Consociate, Inc. Resolution Agreement and Corrective Action Plan

RESOLUTION AGREEMENT

I. Recitals

Parties. The Parties to this Resolution Agreement (“Agreement”) are:
1. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic protected health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
2. Consociate, Inc., d/b/a Consociate Health (“Consociate”) is a business associate, as defined under 45 C.F.R. § 160.103, and therefore is required to comply with the HIPAA Security Rule and certain provisions of the Privacy and Breach Notification Rules. Consociate provides health plan administration, plan analytics, and consulting services to covered entities, which involves the use and disclosure of protected health information (PHI).
3. HHS and Consociate shall together be referred to herein as the “Parties.”
Factual Background and Covered Conduct

On January 14, 2021, Consociate discovered that some of its information systems had been encrypted in a ransomware attack. Consociate subsequently learned that its information systems had been compromised six months earlier following a successful phishing attack, and that the threat actor had since undertaken significant malicious activity against Consociate’s network environment, culminating in the ransomware attack. The threat actor gained access to a server that held the PHI of approximately 136,539 individuals. HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
1. Consociate failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) that it holds. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
No Admission. This Agreement is not an admission of liability by Consociate.
No Concession. This Agreement is not a concession by HHS that Consociate is not in violation of the HIPAA Rules and not liable for civil money penalties.
Intention of Parties to Effect Resolution. This Agreement is intended to resolve HHS Transaction Number 22-451220 and any violations of the HIPAA Rules related to the Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

II. Terms and Conditions

Payment. HHS has agreed to accept, and Consociate has agreed to pay HHS, the amount of $225,000 (“Resolution Amount”). Consociate agrees to pay the Resolution Amount in one lump sum on the Effective Date of this Agreement as defined in paragraph II.14 by automated clearing house transaction pursuant to written instructions to be provided by HHS.
Corrective Action Plan. Consociate has entered into and agrees to comply with the Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this Agreement by reference. If Consociate breaches the CAP and fails to cure the breach as set forth in the CAP, then Consociate will be in breach of this Agreement and HHS will not be subject to the Release set forth in paragraph II.8 of this Agreement.
Release by HHS. In consideration of and conditioned upon Consociate’s performance of its obligations under this Agreement, HHS releases Consociate from any actions it may have against Consociate under the HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2 of this Agreement. HHS does not release Consociate from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
Agreement by Released Parties. Consociate shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. Consociate waives all procedural rights granted under section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
Binding on Successors. This Agreement is binding on Consociate and its successors, heirs, transferees, and assigns.
Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
No Additional Releases. This Agreement is intended to be for the benefit of the Parties only and by this instrument the Parties do not release any claims against or by any other person or entity.
Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (“Effective Date”).
Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty (“CMP”) must be imposed within six years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, Consociate agrees that the time between the Effective Date of this Agreement (as set forth in paragraph 14) and the date the Agreement may be terminated by reason of Consociate’s breach, plus one-year thereafter, will not be included in calculating the six (6) year statute of limitations applicable to the violations which are the subject of this Agreement. Consociate waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the covered conduct identified in paragraph I.2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Agreement.
Disclosure. HHS places no restriction on the publication of the Agreement. This Agreement and information related to this Agreement may be made public by either Party.
Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
Authorizations. The individual signing this Agreement on behalf of Consociate represents and warrants that they are authorized to execute this Agreement. The individual signing this Agreement on behalf of HHS represents and warrants that they are signing this Agreement in their official capacity and that they are authorized to execute this Agreement.

[SIGNATURES ON FOLLOWING PAGE]

For Consociate, Inc.

/s/

Darren Reynolds
Chief Executive Officer and President
Consociate, Inc.

December 15, 2025

For the United States Department of Health and Human Services

/s/

Barbara Stampul
Regional Manager
Office for Civil Rights

December 18, 2025

Appendix A

CORRECTIVE ACTION PLAN

BETWEEN THE

U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

AND

CONSOCIATE, INC.

I. Preamble

Consociate, Inc. (“Consociate”) hereby enters into this Corrective Action Plan (“CAP”) with the United States Department of Health and Human Services, Office for Civil Rights (“HHS”). Contemporaneously with this CAP, Consociate is entering into a Resolution Agreement (“Agreement”) with HHS, and this CAP is incorporated by reference into the Agreement as Appendix A. Consociate enters into this CAP as part of the consideration for the release set forth in paragraph II.8 of the Agreement.

II. Contact Persons and Submissions

Contact Persons Consociate has identified the following individual as its authorized representative and contact person regarding the implementation of this CAP and for receipt and submission of notifications and reports: Darren Reynolds, Chief Executive Officer and President
Consociate, Inc.
2828 North Monroe Street
Decatur, IL 62526
HHS has identified the following individual as its authorized representative and contact person with whom Consociate is to report information regarding the implementation of this CAP:
Barbara Stampul, Regional Manager
Regional Manager
Enforcement Division
Office for Civil Rights
U.S. Department of Health and Human Services
Sam Nunn Atlanta Federal Center, Suite 16T70
61 Forsyth Street, S.W.
Atlanta, GA 30303-8909
Consociate and HHS agree to promptly notify each other of any changes in the contact persons or the other information provided above.
Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, electronic mail, or hand delivery, provided there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.

III. Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the obligations assumed by Consociate under this CAP will begin on the Effective Date of this CAP and end two (2) years from the Effective Date, unless HHS notifies Consociate under section VIII below of its determination that Consociate has breached this CAP. In the event of such a notification by HHS under section VIII, the Compliance Term will not end until HHS notifies Consociate that it has determined that the breach has been cured. After the Compliance Term ends, Consociate will still be obligated to: (a) submit the final Annual Report as required by section VI; and (b) comply with the document retention requirement in section VII. Nothing in this CAP is intended to eliminate or modify Consociate’s obligation to comply with the document retention requirements in 45 C.F.R. §§ 164.316(b) and 164.530(j).

IV. Time

In computing any period of time prescribed or allowed by this CAP, all days referred to will be calendar days. The day of the act, event, or default from which the designated period of time begins to run will not be included. The last day of the period so computed will be included, unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of the next day which is not one of the aforementioned days.

V. Corrective Action Obligations

Consociate agrees to the following:
Conduct a Risk Analysis
1. Consociate will conduct and document an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (“ePHI”) held by Consociate (“Risk Analysis”). The Risk Analysis shall incorporate all of Consociate’s facilities and must include an evaluation of the risks to the security of ePHI in electronic equipment, information systems, programs, applications, devices, and media controlled, administered, or owned by Consociate that create, store, transmit, or receive ePHI. The Risk Analysis shall also include an assessment of the risks to ePHI security in the physical environment. As part of this process, Consociate will develop a complete inventory of its physical locations and facilities, and any hardware, software and data assets that maintain or provide access to ePHI, and then incorporate this information into the Risk Analysis.
2. Within 30 days of the Effective Date, Consociate will submit to HHS the scope and methodology by which it proposes to conduct the Risk Analysis. HHS will notify Consociate whether the proposed scope and methodology is or is not consistent with 45 C.F.R. § 164.308 (a)(l)(ii)(A).
3. Within 60 days of receiving notice of HHS’ approval of the scope and methodology, Consociate will submit to HHS the Risk Analysis for HHS’ review.
4. Upon submission by Consociate, HHS will review and recommend changes to the Risk Analysis. Upon receiving HHS’ recommended changes, Consociate will have 30 days to submit a revised Risk Analysis. This process will continue until HHS approves the Risk Analysis.
5. Consociate will review the Risk Analysis annually. Consociate will also promptly update the Risk Analysis in response to environmental or operational changes affecting the security of ePHI. During the Compliance Term, Consociate will submit subsequent risk analyses for review by HHS, in the same manner as described in this section.
Develop and Implement a Risk Management Plan
1. Consociate will develop a risk management plan and implement security measures to address and mitigate to a reasonable and appropriate level any security risks or vulnerabilities identified in the Risk Analysis detailed in section V.A.1, (the “Risk Management Plan”). The Risk Management Plan will include a process and timeline for Consociate’s implementation, evaluation, and review of its risk management activities.
2. Within 60 days of HHS’ approval of the Risk Analysis, described in section V.A.1 above, Consociate will submit to HHS a Risk Management Plan for HHS’ review and approval. HHS will approve, or, if necessary, require revisions to the Risk Management Plan.
3. Upon receiving notice of HHS’ required revisions, if any, Consociate will have 30 days to revise the Risk Management Plan accordingly and forward to HHS for review and approval. This process will continue until HHS approves the Risk Management Plan.
4. Within 30 days of HHS’ approval of the Risk Management Plan, Consociate will finalize, officially adopt, and implement the Risk Management Plan in accordance with Consociate’s applicable administrative procedures.
Policies and Procedures
1. Consociate will develop, review, and revise, as necessary, its written policies and procedures to comply with the Federal Standards for the Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the requirements for Notification in the Case of Breach of Unsecured Protected Health Information (45 C.F.R. Parts 160 and 164, Subpart D, the Breach Notification Rule) (the “HIPAA Rules”). The policies will address the following provisions of the HIPAA Rules:
  1. Risk Analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A);
  2. Risk Management – 45 C.F.R. § 164.308(a)(1)(ii)(B);
  3. Information System Activity Review – 45 C.F.R. § 164.308(a)(1)(ii)(D);
  4. Audit Controls – 45 C.F.R. § 164.312(b);
  5. Security Awareness and Training – 45 C.F.R. § 164.308(a)(5);
  6. Breach Risk Assessment and Notification by a Business Associate – 45 C.F.R. §§ 164.400 et seq.
2. Consociate will submit the policies and procedures described in section V.C.1. to HHS within 60 days of HHS’ approval of the Risk Management Plan described in section V.B., above. HHS will approve, or, if necessary, require revisions to policies and procedures.
3. Upon receiving HHS’ notice of required revisions, if any, Consociate will have 30 days to revise the policies and procedures accordingly and provide the revised policies to HHS for review and approval. This process will continue until HHS approves the policies and procedures.
4. Consociate will finalize and implement the policies and procedures within 30 days of HHS’ approval of said policies and procedures.
Distribution of Policies and Procedures
1. Consociate will distribute the policies and procedures described in section V.C. to all appropriate workforce members within 30 days of HHS’ approval of the policies and procedures. Consociate will also distribute such policies and procedures to new workforce members, as applicable, within 30 days of their beginning of service.
2. When Consociate distributes the policies and procedures, Consociate will obtain a signed written or electronic initial compliance certification from each workforce member recipient stating that the workforce member has read, understands, and will abide by the policies and procedures.
3. Consociate will not provide a workforce member access to PHI if that workforce member has not signed or provided the written or electronic certification required in section V.D.2.
4. Consociate will review its policies and procedures at least annually and where appropriate, update information to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, or other relevant developments.
Training
1. Within 30 days of HHS’ approval of the policies and procedures described in section V.C., Consociate will develop or augment where needed, training materials on Consociate’s HIPAA policies and procedures, to include training related to the policies and procedures required by section V.C., for all Consociate workforce members who have access to PHI. The training materials should include general instruction on compliance with Consociate’s HIPAA policies and procedures and how to report and respond to potential security or breach incidents. Within the same 30-day period, Consociate will submit its proposed training materials to HHS for review and approval. HHS will approve, or if necessary, require revisions to Consociate’s training materials.
2. Upon receiving HHS’ notice of required revisions, if any, Consociate will have 30 days to revise the training materials accordingly and forward to HHS for review and approval. This process will continue until HHS approves the training materials.
3. Within 60 days of HHS’ approval of the training materials, or during Consociate’s reoccurring annual training, whichever comes first, and annually thereafter, Consociate will provide training to each workforce member who has access to PHI.
4. Consociate will provide training to each new workforce member with access to PHI within 30 days of their beginning of service.
5. Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date training was received. All training materials shall be retained in compliance with section VII of this CAP.
6. Consociate will review its training materials at least annually and where appropriate, update information to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, or other relevant developments.
Reportable Events
1. During the Compliance Term, Consociate will, upon learning that a workforce member likely failed to comply with its policies and procedures described in section V.C., promptly investigate this matter. If Consociate, after review and investigation, determines that a workforce member has failed to comply with its policies and procedures, Consociate will report such events to HHS as specified in section VI.B.1.c. on a quarterly basis. Such violations shall be known as “Reportable Events.” The report to HHS will include the following:
  1. A complete description of the event, including the relevant facts, the persons involved, and the applicable provision(s) of Consociate’s HIPAA policies and procedures;
  2. A description of the actions taken and any further steps Consociate plans to take to address the matter to mitigate any harm, and to prevent it from recurring, including application of any appropriate sanctions against workforce members who failed to comply with its HIPAA policies and procedures.
  3. If no Reportable Events occur during the Compliance term, Consociate will so inform HHS in the Implementation Report as specified in section VI.

VI. Implementation Report and Annual Reports

Implementation Report
1. Within 60 days of receipt of HHS’ approval of the training required by section V.E., Consociate will submit a written report to HHS summarizing the status of its implementation of the requirements of this CAP. This report, known as the “Implementation Report,” will include:
  1. An attestation signed by an owner or officer of Consociate attesting that the policies and procedures approved by HHS in section V.C. are being implemented;
  2. An attestation signed by an owner or officer of Consociate attesting that all workforce members have completed the initial training required by section V.E.; and
  3. An attestation signed by an owner or officer of Consociate stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
Annual Reports
1. The one (1) year period after the Effective Date and each subsequent one (1) year period during the course of the Compliance Term shall be known as a “Reporting Period.” Within 60 days after the close of each corresponding Reporting Period, Consociate will submit a report to HHS regarding Consociate’s compliance with this CAP for each corresponding Reporting Period (“Annual Report”). The Annual Report shall include:
  1. An attestation signed by an owner or officer of Consociate attesting that all workforce members have completed the training required by section V.E. during the Reporting Period;
  2. An attestation signed by an owner or officer of Consociate attesting that any revision(s) to the policies and procedures required by section V.C. were finalized and adopted within 30 days of HHS’ approval of the revision(s), which shall include a statement affirming that Consociate distributed the revised policies and procedures to all appropriate members of Consociate’s workforce within 60 days of HHS’ approval of the revision(s);
  3. A summary of Reportable Events (defined in section V.F.), if any, the status of any corrective and preventative action(s) relating to all such Reportable Events, or an attestation signed by an owner or officer of Consociate stating that no Reportable Events occurred during the Compliance Term; and
  4. An attestation signed by an owner or officer of Consociate attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.

VII. Document Retention

Consociate shall maintain for inspection and copying, and shall provide to HHS, upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.

VIII. Requests for Extensions and Breach Provisions

Timely Written Requests for Extensions. Consociate may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five (5) days prior to the date such an act is required or due to be performed. This requirement may be waived by HHS only.
Notice of Breach of this CAP and Intent to Impose Civil Monetary Penalty. The parties agree that a breach of this CAP by Consociate constitutes a breach of the Agreement. Upon a determination by HHS that Consociate has breached this CAP, HHS may notify Consociate of: (1) Consociate’s breach; and (2) HHS’ intent to impose a CMP, pursuant to 45 C.F.R. Part 160, or other remedies, for the Covered Conduct set forth in paragraph I.2 of the Agreement and for any other conduct that constitutes a violation of the HIPAA Privacy, Security, and Breach Notification Rules (“Notice of Breach and Intent to Impose CMP”).
Consociate’s Response. Consociate will have 30 days from the date of receipt of the Notice of Breach and Intent to Impose CMP to demonstrate to HHS’ satisfaction that:
1. Consociate is in compliance with the obligations of the CAP that HHS cited as the basis for the breach;
2. The alleged breach has been cured; or
3. The alleged breach cannot be cured within the 30-day period, but that: (a) Consociate has begun to take action to cure the breach; (b) Consociate is pursuing such action with due diligence; and (c) Consociate has provided to HHS a reasonable timetable for curing the breach.
Imposition of CMP. If at the conclusion of the 30-day period, Consociate fails to meet the requirements of this CAP to HHS’ satisfaction, HHS may proceed with the imposition of the CMP against Consociate pursuant to 45 C.F.R. Part 160 for any violations of the Covered Conduct set forth in paragraph 1.2 of the Agreement and for any other act or failure to act that constitutes a violation of the HIPAA Rules. HHS will notify Consociate in writing of its determination to proceed with the imposition of the CMP.