The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced settlements with four regulated entities following separate ransomware investigations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The resolutions announced mark 19 completed investigations from ransomware breaches and 13 completed investigations in OCR’s Risk Analysis Initiative. The settlements follow investigations into separate ransomware breaches that collectively affected over 427,000 individuals and involved the exposure of unsecured ePHI. The types of ePHI affected include demographic data, Social Security numbers (SSNs), financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities have agreed to implement corrective action plans subject to OCR monitoring for two years and paid a total of $1,165,000 to OCR.