On April 17, 2025, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $25,000 settlement with the Guam Memorial Hospital Authority (GMHA) over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). This marks the first publicly announced HIPAA enforcement action under the current administration, the eleventh OCR enforcement action involving ransomware, and the seventh settlement under OCR’s ongoing HIPAA Risk Analysis Initiative.
Complaint describing ransomware attack followed by breach complaint
OCR initiated its investigation of GMHA in response to a January 2019 complaint. The complainant alleged that the hospital had suffered a ransomware attack in December 2018 that impacted the electronic protected health information (ePHI) of approximately 5,000 individuals.
While the investigation was ongoing, a second complaint to OCR in March 2023 alleged that two former hospital employees were still able to access GMHA’s systems after their employment had ended. Access that survives termination points to a failure of the hospital’s user access and termination procedures, and it raised additional concerns about access controls that further prompted OCR to scrutinize GMHA’s security practices.
Corrective Action Plan underscores OCR’s Security Rule priorities
The three-year Corrective Action Plan (CAP) imposed on GMHA highlights OCR’s continued emphasis on foundational HIPAA Security Rule compliance. GMHA must conduct a comprehensive, enterprise-wide risk analysis of its ePHI, implement a risk management plan to address the vulnerabilities that analysis identifies, and revise its policies and procedures for access controls and information system activity review. Workforce training on the updated policies and procedures is also required.
Compared to other recent CAPs in OCR’s Risk Analysis Initiative, GMHA’s is narrower in scope. Northeast Radiology, P.C.’s recent settlement included additional technical specifications related to imaging systems; Elgon Inc.’s emphasized third-party vendor risks and log review; and VPN Solutions faced more aggressive oversight, including biannual reporting.
These differences in CAPs likely stem from the unique circumstances of each case, such as the type of breach, the entity’s size and operations, and the specific vulnerabilities identified during OCR’s investigation, all of which influence the scope and intensity of the required remediation. Nonetheless, GMHA’s CAP reflects the core elements seen across recent OCR actions: security risk analysis, policy updates, and workforce training. It serves as another reminder that HIPAA compliance failures, particularly around access management and risk assessment, continue to be high priorities for OCR enforcement.
Key takeaways: Continued emphasis on risk management
This settlement highlights OCR’s ongoing focus on ensuring that HIPAA-regulated entities prioritize comprehensive security risk management, particularly in safeguarding ePHI. As OCR enforcement continues under the current administration, this settlement shows that maintaining robust security measures and conducting thorough risk analyses remain central to OCR’s enforcement strategy. Healthcare providers, health plans, and healthcare vendors should remain vigilant in addressing potential vulnerabilities through regular security risk assessments, timely removal of access when workforce members depart, and workforce training. Mitigating risks to ePHI not only helps prevent enforcement actions but also reduces the likelihood of data breaches, which can lead to costly legal repercussions and reputational damage. Proactive compliance is the best defense against both regulatory penalties and litigation risk.