HHS OCR Settles HIPAA Breach Investigation Affecting 15 Million Individuals

The US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with MMG Fusion, LLC (MMG), a Maryland software company, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. MMG is a business associate because it receives protected health information (PHI) from HIPAA-covered entities and its software is used to communicate directly with patients of covered entities. The settlement resolves an investigation that OCR initiated in March 2023 after receiving a complaint concerning an unreported security incident at MMG and the posting of PHI on the dark web. OCR’s investigation determined that in December 2020, an unauthorized actor infiltrated MMG’s information system and accessed PHI, including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. OCR found that MMG had potentially violated several provisions of the HIPAA Privacy, Security, and Breach Notification Rules.