HHS OCR Settles HIPAA Cybersecurity Investigation with Vision Upright MRI

Today, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Vision Upright MRI, a small California healthcare provider that conducts magnetic resonance imaging and related services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification and Security Rules. The settlement resolves an OCR investigation concerning the breach of an unsecured server containing the medical images of 21,778 individuals. OCR initiated a compliance review of Vision Upright MRI after learning that an unauthorized third party’s impermissible access had resulted in a breach of electronic protected health information (ePHI) stored on the provider’s Picture Archiving and Communication System (PACS) server, which is used for storing, retrieving, managing, and accessing radiology images. OCR’s investigation revealed that Vision Upright MRI had never conducted a HIPAA risk analysis and that it had failed to provide timely breach notification, within 60 days of discovering the breach, to the 21,778 affected individuals.