May 4, 2026

Quick Guide: The Office for Civil Rights (OCR) just issued a massive wake-up call, announcing four simultaneous settlements totaling $1,165,000.

The Stats You Need to Know

76%: The percentage of large healthcare breaches now caused by hacking/IT incidents.
427,000+: Total number of patients impacted across these four recent settlements.
264%: The increase in ransomware-related breaches reported to the OCR since 2018.

The Office for Civil Rights (OCR) just announced a flurry of investigation settlements. At the root of all four: ransomware. Ransomware attacks continue to target healthcare facilities. As of last year, the OCR found that 76% of large breaches are due to hacking and IT shortcomings. Unfortunately, healthcare information is a goldmine for hackers, exposing sensitive data that can lead to identity theft, financial fraud, and compromised patient care.

Breakdown & Lessons Learned

Regional Women’s Health Group (Axia)

The first settlement concerned the Regional Women’s Health Group (Axia), an OBGYN network spanning five states. The organization submitted a breach report following a cyberattack that exposed the data of over 37,000 patients. The settlement resulted in a $320,000 fine and a 2-year Corrective Action Plan (CAP).

The Lesson: The OCR didn’t fine them simply for being hacked; the settlement was reached because the organization failed to conduct a “thorough and accurate” Security Risk Analysis (SRA). If you don’t know where your vulnerabilities are, you can’t patch them. Unfortunately, attackers count on this negligence and exploit it.

Assured Imaging

This was the largest of the four fines, affecting a staggering 244,813 individuals. When a ransomware infection hit its servers, Assured Imaging, a medical imaging enterprise, reported a breach to the OCR. After a long investigation (the initial cyberattack occurred in 2020), the case resulted in a $375,000 settlement and a 2-year CAP.

The Lesson: Beyond the initial ransomware attack, the investigation found that Assured had never completed an SRA. Additionally, the organization did not notify patients within 60 days of discovering the breach. This is a direct violation of the Breach Notification Rule, which exists so that patients can take control and mitigate their risks as quickly as possible.

Consociate Health

Consociate Health is the only Business Associate (BA) fined among the four. BAs continue to be under the OCR’s microscope and may need to follow stricter requirements when handling patient data. Their breach started with a phishing attack that eventually led to the encryption of systems holding data for over 136,000 people. The BA discovered the ransomware six months after the initial phishing attack. Upon further investigation by the OCR, the SRA was found to be insufficient. The organization paid a $225,000 settlement and entered into a 2-year CAP.

The Lesson: Human error (phishing) is the most common entry point for ransomware. Constant employee training is just as important as a strong firewall. Additionally, the fact that a BA doesn’t work directly with patients doesn’t relieve it of the responsibility to keep patient data secure.

SG Health Plan

Even employee benefit plans are regulated under the Health Insurance Portability and Accountability Act (HIPAA). SG Health Plan, associated with a Connecticut energy provider, reported that the data of 9,316 members was exposed following a ransomware attack. The investigation found that the organization had not completed an extensive SRA. The benefit plan entered a settlement with the OCR for $245,000 and a 2-year CAP.

The Lesson: This settlement highlights that HIPAA applies to corporate health plans just as much as it does to traditional healthcare providers. Additionally, every organization that handles Protected Health Information (PHI) must complete an SRA.

The Bottom Line

The OCR isn’t fining practices for suffering ransomware attacks, but for being ill-prepared. However, ensuring that your organization protects patient data and complies with HIPAA is easier said than done. Proactively implementing the HIPAA Security Rule is your opportunity to mitigate the impact of a cyberattack. Waiting until the ransom note appears on your screen is a million-dollar mistake.

Want to see what you might be missing? Run a 5-Minute HIPAA Gap Assessment and protect your practice today!
