HHS-OCR reaches $1.1M in HIPAA settlements following ransomware breaches

It's May. And for anyone seeking reservations at a top restaurant, one may be met with lack of availability due to proms, graduation and Mother's Day.

Again, it's May and a good time to “commence” review recent U.S. Department of Health and Human Services – Office for Civil Rights (HHS-OCR) developments. First, any reports submitted to Congress are worth reviewing; however, the last Report to Congress on Breach Notification Program and Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance details 2023 numbers, events and initiatives.

More recently, on April 23, 2026, HHS-OCR announced four (4) settlements related to the HIPAA Security Rule. Two main items stood out: (1) the lack on a comprehensive annual risk analysis; and (2) ransomware and hacking are the most common causes associated with large breaches. In total, these entities settled for over $1.1 million and each individual entity implemented a corrective action plan. (CAP) and will be monitored by HHS-OCR for two years. Notably, both covered entities and business associates were in the mix.

Here are the highlights from HHS-OCR:

Regional Women’s Health Group, LLC (“RWHG”), doing business as Axia Women’s Health, is a network of women’s health care providers in New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky. The ransomware breach affected 37,989 individuals. The types of ePHI affected by the breach included names, addresses, dates of birth, SSNs, driver’s license numbers, diagnoses or conditions, lab results, and medications. RWHG reported in December 2020 that an unauthorized third-party gained access to its IT network and potentially exfiltrated data from RWHG’s electronic medical record database housing patient ePHI. OCR’s investigation found that RWHG failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. In addition to committing to corrective actions, RWHG paid $320,000 to OCR.

Assured Imaging Affiliated Covered Entities (“Assured Imaging”) is a medical imaging and screening service provider with corporate headquarters in Arizona and California. The ransomware breach affected 244,813 individuals. The types of affected ePHI included patient names, addresses, dates of birth, diagnosis and conditions, lab results, medications, and treatment information. Assured Imaging reported in May 2020 that a server on its network was infected with ransomware. OCR’s investigation determined that Assured Imaging had impermissibly disclosed PHI, failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, and failed to timely notify affected individuals of the breach. In addition to committing to corrective actions, Assured Imaging paid $375,000 to OCR.

Consociate, Inc., doing business as Consociate Health (“Consociate”) is a third-party administrator of employee-sponsored benefit programs that provides health plan administration, plan analytics and consulting services to HIPAA covered entities as a business associate. Approximately 136,539 individuals were affected by the ransomware breach. Affected ePHI included names, addresses, dates of birth, driver’s license numbers, SSNs, credit card/bank account numbers, and diagnoses or conditions. Consociate reported in November and December 2021 that some of its information systems had been encrypted in a ransomware attack. Consociate subsequently learned that, after a successful phishing attack in July 2020, the threat actor gained access to a server that held ePHI. OCR’s investigation determined that Consociate had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Consociate. In addition to committing to corrective actions, Consociate paid $225,000 to OCR.

Star Group, L.P. Health Benefits Plan (“SG Health Plan”) is the self-funded employee benefits plan of a Connecticut-based energy provider. About 9,316 individuals were affected by the ransomware breach. Affected ePHI included names, addresses, dates of birth, SSNs, and health insurance information, such as member identification numbers, claims data, and benefit selection information. SG Health Plan reported in October 2021 that an unauthorized actor deployed ransomware on SG Health Plan’s information system and exfiltrated PHI. OCR’s investigation determined that SG Health Plan had impermissibly disclosed PHI and failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. In addition to committing to corrective actions, SG Health Plan paid $245,000 to OCR.

As I have written about for years, ensuring that adequate technical, administrative and physical safeguards are in place is critical. And, it begins with an annual risk analysis.

Rachel V. Rose, J.D., MBA, advises clients on compliance, transactions, government administrative actions and litigation involving health care, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rose can be reached through her website, www.rvrose.com.