Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Freedom 250 banner logo Join HHS in Celebrating Freedom 250
    • About HHS

      HHS is a U.S. executive department that touches the lives of nearly all Americans by protecting your rights, research, food safety, health care, aging, and much more.

      Explore About HHS
    • About the Department
      • Leadership
      • HHS Divisions
      • Organizational Chart
      • Priorities
      • Budget in Brief
      • Contact Us
    • Press Room
      • Press Releases
      • Request for Comment
      • Request for Interview
      • Connect on Social Media
      • HHS Live
      • Podcasts
    • Careers
      • Working at HHS
      • Opportunities for Attorneys
      • Join the Health Workforce
      • I am HHS
      • New Employee Orientation
      • Transportation Services
    • Standards and Compliance
      • Gold Standard Science
      • Accessibility
      • Plain Writing
      • Digital Communications Standards
      • Records Management
    • Accountability and Transparency
      • Freedom of Information Act (FOIA)
      • Open Government
      • No Fear Act
      • Privacy at HHS
  • RealFood.gov
  • MAHA
    • Programs & Services

      HHS is responsible for public health, health care, and human/social services for the United States of America. This includes administering over 100 programs and services.

      Explore Programs & Services
    • Health Care
      • Find a Health Center
      • Find an Indian Health Service Facility
      • Find Support for Mental Health, Drugs, or Alcohol
      • Find a Cancer Center
      • Dental Care Options
      • Telehealth
    • Health Insurance
      • Medicare – 65+ or With Disability
      • Medicaid - Low-Income, With Disability, or Pregnant
      • Children’s Health Insurance Programs (CHIP)
      • Find Health Insurance Coverage
      • Insurance Help for Mental Health and Substance Use
      • No Surprise Medicals Bills
    • Social Services
      • Programs for Children and Families
      • Programs for People with Disabilities
      • Programs for Older Adults
      • Resources for Caregivers
    • Public Health and Prevention
      • Emergency Preparedness and Response
      • Healthy Lifestyle
      • Mental Health and Substance Use
      • Food Safety and Nutrition
      • Drug and Product Safety
    • Health Research and Information
      • National Library of Medicine
      • Surgeon General Reports
      • Health Data
      • National Center for Health Statistics
      • Medline Plus
      • Clinical Research Studies
      • Volunteering to Participate in Research
    • Laws & Regulations

      HHS protects and helps you understand the laws and regulations, also known as "rules," that govern the nation. You also have the power to voice your opinion on these laws and regulations.

      Explore Laws & Regulations
    • Regulatory Information
      • What is a Rule?
      • Find Rules by Division
      • Comment on Open Rules
      • Suggest Deregulatory Actions
      • Understand Key Federal Laws
    • Civil Rights
      • Your Civil Rights
      • Civil Rights Laws Enforced by HHS
      • Health Information Privacy
      • Substance Use Disorder Patient Confidentiality
      • Conscience and Religious Freedom
    • Laws and Regulations by Topic
      • HIPAA Privacy Rule
      • Health Insurance Protections
      • Health IT Legislation
      • Food and Drug Safety
      • Public Health Emergencies
    • Human Research Protections
      • The Belmont Report
      • Regulations, Policy, and Guidance
      • Human Subjects Regulations (45 CFR 46)
      • Register IRBs and Obtain FWAs
      • Trainings, Tutorials, and Workshops
      • International Research
    • Complaints and Appeals
      • File a Medicare Complaint
      • File a HIPAA Complaint
      • File a Civil Rights Complaint
      • Appeal an Insurance Company Decision
      • Report Fraud, Waste, and Abuse to OIG
      • Report a Problem to the FDA
      • Report a Tip on the Chemical and Surgical Mutilation of Children
    • Grants & Contracts

      HHS gives the most money in grants of any federal agency in the U.S. Find out about our grants and how your organization can apply for them. We also provide information on how you can work with us and our support of small businesses.

      Explore Grants & Contracts
    • Grants
      • Get Ready for Grants Management
      • Grant Policies and Regulations
      • Research Grants and Funding from NIH
      • Search Grants.gov
      • Avoid Grant Scams
      • Contact HHS Grant Officials
    • Contracts
      • Get Ready to Do Business with HHS
      • Programs for Businesses
      • Contract Policies and Regulations
      • Search Opportunities on SAM.gov
      • Contact HHS Contracting Managers
    • Small Business
      • Contract Opportunities
      • Small Business Programs
      • Small Business Resources
      • Contact Small Business Staff
    • Radical Transparency

      HHS protects and helps you understand the laws and regulations, also known as "rules," that govern the nation. You also have the power to voice your opinion on these laws and regulations.

      Explore Radical Transparency
    • CDC’s ACIP Conflicts of Interest
    • Ending Anti-Semitism on College Campuses
    • Ending Wasteful Spending
    • Keeping Food Ingredients Safe
    • Chemical Contaminants Transparency Tool
Breadcrumb
  1. Home
  2. Press Room
  3. HHS’ Office for Civil Rights Settles Ransomware Investigation with Health Plan
  • Press Room
  • HHS Live
  • Podcasts
    • The Secretary Kennedy Podcast
  • Social Media
FOR IMMEDIATE RELEASE
June 18, 2026
Contact: HHS Press Office
202-690-6343
Submit a Request for Comment

HHS’ Office for Civil Rights Settles Ransomware Investigation with Health Plan

Settlement Marks OCR’s 20th Ransomware Enforcement Action and 14th Enforcement Action in OCR’s Risk Analysis Initiative

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today announced a settlement with Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans (the Plan), the employer-sponsored group health plan of Spencer Gifts LLC, a national retail company, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

“Effective cybersecurity starts with Security Rule compliance, ensuring that Security Rule provisions are implemented before a cyberattack occurs,” said OCR Director Paula M. Stannard. “Regulated entities — including covered group health plans — should ensure these protections are firmly in place well before a cyberattack occurs, so the privacy and security of individuals’ health information remain safeguarded.”

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules), which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates (collectively, regulated entities) must follow to protect the privacy and security of protected health information (PHI). The risk analysis provision of the HIPAA Security Rule requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) held by those organizations.

The settlement resolves an investigation that OCR initiated after the Plan filed a breach report on January 24, 2022. The Plan had received employee complaints that employees were unable to connect to the virtual private network. The Plan discovered that in November 2021, an unauthorized actor accessed the company’s network and deployed ransomware, encrypting data on the company’s systems, including servers storing the Plan’s PHI, and demanding a ransom. The PHI of 10,023 individuals was potentially affected by the breach, including health plan members' names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers. OCR found that the Plan had potentially violated provisions of the Privacy and Security Rules, including:

  • Failing to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the Plan prior to the breach incident; and
  • Failing to implement reasonable and appropriate policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules prior to the breach incident.

Under the terms of the resolution, the Plan paid $450,000 and agreed to a two-year corrective action plan monitored by OCR. Under the corrective action plan, the Plan has committed to:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Review and, to the extent necessary, revise its current Privacy, Security, and Breach Notification Rule policies and procedures to comply with the HIPAA Rules; and
  • Ensure that all workforce members are trained with respect to its Privacy, Security, and Breach Notification Rule policies and procedures.

OCR recommends that regulated entities, including health care providers, health plans, healthcare clearinghouses, and business associates take the following steps to mitigate or prevent cyber-threats:

  • Identify where ePHI exists in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Periodically conduct, and update as needed, a risk analysis and develop and implement a risk management plan to address identified risks to the confidentiality, integrity, and availability of ePHI.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

The resolution agreement and corrective action plan can be found at: https://www.hhs.gov/sites/default/files/ocr-ra-cap-spencer.pdf.

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of individuals’ health information. The HIPAA Privacy Rule establishes national standards to protect individuals’ PHI; sets limits and conditions on the uses and disclosures of PHI; and gives individuals certain rights, including the right to timely access their health records. The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical, and technical safeguards to ensure the security, confidentiality, integrity, and availability of ePHI.

Guidance about the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and the Security Rule’s Risk Analysis requirement, can also be found on OCR's website.

Covered entities must comply with breach notification obligations under the HIPAA Breach Notification Rule. When submitting a notice of a breach of unsecured PHI to the HHS Secretary, covered entities must use the HHS Breach Portal.

If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR.

Follow HHS OCR on X at @HHSOCR.

###
Note: All HHS press releases, fact sheets and other news materials are available in our Press Room.
Like HHS on Facebook, follow HHS on X @HHSgov, @SecKennedy, and sign up for HHS Email Updates.
Last revised: June 18, 2026

Submit a request for comment

For media inquiries, please submit a request for comment.

Sign up to receive our press releases

Sign Up

Related Press Releases

  • HHS Informs Covered Entities of Partial Vacatur of 2024 ACA Nondiscrimination Final Rule; Core Protections Remain in Effect post Tennessee v. Kennedy

    • June 1, 2026 Press Release
  • HHS Announces Restructuring of its Office for Civil Rights

    • May 18, 2026 Press Release
  • HHS’ Office for Civil Rights Extends Web and Mobile Accessibility Compliance Deadline

    • May 7, 2026 Press Release

Related Blog Posts

  • HHS Blog thumbnail

    Commemorating the 26th Olmstead Anniversary and the Importance of the Olmstead Decision to Make America Healthy Again

Content last reviewed June 18, 2026
Back to top
Secretary Robert F. Kennedy Jr.

Follow @SecKennedy

HHS icon

Follow @HHSGov

HHS Email updates

Receive email updates from HHS.

Subscribe

HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​

  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • Press Room
  • HHS Archive
  • Accessibility Statement
  • Privacy Policy
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy