On March 5, 2026, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with a Maryland software company concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification rules. The software company is a business associate because it receives protected health information (PHI) from HIPAA-covered entities, and its software is used to communicate directly with patients of covered entities. The settlement marks the 12th enforcement action under OCR’s Risk Analysis Initiative.
The settlement resolves an investigation that OCR initiated in March 2023 after receiving a complaint concerning an unreported security incident at the software company and the posting of PHI on the dark web. OCR’s investigation determined that in December 2020, an unauthorized actor infiltrated the company’s information system and accessed PHI, including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. OCR found that the company had potentially violated several provisions of the HIPAA Privacy, Security, and Breach Notification rules, including:
- Impermissibly disclosing the PHI of approximately 15 million individuals;
- Failing to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the company; and
- Failing to notify the affected covered entities of the breach.
Under the terms of the resolution agreement, the company agreed to implement a corrective action plan that OCR will monitor for three years and paid $10,000 to OCR. In reaching this settlement, OCR considered the financial condition of the company. Under the corrective action plan, the company has committed to take steps to ensure compliance with the HIPAA rules and protect the security of ePHI, including:
- Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Developing, maintaining, and revising, as necessary, written policies and procedures in accordance with the Privacy and Security rules;
- Ensuring that all workforce members are trained with respect to Privacy and Security rule policies and procedures; and
- Conducting a breach risk assessment of the December 2020 cyberattack and, to the extent possible, providing the affected covered entities with an accurate notice of the breach incident.
Compliance Perspective
Issue
The HIPAA Privacy, Security, and Breach Notification rules require covered entities—such as health plans, healthcare clearinghouses, and most healthcare providers—and their business associates to protect the privacy and security of PHI. The Privacy Rule sets national standards for the use and disclosure of PHI and grants individuals certain rights, including access to their health records. The Security Rule requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, including conducting an accurate and thorough risk analysis and reviewing it periodically and whenever systems or operations change. The Breach Notification Rule mandates notification following a breach of unsecured PHI: a business associate must notify the affected covered entity, and the covered entity must in turn notify the affected individuals, HHS, and, for larger breaches, the media. Failure to implement these safeguards and processes can lead to unauthorized disclosures, data breaches, and regulatory enforcement actions.
Discussion Points
- Review policies and procedures addressing HIPAA compliance, including risk analysis, risk management, incident response, breach notification, and the safeguarding of PHI and ePHI. Policies should clearly outline responsibilities for identifying and mitigating security risks and responding to potential breaches. Periodic policy reviews, including those conducted with the assistance of external compliance consultants, can help organizations identify gaps and ensure that policies remain aligned with current regulatory expectations and emerging cybersecurity threats.
- Train staff who use or maintain the organization’s computer systems on HIPAA Security Rule requirements, including conducting risk assessments and safeguarding ePHI. Include instruction on avoiding phishing, malware, and unauthorized disclosures, and on detecting and reporting security threats. Med-Net Academy offers the course HIPAA Security Rule Security Incident Procedures, which covers the background of the Security Rule, developing policies and procedures for security incidents, forming incident response teams, audit log review, threat mitigation, data backup strategies, documenting incidents, and breach reporting obligations.
- Periodically audit systems, policies, and workforce practices to confirm that HIPAA safeguards are being implemented and followed. Audits may include reviews of access controls, system activity logs, breach response procedures, and risk analysis documentation. Facilities may also benefit from independent compliance assessments or mock reviews conducted with external consultants to identify vulnerabilities and strengthen oversight before issues result in regulatory scrutiny.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*