March 6, 2026

They say a mistake ignored is a disaster in the making. For one dental software provider, a 2020 breach became a 15-million-patient nightmare in 2026. MMG Fusion LLC, a dental marketing software business in Maryland, is in the crosshairs of the Office for Civil Rights (OCR) and the subject of the latest HIPAA enforcement action. MMG agreed to a $10,000 settlement and a 3-year Corrective Action Plan (CAP). The settlement, the 12th enforcement action in the OCR Risk Analysis Initiative, highlights the importance of completing a thorough Security Risk Analysis (SRA), proper breach notification, and choosing the right Business Associate (BA).

What Happened?

In December 2020, a malicious actor infiltrated MMG’s systems. Over 15 million patients’ Protected Health Information (PHI) was exposed in the cybercrime and leaked to the dark web. Under the HIPAA Breach Notification Rule, a BA must notify affected Covered Entities (here, the dental practices) within 60 days of discovering a breach. However, the OCR did not learn about this 2020 incident until a complaint was filed in March 2023, more than two years later.

The investigation uncovered a critical flaw: MMG Fusion lacked a compliant Security Risk Analysis. An SRA is a comprehensive review of an organization’s physical, technical, and administrative safeguards for protecting PHI. A thorough SRA likely would have identified the very system vulnerabilities that the hackers exploited in 2020.

Although the OCR factored in MMG’s “small business” status when determining the $10,000 fine, that amount does not account for the years the investigation took, or the accumulated legal costs, stress, and reputational damage incurred before the fine was made public. MMG will also need to report to the OCR for 3 years under the CAP.
Streamline Your Compliance

This case highlights three non-negotiable pillars for every HIPAA-regulated entity: compliant HIPAA risk assessments, timely breach notification to the OCR and impacted parties, and choosing the right business partner to handle your sensitive information. Managing vendors and staying on top of SRAs is overwhelming for a busy healthcare organization. Modern software solutions automate the SRA process and generate compliant Business Associate Agreements (BAAs) for Covered Entities and BAs to use, ensuring both parties are held accountable.

Ready to learn more? Meet with an expert today!
