HHS’ Office for Civil Rights Settles HIPAA Investigation of MMG Fusion, LLC Breach Affecting 15 Million Individuals
Settlement Marks OCR’s 12th Enforcement Action in OCR’s Risk Analysis Initiative
WASHINGTON — March 5, 2026 — Today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with MMG Fusion, LLC (MMG), a Maryland software company, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. MMG is a business associate as it receives protected health information (PHI) from HIPAA covered entities and its software is used to communicate directly with patients of covered entities.
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules), which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates — such as MMG — must follow to protect the privacy and security of PHI. The HIPAA Privacy Rule establishes national standards to protect individuals’ PHI; sets limits and conditions on the uses and disclosures of PHI; and gives individuals certain rights, including the right to timely access their health records. The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI). The Risk Analysis provision requires regulated organizations (covered entities and business associates) to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by those organizations. The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
“When a breach occurs, business associates must notify affected covered entities without unreasonable delay and within 60 calendar days of discovery,” said OCR Director, Paula M. Stannard. “This timeliness is crucial for a covered entity to meet its own breach notification obligations, such as timely notification to HHS and to individuals. As hacking becomes more ubiquitous, HIPAA Security Rule requirements, such as the need to have an accurate and thorough HIPAA risk analysis, are imperative for strengthening cybersecurity before a breach occurs.”
The settlement resolves an investigation that OCR initiated in March 2023 after receiving a complaint concerning an unreported security incident at MMG, and the posting of PHI on the dark web. OCR’s investigation determined that in December 2020, an unauthorized actor infiltrated MMG’s information system and accessed PHI, including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. OCR found that MMG had potentially violated several provisions of the HIPAA Privacy, Security, and Breach Notification Rules, including:
- Impermissibly disclosing the PHI of approximately 15 million individuals;
- Failing to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI held by MMG; and
- Failing to notify covered entities affected by the incident of the breach.
Under the terms of the resolution agreement, MMG agreed to implement a corrective action plan that OCR will monitor for three years and paid $10,000 to OCR. In reaching this settlement, OCR considered the financial condition of MMG. Under the corrective action plan, MMG has committed to take steps to ensure compliance with the HIPAA Rules and protect the security of ePHI, including:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Develop, maintain, and revise, as necessary, written policies and procedures in accordance with the Privacy and Security Rules;
- Ensure that all workforce members are trained with respect to Privacy and Security Rule policies and procedures; and
- Conduct a breach risk assessment of the December 2020 cyber-attack and, to the extent possible, provide affected covered entities with an accurate notice of the breach incident.
OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
- Periodically conduct, and update as needed, a risk analysis and develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/ocr-mmg-fusion-hipaa-agreement.pdf.
OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of individuals’ health information. Guidance about the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and the Security Rule’s Risk Analysis requirement, can also be found on OCR’s website.
Covered entities must comply with breach notification obligations under the HIPAA Breach Notification Rule. In submitting a notice of a breach of unsecured PHI to the HHS Secretary, covered entities must use the HHS Breach Portal.
If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR.