
HHS OCR Settles HIPAA Security Rule Investigation with Illinois Treatment Center

Today, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with Top of the World Ranch Treatment Center (TWRTC), a substance use disorder treatment provider in Illinois, for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an investigation of TWRTC that OCR initiated after receiving a breach report that TWRTC filed in March 2023. TWRTC reported that, as a result of a successful phishing attack, an unauthorized third party accessed electronic protected health information (ePHI) through a workforce member’s email account. TWRTC concluded that the ePHI of 1,980 patients was compromised by the attack. OCR’s investigation found evidence that TWRTC failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI TWRTC holds, as required by the HIPAA Security Rule.