OCR settles four HIPAA ransomware cases affecting 427k

On April 23, 2026, the HHS Office for Civil Rights announced four HIPAA Security Rule settlements tied to separate ransomware investigations affecting more than 427,000 individuals.

What happened

The cases involved Regional Women’s Health Group, doing business as Axia Women’s Health; Assured Imaging Affiliated Covered Entities; Consociate, doing business as Consociate Health; and Star Group, L.P. Health Benefits Plan. OCR said the breaches exposed unsecured electronic protected health information, including demographic data, Social Security numbers, financial information, lab results, medications, diagnoses or conditions, driver’s license numbers, treatment information, claims data, and health insurance details.

The settlements totaled $1,165,000, with each organization also agreeing to a corrective action plan monitored by OCR for two years. OCR’s investigations repeatedly found failures to conduct an accurate and thorough risk analysis to identify risks and vulnerabilities to electronic protected health information. In some cases, OCR also found impermissible protected health information (PHI) disclosures and delayed breach notification.

The announcement brings OCR’s completed ransomware breach investigations to 19 and its completed Risk Analysis Initiative investigations to 13, reinforcing OCR’s position that risk analysis, audit controls, authentication, encryption, workforce training, and incident lessons learned remain central HIPAA Security Rule expectations.

The background

Regional Women’s Health Group, LLC

Regional Women’s Health Group, LLC (RWHG), doing business as Axia Women’s Health, reported a ransomware breach in December 2020 after an unauthorized third party gained access to its IT network. The incident potentially involved data exfiltrated from an electronic medical record database containing patient electronic protected health information.

The breach affected 37,989 individuals and involved names, addresses, dates of birth, Social Security numbers, driver’s license numbers, diagnoses or conditions, lab results, and medications. OCR’s investigation found that RWHG failed to conduct an accurate and thorough risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI (ePHI).

Assured Imaging Affiliated Covered Entities

Assured Imaging Affiliated Covered Entities reported a ransomware incident in May 2020 after a server on its network was infected. The medical imaging and screening provider, headquartered in Arizona and California, had a breach affecting 244,813 individuals. OCR said the affected ePHI included patient names, addresses, dates of birth, diagnoses and conditions, lab results, medications, and treatment information. OCR’s investigation determined that Assured Imaging had impermissibly disclosed PHI, failed to conduct an accurate and thorough risk analysis, and failed to notify affected individuals of the breach in a timely manner.

Consociate, Inc.

Consociate, Inc., doing business as Consociate Health, reported ransomware activity in November and December 2021 after some of its information systems were encrypted. Consociate acts as a third-party administrator of employee-sponsored benefit programs and provides health plan administration, plan analytics, and consulting services to HIPAA covered entities as a business associate. The breach affected about 136,539 individuals. OCR said Consociate later learned that, after a successful phishing attack in July 2020, the threat actor gained access to a server holding ePHI.

Star Group, L.P. Health Benefits Plan

Star Group, L.P. Health Benefits Plan is the self-funded employee benefits plan of a Connecticut-based energy provider. It reported a ransomware breach in October 2021 after an unauthorized actor deployed ransomware on its information system and exfiltrated PHI. The breach affected about 9,316 individuals and involved names, addresses, dates of birth, Social Security numbers, and health insurance information, including member identification numbers, claims data, and benefit selection information.

What was said

In the HHS press release, OCR Director Paula M. Stannard noted, “Hacking and ransomware are the most frequent type of large breach reported to OCR. Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”

Why it matters

The common thread was not just that ransomware occurred. OCR repeatedly found failures to conduct an accurate and thorough risk analysis, which is a core Security Rule requirement. The timing also matters because healthcare ransomware is escalating. Paubox’s 2025 Healthcare Email Security Report analyzed 180 email-related healthcare breaches and reported a 264% increase in ransomware attacks targeting healthcare since 2018.

A JAMA Network Open study frames the risk plainly, noting that ransomware attacks increasingly threaten health care operations. The settlements, therefore, reinforce OCR’s message that covered entities and business associates cannot treat risk analysis, audit controls, authentication, encryption, breach notification, and workforce training as paperwork.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What is a HIPAA risk analysis?

A HIPAA risk analysis is an accurate and thorough assessment of the risks and vulnerabilities that could affect ePHI. OCR’s ransomware settlements show that failing to conduct a proper risk analysis can become a major enforcement issue after a breach.

Why does the Security Rule matter during ransomware attacks?

The Security Rule matters because ransomware often targets systems that store or transmit ePHI.

Does the Security Rule require encryption?

The Security Rule does not treat encryption as a one-size-fits-all requirement in every situation, but OCR recommends encrypting ePHI in transit and at rest when appropriate.
