On April 23, 2026, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced settlements with four different HIPAA-regulated entities following separate ransomware investigations.
Though unrelated, the four incidents impacted over 427,000 individuals and resulted in over $1 million in financial settlements. All four entities agreed to enter into corrective action plans, subjecting them to OCR monitoring for two years.
The announcement marks 13 completed investigations in OCR’s Risk Analysis Initiative and 19 completed investigations of ransomware breaches.
Four settlements involving ransomware attacks
Regional Women’s Health Group, LLC dba Axia Women’s Health
Regional Women’s Health Group, LLC d/b/a Axia Women’s Health (RWHG), a multi-state network of women’s healthcare providers, reported in December 2020 that an unauthorized third-party gained access to its systems and potentially exfiltrated electronic protected health information (ePHI). Almost 38,000 individuals were impacted. Following OCR’s investigation, it was determined that RWHG failed to conduct an accurate and thorough security risk analysis.
Assured Imaging Affiliated Covered Entities
Assured Imaging Affiliated Covered Entities (Assured Imaging), a medical imaging and screening service based in Arizona and California, reported that its network server was infected with ransomware in May 2020, affecting 244,813 individuals. OCR concluded that, in addition to failing to conduct an accurate and thorough risk analysis, Assured Imaging impermissibly disclosed ePHI and failed to notify affected individuals of the breach in a timely manner.
Consociate, Inc., dba Consociate Health
Consociate, Inc. dba Consociate Health (Consociate) is a third-party administrator of employer-sponsored benefits programs that provides services to HIPAA covered entities as a business associate. Consociate discovered that a successful phishing attack in July 2020 escalated to a ransomware deployment in November and December 2021 that left some of its information systems encrypted and impacted over 135,000 individuals. OCR determined that Consociate failed to conduct an accurate and thorough risk analysis.
Star Group, L.P. Health Benefits Plan
The self-funded employee benefits plan of a Connecticut-based energy provider, Star Group, L.P. Health Benefits Plan (SG Health Plan), reported in October 2021 that a ransomware attack caused ePHI to be exfiltrated from its information system. OCR’s investigation determined that SG Health Plan not only failed to conduct an accurate and thorough risk assessment but also impermissibly disclosed ePHI. The incident impacted 9,316 individuals.
Risk management is essential
In April 2026, OCR released a guidance video titled “Risk Management Under the HIPAA Security Rule” in which Nicholas Heesters, Senior Advisor for Cybersecurity at OCR, provides practical education to HIPAA-regulated entities about the risk management requirement of the HIPAA Security Rule. The release fits into a broader pattern of OCR video guidance for the healthcare industry. OCR previously published a presentation titled “How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks,” which covers OCR breach and investigation trends and weaknesses identified during OCR investigations. The new risk management video complements the prior video by delving into the specific HIPAA Security Rule obligation to identify, assess, and mitigate risks to ePHI.
In the press release announcing the four recent settlements, OCR Director Paula M. Stannard emphasized that “[h]acking and ransomware are the most frequent type of large breach reported to OCR.” She echoed the message from the guidance video, stating that “[p]roactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”
Practical takeaways for HIPAA-regulated entities
These settlements reinforce several points the guidance video and OCR’s broader guidance emphasize: (1) a documented enterprise-wide security risk analysis covering all ePHI is now effectively the first thing OCR looks for after a ransomware incident; (2) OCR enforcement under the Risk Analysis Initiative spans all types of HIPAA-regulated entities, so business associates (like Consociate) and self-funded employee health plans (like SG Health Plan) can be subject to enforcement just like any large health system or commercial health plan; (3) breaches resulting from ransomware attacks are subject to enforcement even if the affected population is relatively small; and (4) breach notification timeliness remains a separate, “stackable” violation, as illustrated by OCR’s settlement with Assured Imaging. The mitigations OCR recommended in its press release track the administrative safeguards the video is intended to support, including organization-specific, role-based workforce training and periodic review and updating of security measures.