is an energy company.

Scale of breach: 9,316 individuals affected — the smallest breach in this group.

What was exposed: Names, addresses, dates of birth, Social Security numbers, and health insurance information including member identification numbers, claims data, and benefit selection information.

What happened: In October 2021, an unauthorized actor deployed ransomware on SG Health Plan’s information system and exfiltrated PHI — meaning data was not just encrypted but stolen and taken off the organization’s systems entirely, a more severe scenario than encryption alone.

What OCR found: Two violations: SG Health Plan had impermissibly disclosed PHI (the exfiltration constituted an unauthorized disclosure) and had failed to conduct an accurate and thorough risk analysis.

The settlement: $245,000 plus a two-year corrective action plan.

Why it matters: This case is a reminder that self-funded health plans — operated by employers in every industry, not just healthcare — are HIPAA covered entities. Many such organizations don’t think of themselves as healthcare companies and may not maintain the same level of security sophistication as dedicated health systems or insurance companies. The SG Health Plan case shows that OCR will pursue enforcement regardless of an organization’s primary business.

The Corrective Action Plans: What Happens After a Settlement

Each of the four settlements includes a corrective action plan (CAP) that the organization must implement and maintain under OCR monitoring for two years. While the financial penalties get the headlines, the CAPs may have more lasting impact on organizational behavior.

A typical HIPAA corrective action plan following a ransomware investigation will require the organization to:

  • Conduct a comprehensive, enterprise-wide risk analysis of ePHI
  • Develop and implement a risk management plan addressing identified vulnerabilities
  • Revise or adopt policies and procedures governing ePHI security
  • Implement regular workforce training on HIPAA security obligations
  • Report to OCR on compliance periodically throughout the two-year monitoring period

These requirements aren’t abstract — they force organizations to actually do the work they should have been doing all along, under the scrutiny of federal oversight.

OCR’s Recommended Security Practices: What Every Covered Entity Should Be Doing

OCR used the settlement announcement to reiterate its guidance on preventing and mitigating cyber threats. These recommendations constitute a practical checklist for covered entities and business associates:

1. Map your ePHI. Know where it lives — how it enters your systems, how it flows through them, and how it leaves. You can’t protect what you can’t see.

2. Conduct regular risk analyses. This is the foundation of everything else. The analysis must be accurate and thorough, and it must be updated as conditions change.

3. Develop and implement a risk management plan. The risk analysis identifies the risks. The risk management plan addresses them. Both are required.

4. Implement audit controls. Record and examine information system activity so you can detect anomalies and potential intrusions.

5. Review system activity regularly. Audit logs are only useful if someone looks at them. Regular review of information system activity can catch an attacker who has gained a foothold before they can cause catastrophic damage.

6. Authenticate users. Implement mechanisms to ensure that only authorized users are accessing ePHI. Multi-factor authentication is a leading practice.

7. Encrypt ePHI in transit and at rest. Encryption does not prevent all breaches, but it substantially limits the harm when a breach occurs. Encrypted data is generally considered “secured” under the HIPAA Breach Notification Rule, which can eliminate or reduce notification obligations.

8. Learn from incidents. After any security incident — whether or not it rises to the level of a reportable breach — incorporate the lessons learned into your overall security management process.

9. Train your workforce. Regular, role-specific training is a HIPAA requirement and one of the most effective ways to prevent phishing attacks and other social engineering tactics. As the Consociate case shows, a single successful phishing email can be the entry point for a catastrophic breach.
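Items 4 and 5 on this checklist (audit controls and regular review of system activity) are the controls that would have shortened the year-long dwell time in the Consociate case. The following is an added example, not code from the article, from OCR, or from any of the organizations named above. It parses a constructed application audit log (all names, addresses and timestamps are made up) and flags three patterns a routine activity review is meant to surface: ePHI access outside a user's normal working hours, bulk record export, and a user suddenly appearing from a source address never seen for that account. The log format, the business-hours window and the bulk threshold are assumptions chosen for the illustration; a real program would take them from the organization's risk analysis.

```python
"""Review of ePHI access-log activity (HIPAA audit-control / activity-review example).

Added example, not code from the article or from OCR. It demonstrates what
"record and examine information system activity" looks like in practice on a
small constructed log.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format per line:
# <ISO timestamp> <user> <source IP> <action> <patient record count>
SAMPLE_LOG = """\
2021-11-02T09:12:03 jsmith 10.0.1.15 VIEW 1
2021-11-02T09:45:10 jsmith 10.0.1.15 VIEW 1
2021-11-02T14:03:44 rlee 10.0.1.22 VIEW 2
2021-11-03T02:17:09 jsmith 10.0.1.15 VIEW 1
2021-11-03T02:19:31 jsmith 10.0.1.15 EXPORT 4500
2021-11-03T10:05:00 rlee 203.0.113.8 VIEW 1
"""

BUSINESS_HOURS = (7, 19)   # assumption: 07:00-19:00 local is normal access time
BULK_THRESHOLD = 500       # assumption: an EXPORT of this many records is "bulk"


def parse_log(text):
    """Turn the whitespace-separated log text into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, src_ip, action, count = line.split()
        entries.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src_ip": src_ip,
            "action": action,
            "count": int(count),
        })
    return entries


def _finding(rule, entry, detail):
    return {
        "rule": rule,
        "user": entry["user"],
        "ts": entry["ts"].isoformat(),
        "detail": detail,
    }


def review_activity(entries, business_hours=BUSINESS_HOURS, bulk_threshold=BULK_THRESHOLD):
    """Walk the log in time order and return a list of findings for review.

    Rules applied to every entry:
      off_hours   - access outside the business-hours window
      bulk_export - an EXPORT whose record count meets the bulk threshold
      new_source  - a user seen from an IP not previously used by that account
                    (the account's first-ever IP is treated as its baseline)
    """
    findings = []
    seen_ips = defaultdict(set)
    start, end = business_hours
    for e in sorted(entries, key=lambda x: x["ts"]):
        hour = e["ts"].hour
        if hour < start or hour >= end:
            findings.append(_finding("off_hours", e, f"access at {e['ts'].time()}"))
        if e["action"] == "EXPORT" and e["count"] >= bulk_threshold:
            findings.append(_finding("bulk_export", e, f"{e['count']} records exported"))
        known = seen_ips[e["user"]]
        if known and e["src_ip"] not in known:
            findings.append(_finding(
                "new_source", e,
                f"first access from {e['src_ip']}; previously seen from {sorted(known)}"))
        known.add(e["src_ip"])
    return findings


if __name__ == "__main__":
    for f in review_activity(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']}  {f['user']:<8} {f['rule']:<12} {f['detail']}")
```

On the constructed log this produces four findings: two off-hours accesses by jsmith, the 4,500-record export by the same account at 02:19, and rlee's first appearance from 203.0.113.8. None of these is proof of compromise on its own; the point of item 5 is that someone reads the list and follows up, which is exactly the step that was missing during the sixteen months between the Consociate phishing compromise and the ransomware deployment.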

The Risk Analysis Initiative: A Sustained Enforcement Strategy

These four settlements are part of OCR’s broader Risk Analysis Initiative, which targets the persistent failure of covered entities and business associates to conduct the risk analyses that HIPAA has required since the Security Rule took effect in 2005. The fact that OCR has now completed 13 investigations specifically under this initiative signals that it is a sustained enforcement priority, not a one-off campaign.

The logic of the initiative is simple: the risk analysis is the cornerstone of the Security Rule’s requirements. If an organization hasn’t done it, all of its other security measures are built on guesswork — there is no systematic basis for knowing what threats exist, what vulnerabilities they exploit, or what controls are needed to address them. A ransomware attack that succeeds against an organization without a current risk analysis is almost by definition a foreseeable and preventable harm.

OCR’s enforcement pattern also sends a clear deterrence signal: if you experience a ransomware breach and OCR investigates, the first thing investigators will look for is your risk analysis. If you don’t have one — or if it’s outdated, superficial, or doesn’t cover the systems where the breach occurred — you are going to face a settlement.

Implications for the Healthcare Industry

The Cost of Non-Compliance Has Risen

$1.165 million across four settlements, combined with two-year corrective action plans and the indirect costs of breach response — legal fees, notification costs, IT remediation, reputational damage — makes a compelling case that the cost of non-compliance now exceeds the cost of a robust HIPAA security program. For smaller organizations that believe they can’t afford sophisticated security, OCR’s record suggests they can’t afford not to have it.

Business Associates Are Equally at Risk

The Consociate case is a clear reminder that business associates — third-party vendors, TPAs, billing companies, IT service providers, and others that handle ePHI — face the same legal exposure as covered entities. HIPAA compliance is not something that organizations can outsource along with their administrative functions.

The Threat Is Evolving, But the Fundamentals Haven’t

The specific tactics attackers use change rapidly — phishing techniques evolve, ransomware variants proliferate, and new attack vectors emerge. But the foundational defenses that OCR recommends — risk analysis, access controls, encryption, workforce training, audit controls — remain as relevant as they were when the Security Rule was written. The organizations that suffer breaches and enforcement actions are overwhelmingly not losing to sophisticated, novel attacks. They are losing to well-known threats that their security programs were not designed to resist.

The Self-Funded Health Plan Gap

The SG Health Plan case highlights a sector that may be systematically underestimating its HIPAA obligations: self-funded employer health plans. Companies across all industries sponsor these plans and are responsible for the ePHI they hold. Many do not have dedicated compliance staff, sophisticated IT security programs, or regular HIPAA training for employees who handle plan data. OCR’s enforcement action here should prompt every employer sponsoring a self-funded plan to review its HIPAA compliance posture.

The Message Is Unmistakable

OCR’s announcement of these four settlements — in the context of 19 total completed ransomware investigations and 13 completed Risk Analysis Initiative investigations — constitutes a clear and sustained enforcement message to the healthcare industry: the HIPAA Security Rule is not aspirational guidance. It is the law, and OCR is enforcing it.

The common thread across all four cases is as simple as it is damning: organizations that hold some of the most sensitive personal data in existence — medical records, diagnoses, financial identifiers, Social Security numbers — did not take the basic step of systematically assessing the risks to that data. They did not know what they had, where it was, how it could be attacked, or how to defend it. And when attackers came — as they inevitably do, in an era when ransomware groups specifically target healthcare — those organizations were not ready.

Director Stannard’s message deserves to be read as both warning and prescription: “Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”

That’s not just a regulatory admonition. It’s a statement of basic operational reality for any organization entrusted with Americans’ health information.
