Four Healthcare Orgs Fined for Risk Analysis Failures
Four investigations of ransomware attacks on HIPAA-regulated entities have resulted in financial penalties for HIPAA violations, according to an April 23, 2026, announcement by the HHS’ Office for Civil Rights (OCR). The fines were imposed under OCR’s latest HIPAA enforcement initiative targeting the risk analysis implementation specification of the HIPAA Security Rule, one of its key priorities, and an important one for improving cybersecurity across the healthcare and public health sector.
Too many hacking-related data breaches are being reported. While any number of healthcare data breaches is too many, with the healthcare industry targeted by a growing army of financially motivated hackers, data breaches are inevitable; however, the volume of large data breaches over the past five years is a major cause of concern. Last year, 751 large healthcare data breaches were reported to OCR, the majority of which were hacking and ransomware attacks, and similar numbers were reported each year since 2021.
All too often, these hacks and data breaches are the result of cybersecurity failures: vulnerabilities have been exploited to gain access to healthcare networks and protected health information. OCR’s investigations of data breaches and compliance audits have frequently shown that risk analyses have not been conducted or have not covered all locations where ePHI is received, created, stored, or transmitted, hence the latest enforcement initiative.
The previous enforcement initiative targeting noncompliance with the HIPAA Right of Access – which is still ongoing – has been highly successful, hammering the message home – through more than 50 financial penalties – that HIPAA-covered entities must provide patients with timely access to their medical records. It is hoped that the same successes will be achieved with the risk analysis enforcement initiative.
The latest four enforcement actions have resulted in $1,165,000 in financial penalties to resolve risk analysis violations, which led to the exposure or theft of the ePHI of more than 427,000 individuals. In each case, the settlements include a corrective action plan to address the HIPAA compliance failures identified by OCR. The enforcement actions demonstrate that HIPAA compliance is vital for all HIPAA-covered entities and business associates, regardless of their size, and that even small data breaches can attract significant financial penalties. While the scale of the breach is considered, it is the underlying compliance failures that lead to a fine. For these four enforcement actions, the breach size ranges from 9,316 individuals to 244,813 individuals.
Assured Imaging HIPAA Settlement
The biggest settlement was agreed with the medical imaging and screening service provider Assured Imaging, which has corporate locations in Arizona and California. The May 2020 ransomware attack exposed the ePHI of 244,813 individuals, which may also have been stolen in the attack.
Concerningly, OCR’s investigation revealed Assured Imaging had never conducted a risk analysis and then failed to notify the affected individuals within 60 days, as required by the HIPAA Breach Notification Rule. The alleged HIPAA violations, which include an impermissible disclosure of the ePHI of 244,813 individuals, were settled with a $375,000 financial penalty, a corrective action plan, and compliance monitoring for 2 years.
Regional Women’s Health Group (Axia Women’s Health) HIPAA Settlement
Regional Women’s Health Group in New Jersey, part of Axia Women’s Health, fell victim to a ransomware attack in December 2020, which exposed the ePHI of 37,989 individuals. OCR determined that there had been a failure to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI. The case was settled with a $320,000 financial penalty, a corrective action plan, and compliance monitoring for 2 years.
Star Group, L.P. Health Benefits Plan HIPAA Settlement
Star Group L.P. Health Benefits Plan, a self-funded employee benefits plan for a Connecticut-based energy provider, notified OCR in October 2021 about a ransomware attack involving the theft of the ePHI of 9,316 plan members. OCR’s investigation determined that the benefits plan had failed to conduct a comprehensive and accurate risk analysis, resulting in the impermissible disclosure of the ePHI of 9,316 individuals. The case was settled with a $245,000 financial penalty, a corrective action plan, and 2 years of compliance monitoring.
Consociate Health HIPAA Settlement
Consociate Health, a third-party administrator of employer-sponsored health plans and a HIPAA business associate of those health plans, experienced a phishing attack in July 2020, resulting in unauthorized access to its network. Six months later, as a direct result of that initial compromise, ransomware was deployed on its network. The ePHI of 136,539 individuals was compromised in the incident. OCR determined that Consociate Health had failed to conduct a comprehensive and accurate risk analysis. The case was settled with a $225,000 financial penalty, a corrective action plan, and 2 years of compliance monitoring.
“Hacking and ransomware are the most frequent type of large breach reported to OCR,” said OCR Director Paula M. Stannard. “Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”
