HHS settles HIPAA investigation into MMG Fusion breach affecting 15M
Tshedimoso Makhene
March 10, 2026
The U.S. Department of Health and Human Services Office for Civil Rights has reached a settlement with MMG Fusion, a healthcare technology company that provides patient engagement and communication platforms, following a data breach that exposed the protected health information of approximately 15 million individuals.
What happened
The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has reached a settlement with MMG Fusion over alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) following a large data breach that exposed the protected health information (PHI) of approximately 15 million individuals.
Under the settlement agreement, MMG Fusion agreed to pay $10,000 and implement a corrective action plan that will be monitored by OCR for three years.
The backstory
According to BankInfo Security, the breach occurred in December 2020 when an unauthorized actor infiltrated MMG Fusion’s information systems and accessed patient data. The compromised information included names, phone numbers, mailing addresses, email addresses, dates of birth, and medical appointment details.
OCR launched its investigation in March 2023 after receiving a complaint about an unreported security incident and the appearance of PHI on the dark web.
Going deeper
OCR’s investigation found several potential HIPAA violations, including:
- Impermissible disclosure of PHI affecting about 15 million individuals
- Failure to conduct an accurate and thorough risk analysis of electronic PHI
- Failure to notify affected covered entities about the breach
These findings suggest noncompliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. As part of the corrective action plan, MMG Fusion must:
- Conduct a comprehensive risk analysis to identify vulnerabilities in its systems
- Develop and implement a risk management plan
- Create and maintain written HIPAA privacy and security policies
- Train workforce members on HIPAA compliance
- Conduct a breach risk assessment and notify affected healthcare clients where possible
OCR will oversee the company’s compliance with these measures for the next three years.
What was said
Paula M. Stannard stressed that organizations must report breaches promptly and take proactive steps to strengthen their cybersecurity practices. She said, “When a breach occurs, business associates must notify affected covered entities without unreasonable delay and within 60 calendar days of discovery.” Stannard added that timely notification is essential because it allows healthcare organizations to meet their own legal obligations to notify regulators and affected individuals.
She also stressed that conducting a thorough risk analysis is critical for strengthening cybersecurity as cyberattacks against healthcare organizations become more common, noting, “Risk analysis is a critical step in identifying vulnerabilities and preventing breaches that can compromise patients’ protected health information.”
In the know
Under the HIPAA Breach Notification Rule, organizations must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach. Breaches affecting 500 or more individuals must also be reported to the U.S. Department of Health and Human Services Office for Civil Rights within the same timeframe. Additionally, according to a Paubox report, the average time to detect and contain a healthcare data breach is 10 months.
In the MMG Fusion case, the breach occurred in December 2020; however, regulators only started investigating it in 2023, after learning that PHI had appeared on the dark web and that the incident may not have been properly reported. The case illustrates how delays in identifying and reporting breaches can trigger investigations and enforcement actions.
When notifications are delayed, affected individuals may miss the opportunity to take steps such as monitoring accounts or changing credentials, increasing the risk of identity theft and fraud.
Why it matters
According to Paula M. Stannard, the case reminds covered entities to take HIPAA compliance seriously and ensure patient information is properly protected. As she explains, “This settlement underscores the need for business associates to ensure they are fulfilling their HIPAA obligations to safeguard electronic protected health information.”
FAQs
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals, regulators, and sometimes the media when a breach of unsecured PHI occurs.
What happens if an organization fails to report a breach?
Failure to report a breach may lead to investigations, financial penalties, and corrective action plans that require organizations to improve their security and compliance practices.
What is a corrective action plan in a HIPAA settlement?
A corrective action plan is a set of required steps an organization must take to address compliance failures. These steps may include conducting risk assessments, updating policies, and training staff.