What ransomware settlements reveal about OCR investigations

When federal investigators arrive after a ransomware breach, most healthcare organizations assume the investigation will focus on the attack: how the attacker got in, what they took, and how quickly the breach was contained. What OCR's April 2026 announcement of four simultaneous ransomware settlements makes clear is that investigators arrive with a different priority in mind. Before examining the attacker's methods and reviewing the organization's incident response, they look for a document that HIPAA has required since 2005: an accurate, thorough, enterprise-wide security risk analysis. In all four cases, covering four unrelated organizations in different states, affecting populations ranging from 9,316 to 244,813 individuals, the document was either absent or inadequate. The penalties, totaling $1,165,000 across the four settlements, followed directly from that finding.

OCR Director Paula M. Stannard framed the agency's position in the announcement, stating, "Hacking and ransomware are the most frequent types of large breach reported to OCR. Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation is not only the law but also is a regulated entity's best opportunity to prevent or mitigate the harmful effects of a successful cyberattack."

The four cases and what investigators found

Regional Women's Health Group, operating under the Axia Women's Health name across New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky, reported in December 2020 that an unauthorized third party had gained access to its IT network and potentially exfiltrated data from its electronic medical record database, exposing the names, addresses, dates of birth, Social Security numbers, driver's license numbers, diagnoses, lab results, and medications of 37,989 individuals. OCR's investigation identified one primary failure: the organization had not conducted an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. The settlement reached $320,000.

Assured Imaging, a medical imaging and screening provider headquartered across Arizona and California, reported in May 2020 that a server on its network had been infected with ransomware, exposing the names, addresses, diagnoses, lab results, medications, and treatment information of 244,813 individuals, the largest breach of the four. OCR's investigation found the absent risk analysis, an impermissible disclosure of PHI, and a separate violation that is worth examining closely: Assured Imaging failed to notify affected individuals within the required timeframe under the HIPAA Breach Notification Rule. Breach notification lateness is a stackable violation, meaning it compounds the penalties from the underlying security failure rather than being absorbed into the same settlement. The total reached $375,000.

Consociate Health, a third-party administrator of employee-sponsored benefit programs, reported in late 2021 that some of its information systems had been encrypted by ransomware, exposing names, addresses, Social Security numbers, credit card and bank account numbers, and medical diagnoses belonging to 136,539 individuals. OCR's investigation revealed something that the breach report itself had obscured: the attacker had first gained access to Consociate's systems through a successful phishing attack in July 2020, sixteen months before the ransomware was deployed. During those sixteen months, the attacker had quiet, undetected access to a server holding ePHI, access that adequate activity monitoring, itself a Security Rule requirement that should have been identified through a proper risk analysis, would have been designed to detect. The settlement reached $225,000.

SG Health Plan, the self-funded employee benefits plan of a Connecticut energy provider, reported in October 2021 that ransomware had been deployed and PHI exfiltrated, affecting 9,316 individuals whose names, addresses, Social Security numbers, member IDs, claims data, and benefit information were exposed. OCR's investigation found the same absent risk analysis, plus an impermissible disclosure. The settlement reached $245,000.

Why the Consociate timeline matters more than the penalty

The sixteen-month gap between Consociate's phishing compromise and the ransomware deployment is the most instructive detail across all four cases, because it shows what an undetected breach looks like in practice and why the risk analysis requirement exists beyond mere compliance.

A security risk analysis that identifies where ePHI lives and how it flows through the organization's systems is the foundation from which all other Security Rule requirements are derived. Without it, organizations cannot know which systems require audit controls, which access points need authentication, or which data flows require encryption. The absence of a documented risk analysis at Consociate meant the absence of the monitoring infrastructure that would have detected an active attacker operating on the network for more than a year. According to Paubox's 2025 Healthcare Email Security Report, only 5% of known phishing attacks are reported by employees to security teams, which means the phishing email that gave Consociate's attacker initial access in July 2020 almost certainly went unreported by the person who clicked it. What should have caught that attacker in the months that followed was technology, specifically, the audit logging and activity monitoring that a proper risk analysis would have flagged as necessary.

According to Paubox's 2025 Mid-Year Email Breach Data report, failure to conduct an adequate enterprise-wide risk analysis has been cited in more than 75% of HIPAA resolution agreements involving security incidents from 2020 to 2024. The Consociate case is not unusual; it is representative.

What the Risk Analysis Initiative signals about enforcement direction

These four settlements mark OCR's 19th completed ransomware investigation and its 13th under the Risk Analysis Initiative, a targeted enforcement strategy the agency launched specifically to address what it found consistently after breaches: organizations that had been attacked and had never documented the security posture that should have protected them. According to Nixon Peabody's legal analysis of the four settlements, a documented enterprise-wide risk analysis covering all ePHI is now effectively the first thing OCR looks for after a ransomware incident, and the organization's best outcome in any subsequent investigation is a negotiated settlement, which requires demonstrating genuine remediation rather than just paying the penalty.

Two aspects of the initiative's reach deserve particular attention. The first is that the scale of the breach does not determine whether OCR investigates or penalizes. SG Health Plan's 9,316 affected individuals produced a $245,000 settlement and a two-year corrective action plan. The second is that business associates are subject to the same enforcement as covered entities: Consociate is a third-party administrator with no direct patient care relationship, and OCR investigated, penalized, and placed it under monitoring regardless. Any organization that touches ePHI on behalf of a covered entity carries identical Security Rule obligations and faces identical enforcement risk.

Analysis from Shook Hardy & Bacon of broader OCR enforcement patterns found that OCR collected $9.4 million in HIPAA penalties from the start of 2024 through early 2025, with the Security Rule involved in 15 of the 20 enforcement matters reviewed. Organizations that settled informally paid roughly 18% less on average than those that proceeded to adjudication, a difference that shows the practical value of early engagement and demonstrated remediation effort rather than a reduced consequence for the underlying violation.

What the corrective action plans actually require

Every settlement included a two-year corrective action plan subject to OCR monitoring, and the requirements within those plans are worth examining because they reveal what OCR considers the minimum acceptable baseline after a breach investigation. Each organization must conduct an accurate and thorough enterprise-wide risk analysis and use its findings to develop and implement a documented risk management plan, ensure audit controls are in place to record and examine system activity and that those logs are reviewed regularly, implement mechanisms to authenticate users accessing ePHI, encrypt ePHI both in transit and at rest, and provide regular HIPAA training tailored to specific workforce roles rather than generic compliance instruction.
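The audit-control requirement above, and the sixteen months of undetected access in the Consociate case, come down to whether anyone is actually reviewing activity on the systems that hold ePHI. The following is an added example, not code from the article or from Paubox, of a minimal review pass over constructed access-server log lines. The log format, the accounts, the addresses and the thresholds are all constructed for illustration; the three checks (a login from a source network never seen for that account, an account that resumes activity after a long dormant period, and a session that reads an unusually large number of records) are generic starting points for the "record and examine system activity" control, not OCR's prescribed method.

```python
"""
Added example (not from the article, and not Paubox code): a minimal
audit-log review of the kind the corrective action plans require, run over
constructed ePHI access-server log lines. It flags three things a reviewer
would want to see early: a login from a source network never seen for that
account, an account that resumes activity after a long dormant period, and a
session that reads an unusually large number of patient records.
The log format, accounts, addresses and thresholds are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log. Fields: timestamp, account, event, source IP,
# records read ("-" for non-read events).
SAMPLE_LOG = """\
2020-06-01T09:02:11 jdoe LOGIN 10.20.1.15 -
2020-06-01T09:05:40 jdoe READ 10.20.1.15 12
2020-06-02T08:58:03 jdoe LOGIN 10.20.1.15 -
2020-06-02T09:30:12 jdoe READ 10.20.1.15 9
2020-06-03T14:10:00 asmith LOGIN 10.20.2.40 -
2020-06-03T14:12:33 asmith READ 10.20.2.40 4
2020-07-14T23:47:19 jdoe LOGIN 203.0.113.77 -
2020-07-14T23:51:02 jdoe READ 203.0.113.77 1850
2020-11-20T03:15:44 asmith LOGIN 10.20.2.40 -
2020-11-20T03:16:10 asmith READ 10.20.2.40 6
"""

INTERNAL_NETWORKS = [ip_network("10.20.0.0/16")]  # constructed corporate range
BULK_READ_THRESHOLD = 500  # records per session; constructed, tune per role
DORMANT_DAYS = 90          # inactivity gap that makes an account "dormant"


def parse_log(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, ip, count = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "event": event,
            "ip": ip_address(ip),
            "count": 0 if count == "-" else int(count),
        })
    return sorted(events, key=lambda e: e["ts"])


def source_label(ip):
    """Collapse internal addresses to one label so a new desk IP is not an alert."""
    for net in INTERNAL_NETWORKS:
        if ip in net:
            return "internal"
    return str(ip)


def review_audit_log(text):
    """Return (account, finding, timestamp) tuples in chronological order."""
    events = parse_log(text)
    seen_sources = defaultdict(set)   # account -> source labels seen so far
    last_seen = {}                    # account -> timestamp of last event
    session_reads = defaultdict(int)  # account -> records read this session
    bulk_flagged = set()              # accounts already flagged this session
    findings = []
    for e in events:
        acct, ts = e["account"], e["ts"]
        # Long silence followed by activity is how a stale or hijacked
        # account typically reappears; flag it regardless of event type.
        if acct in last_seen and ts - last_seen[acct] > timedelta(days=DORMANT_DAYS):
            findings.append((acct, "dormant_reactivation", ts.isoformat()))
        last_seen[acct] = ts
        if e["event"] == "LOGIN":
            label = source_label(e["ip"])
            # Only alert once the account has a baseline to compare against.
            if seen_sources[acct] and label not in seen_sources[acct]:
                findings.append((acct, "new_source", ts.isoformat()))
            seen_sources[acct].add(label)
            session_reads[acct] = 0
            bulk_flagged.discard(acct)
        elif e["event"] == "READ":
            session_reads[acct] += e["count"]
            if session_reads[acct] > BULK_READ_THRESHOLD and acct not in bulk_flagged:
                findings.append((acct, "bulk_read", ts.isoformat()))
                bulk_flagged.add(acct)
    return findings


if __name__ == "__main__":
    for account, finding, when in review_audit_log(SAMPLE_LOG):
        print(f"{when}  {account:<8} {finding}")
```

On the constructed log this produces three findings: jdoe's first login from an address outside the corporate range, the 1,850-record read in that same session, and asmith's return after more than ninety days of silence. Internal addresses are collapsed to one label so that ordinary moves between desks do not generate noise, which is the kind of tuning decision a risk analysis is supposed to document. The point is not the specific thresholds but that the review runs on a schedule and its output is kept, since OCR's corrective action plans ask for evidence that logs were examined, not only that logging was switched on.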

For Assured Imaging specifically, the corrective action plan addresses breach notification timeliness, which serves as a reminder that the 60-day clock under the HIPAA Breach Notification Rule runs from the date of discovery, not from the date the organization has fully assessed the scope of the breach. Organizations that delay notifications while conducting extended forensic analysis frequently find themselves with a stacked violation that multiplies the financial exposure from the underlying security failure.

According to Paubox's report on what healthcare gets wrong about HIPAA and email security, the most persistent compliance misconception across healthcare organizations is that purchasing security tools satisfies the Security Rule's requirements. What the four corrective action plans make clear is that OCR expects documented evidence of the risk analysis process, written risk management plans tied to specific identified vulnerabilities, and verifiable audit logs demonstrating that controls were actually implemented and monitored, not merely enabled in a vendor dashboard.

Where email sits in the enforcement picture

Phishing was the confirmed initial access vector in the Consociate breach and is the most frequently documented entry point across healthcare ransomware broadly, including in Microsoft Threat Intelligence analysis of 13 hospital systems, where 93% of observed malicious activity was traced to email-based threats. A properly conducted risk analysis at Consociate would have required the organization to assess the risks associated with email as an ePHI access vector and to document the controls in place to address those risks. That process, had it been completed, would have led directly to questions about inbound filtering, authentication requirements, and activity monitoring that might have shortened or eliminated the attacker's sixteen-month window.

Pre-delivery email filtering that removes phishing attempts before they reach employees' inboxes addresses the entry point at which most healthcare ransomware chains begin. According to Paubox's 2026 Healthcare Email Security Report, attacks avoiding native email defenses rose 47% in 2025, and phishing emails increased 17%, meaning that organizations relying on Microsoft 365 or Google Workspace default filtering as their primary inbound defense are operating with a documented gap between what they believe their email security covers and what it actually catches. Paubox Inbound Email Security uses AI to analyze sender behavior, message intent, and tone, detecting phishing attempts that bypass signature-based systems before they reach clinical and administrative staff.

FAQs

What does a HIPAA risk analysis actually require an organization to do?

A compliant risk analysis must identify every location where ePHI exists across the organization's information systems, including how it enters, flows through, and leaves those systems. It must then assess the potential threats and vulnerabilities to the confidentiality, integrity, and availability of that information, document the likelihood and impact of each identified risk, and feed those findings into a written risk management plan that addresses the vulnerabilities with specific controls. An analysis that covers only the EHR while ignoring email, billing systems, or third-party connections does not satisfy the requirement.

Why does OCR penalize organizations for failing the risk analysis even when a sophisticated attacker was responsible for the breach?

OCR's enforcement position is that the attacker's capability is not a mitigating factor when the organization failed to implement the foundational Security Rule requirements that were designed to reduce vulnerability. A risk analysis might have identified the unpatched server, the missing activity monitoring, or the authentication gaps that the attacker exploited. The penalty addresses the compliance failure, not the fact of being targeted.

How does the Assured Imaging case show that breach notification timing is a separate violation?

Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals within 60 days of discovering a breach. Assured Imaging failed to meet that deadline, and OCR charged the late notification as a separate violation that stacked on top of the penalties for the underlying security failures. Organizations that delay notifications while conducting forensic investigations frequently discover that the delay itself becomes a significant part of their enforcement exposure.

Does the size of a breach determine whether OCR investigates?

The four settlements make clear that it does not. SG Health Plan's breach affected 9,316 individuals, which is well below the 500-person threshold that triggers automatic public posting on the HHS breach portal, yet the organization still received a $245,000 penalty and a two-year corrective action plan. OCR's Risk Analysis Initiative is specifically designed to reach organizations of all sizes and types, and the consistent finding of absent risk analyses across the initiative's investigations suggests the problem is neither rare nor limited to large organizations.

Why are business associates subject to the same enforcement as covered entities?

The HIPAA Security Rule applies directly to business associates under the HITECH Act, and OCR enforces against them on the same basis as covered entities. The Consociate settlement illustrates this plainly: a third-party benefits administrator with no direct patient relationship was investigated, penalized $225,000, and placed under two-year monitoring. Any organization that creates, receives, maintains, or transmits ePHI on behalf of a covered entity carries the full weight of the Security Rule compliance obligations.
