The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Deer Oaks – The Behavioral Health Solution (Deer Oaks), a behavioral health provider, resolving potential violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security rules. Deer Oaks provides psychological and psychiatric services to residents of long-term care and assisted living facilities. The settlement resolves an investigation that OCR initiated in May 2023 after receiving a complaint alleging that Deer Oaks impermissibly disclosed the electronic protected health information (ePHI) of individuals, including patient names, dates of birth, patient identification numbers, facilities, and diagnoses, by making patient discharge summaries publicly accessible online. OCR’s investigation substantiated the allegations and verified that the ePHI was accessible publicly via the Internet. According to Deer Oaks, a coding error in a now discontinued pilot program for an online patient portal, caused the ePHI to be exposed and cached by search engine providers from at least December 2021 until May 19, 2023. OCR’s investigation found that Deer Oaks impermissibly disclosed the ePHI of 35 individuals when it allowed the discharge summaries and initial assessments of those individuals to be accessible to the public online.