HHS’ Office for Civil Rights Settles Four HIPAA Security Rule Ransomware Investigations

OCR Resolves Investigations from Ransomware Breaches that Affect Over 427,000 Individuals

WASHINGTON—April 23, 2026—Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced settlements with four regulated entities following separate ransomware investigations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Ransomware is malicious software that blocks access to data—typically by encrypting it with a key known only to the attacker—until a ransom is paid. The resolutions announced mark 19 completed investigations from ransomware breaches and 13 completed investigations in OCR’s Risk Analysis Initiative.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical, and technical safeguards to ensure the confidentiality, integrity, security, and availability of electronic PHI (ePHI). The Risk Analysis provision requires regulated organizations (covered entities and business associates) to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by those organizations.

“Hacking and ransomware are the most frequent type of large breach reported to OCR,” said OCR Director Paula M. Stannard. “Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”

The settlements follow investigations into separate ransomware breaches that collectively affected over 427,000 individuals and involved the exposure of unsecured ePHI. The types of ePHI affected include demographic data, Social Security numbers (SSNs), financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities have agreed to implement corrective action plans subject to OCR monitoring for two years and paid a total of $1,165,000 to OCR.

Today’s announcement covers settlements with the following regulated entities.

• Regional Women’s Health Group, LLC (“RWHG”), doing business as Axia Women’s Health, is a network of women’s health care providers in New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky. The ransomware breach affected 37,989 individuals. The types of ePHI affected by the breach included names, addresses, dates of birth, SSNs, driver’s license numbers, diagnoses or conditions, lab results, and medications. RWHG reported in December 2020 that an unauthorized third-party gained access to its IT network and potentially exfiltrated data from RWHG’s electronic medical record database housing patient ePHI. OCR’s investigation found that RWHG failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. In addition to committing to corrective actions, RWHG paid $320,000 to OCR.
• Assured Imaging Affiliated Covered Entities (“Assured Imaging”) is a medical imaging and screening service provider with corporate headquarters in Arizona and California. The ransomware breach affected 244,813 individuals. The types of affected ePHI included patient names, addresses, dates of birth, diagnosis and conditions, lab results, medications, and treatment information. Assured Imaging reported in May 2020 that a server on its network was infected with ransomware. OCR’s investigation determined that Assured Imaging had impermissibly disclosed PHI, failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, and failed to timely notify affected individuals of the breach. In addition to committing to corrective actions, Assured Imaging paid $375,000 to OCR.
• Consociate, Inc., doing business as Consociate Health (“Consociate”) is a third-party administrator of employee-sponsored benefit programs that provides health plan administration, plan analytics and consulting services to HIPAA covered entities as a business associate. Approximately 136,539 individuals were affected by the ransomware breach. Affected ePHI included names, addresses, dates of birth, driver’s license numbers, SSNs, credit card/bank account numbers, and diagnoses or conditions. Consociate reported in November and December 2021 that some of its information systems had been encrypted in a ransomware attack. Consociate subsequently learned that, after a successful phishing attack in July 2020, the threat actor gained access to a server that held ePHI. OCR’s investigation determined that Consociate had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Consociate. In addition to committing to corrective actions, Consociate paid $225,000 to OCR.
• Star Group, L.P. Health Benefits Plan (“SG Health Plan”) is the self-funded employee benefits plan of a Connecticut-based energy provider. About 9,316 individuals were affected by the ransomware breach. Affected ePHI included names, addresses, dates of birth, SSNs, and health insurance information, such as member identification numbers, claims data, and benefit selection information. SG Health Plan reported in October 2021 that an unauthorized actor deployed ransomware on SG Health Plan’s information system and exfiltrated PHI. OCR’s investigation determined that SG Health Plan had impermissibly disclosed PHI and failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. In addition to committing to corrective actions, SG Health Plan paid $245,000 to OCR.

OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by the HIPAA Security Rule take the following steps to prevent or mitigate cyber-threats:

• Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
• Periodically conduct, and update as needed, a risk analysis and develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
• Ensure audit controls are in place to record and examine information system activity.
• Implement regular review of information system activity.
• Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
• Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
• Incorporate lessons learned from incidents into the organization’s overall security management process.
• Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

The resolution agreement and corrective action plan for RWHG may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ra-cap-with-rwhg/index.html.

The resolution agreement and corrective action plan for Assured Imaging may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ra-cap-with-assured-imaging/index.html.

The resolution agreement and corrective action plan for Consociate may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ra-cap-with-consociate-health/index.html.

The resolution agreement and corrective action plan for SG Health Plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ra-cap-with-sg-health-plan/index.html.

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of individuals’ health information. Guidance about the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and the Security Rule’s Risk Analysis requirement, can also be found on OCR’s website.

Covered entities must comply with breach notification obligations under the HIPAA Breach Notification Rule. In submitting a notice of a breach of unsecured PHI to the HHS Secretary, covered entities must use the HHS Breach Portal.

If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR.

Follow HHS OCR on X (formerly Twitter) at @HHSOCR.