July 9, 2025
Handling a HIPAA investigation is stressful enough. Add a ransomware attack in the mix? A HIPAA nightmare.
The Office for Civil Rights (OCR) announced its first fine under the latest Director, Paula M. Stannard—a behavioral health organization fined $225,000 and placed under a two-year Corrective Action Plan (CAP).
This fine was the culmination of several violations, but at its core was the lack of a Security Risk Analysis (SRA).
This latest enforcement highlights the OCR’s ongoing heightened enforcement and the importance of a thorough, proactive compliance program before issues occur.
What Happened?
The behavioral health provider, Deer Oaks, a Texas-based Covered Entity, was first investigated in May 2023 following a patient complaint.
It was discovered that a pilot program for an online patient portal wasn’t properly coded, publicly exposing 35 patients’ Protected Health Information (PHI). This PHI included sensitive discharge paperwork and medical assessments that were easily accessible online.
Unfortunately, this was only the beginning of the investigation for Deer Oaks. The OCR expanded its investigation when the behavioral health provider faced a ransomware attack in August 2023.
A malicious actor used a compromised account and held over 170,000 patients’ information for ransom. While there is no confirmation of whether the provider paid the ransom, improper account security led to this massive breach.
With two major HIPAA breaches within three months, the OCR didn’t have to dig deep to find the common thread: the missing SRA.
The SRA is a thorough assessment of potential vulnerabilities a practice might face. In this situation, an SRA could have identified the employee portal or account password management as a concern. This would allow the practice to address these issues proactively.
From the initial investigation triggered by a patient complaint in May 2023 to the ransomware breach in August, the OCR fined the practice nearly a quarter of a million dollars and mandated two years of government oversight. These costly few months served as a valuable lesson in proactive compliance.
Protecting Your Practice
A lapse in compliance, no matter how short, can lead to serious consequences. That’s why proactive compliance is essential.
Need a wake-up call? Over $7 million in fines have been levied since the beginning of 2025. The OCR has heightened its enforcement, already eclipsing the number of penalties from last year.
As the OCR continues enforcing HIPAA legislation, a robust compliance program is vital for your practice’s success.
With the right solution, your practice can streamline HIPAA compliance and easily complete requirements, like the SRA, without disrupting your practice’s workflow.
Meet with a compliance expert today to learn more about streamlining HIPAA compliance for your practice.