Today, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Guam Memorial Hospital Authority (GMHA), a public hospital on the US Territory, island of Guam, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following the receipt of two complaints alleging that the electronic protected health information (ePHI) of GMHA patients was impermissibly disclosed. OCR initiated an investigation following the receipt of a complaint in January 2019 alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 alleging that hacker(s) had accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.