The HHS Office for Civil Rights settled with Spencer Gifts, a retail chain best known for novelty items and mall kiosks, not medical care. By 2021, a ransomware attack exposed the protected health information (PHI) of 10,023 members, and the plan paid $450,000. The settlement was OCR’s 20th ransomware enforcement action and its 14th settlement under OCR’s Risk Analysis Initiative.

A retail company’s employee benefits plan is not where most compliance teams expect federal HIPAA enforcement to land. It is precisely the point OCR wants regulated entities to notice. OCR’s Risk Analysis Initiative and its recent ransomware settlements show that failure to conduct an accurate and thorough risk analysis has become a recurring basis for HIPAA enforcement. A massive part of this is a documented risk analysis that is accompanied by the steps covered under OCR guidance.

 

Why risk analysis keeps showing up

A similar pattern in Paubox’s coverage of a previous set of OCR ransomware settlements involved four cases settled together in April 2026, impacting more than 427,000 individuals. The recurring finding across the cases was the missing or inadequate risk analysis. Ransomware attacks targeting healthcare have increased by 264% since 2018, according to Paubox’s analysis of 180 email-related healthcare breaches in its 2025 Healthcare Email Security Report. OCR is not treating ransomware solely as an external event that happened to a regulated entity. The attack may trigger the investigation, but the enforcement finding often centers on whether the organization had already conducted an accurate and thorough risk analysis and implemented appropriate safeguards.

 

Many organizations already have a document labeledrisk analysis

What OCR keeps discovering is the gap between that document and the real organization environment. A generic annual template, filled out once a year and kept in a compliance folder, does not tell an investigator where electronic PHI (ePHI) actually lives, what vendors touch it, who has credentials to access it remotely, or what happens when an employee cannot access the VPN.

The gap can be in recent survey data on third party access. Of the 209 healthcare delivery organizations surveyed across multiple countries, 51.1% maintained a comprehensive inventory of third parties with network access, while 60% said third-party access to sensitive or confidential information was not routinely monitored.

There is the same disconnect within organizations and with their vendors. According to a survey of 170 healthcare IT leaders in the US conducted by Paubox’s Healthcare Email Security Maturity Index, all of those surveyed rated their own breach detection as either excellent or good. Despite that self-assessment, 58% of those organizations had been breached through email during the previous 24 months, and 23% had been breached more than once.

 

What a defensible risk analysis actually documents

Based on OCR’s guidance and the pattern across recent settlements, a defensible risk analysis should be specific to the organization’s actual environment. Useful documentation may include the following:

  • An asset inventory of all systems, applications, devices, and cloud services that create, receive, maintain, or transmit ePHI, current and not an image of the environment from three years ago.
  • A listing of your vendors and business associates that details which third parties have access to which data, whether a business associate agreement is in place, and how that access is monitored.
  • A map of credentials and access that shows who has privileged accounts, which accounts have multi-factor authentication, and which accounts do not.
  • The log of remote access pathways (VPN, remote monitoring tools, etc.) identifies common points of entry that attackers use once a credential is compromised or an access tool itself is compromised.
  • An ePHI flow map illustrating how data enters the organization, moves between systems, and exits the organization via email, patient portals, and vendor integrations.
  • A remediation log, with tracking of each identified risk to an owner, a deadline and evidence the fix was completed.

Where secure communication fits, and where it does not

Email is one of the transmission pathways that should be considered in an ePHI flow map. OCR recommends encrypting ePHI in transit and at rest when appropriate. Encryption can mitigate particular risks identified through the analysis, but it does not eliminate the need for risk analysis, access controls, authentication, monitoring, or vendor oversight.

A secure email and a secure workflow are not the same type of control. Encrypting a message in transit protects that message. It does not account for who can access the mailbox, how attachments are handled downstream, or whether the recipient's own systems are part of the organization's documented ePHI flow. Tools like Paubox's HIPAA compliant email encryption can address the email transmission pathway identified in a risk analysis, but the risk analysis itself and the inventory of systems and vendors it depends on have to exist first.

 

FAQs

What usually triggers an OCR investigation?

An OCR investigation can begin after a reported breach, a patient complaint, a referral from another agency, or information OCR identifies through its own compliance reviews.

 

Is a ransomware attack automatically a HIPAA violation?

Being attacked does not automatically mean an organization violated HIPAA. OCR examines how the organization prepared for the risk, whether it conducted an accurate and thorough risk analysis.

 

How often should a HIPAA risk analysis be updated?

HIPAA does not set a fixed annual deadline, but the analysis should be reviewed and updated when the organization’s environment changes.