Quick answer

On April 23, 2026, HHS OCR announced settlements with four regulated entities, collecting a combined $1,165,000 after ransomware attacks exposed the ePHI of more than 427,000 individuals. Every settlement cited the same violation: failure to conduct a required risk analysis under 45 C.F.R. § 164.308(a)(1)(ii)(A). The four entities (a women’s health network, an imaging company, a business associate health plan administrator, and a self-funded employer health plan) were each placed under two-year corrective action plan monitoring. Texas healthcare practices and employers sponsoring self-funded health plans face the same enforcement exposure.

In the first four months of 2026, OCR completed six HIPAA enforcement actions and collected $1,278,000 in total penalty payments. The biggest single day in that stretch was April 23, when OCR announced four settlements at once, each the result of a separate ransomware investigation. The timing reflects a deliberate enforcement posture. Since the Change Healthcare attack of February 2024 (which ultimately affected 192.7 million individuals, more than half of the U.S. population), OCR has treated ransomware as a top enforcement priority. In 2024 alone, regulated entities reported 725 large breaches (500 or more individuals each) to HHS, roughly two per day, and the FBI counted 238 ransomware complaints from the healthcare sector, more than from any other critical infrastructure sector in the country.

Understanding exactly who got fined, for what, and what OCR required them to fix is the clearest window into whether your practice or health plan is carrying the same risk.

Who were the four entities and what did they pay?

Axia Women’s Health (Regional Women’s Health Group, LLC): $320,000. A December 2020 ransomware attack exposed the names, Social Security numbers, driver’s license numbers, diagnoses, lab results, and medications of 37,989 individuals across this multi-state women’s health network.

Assured Imaging Affiliated Covered Entities: $375,000. This was the largest of the four settlements. A May 2020 ransomware attack exposed the ePHI of 244,813 individuals. OCR found two violations: Assured Imaging never completed a risk analysis, and it failed to notify affected individuals within the required 60-day window under 45 C.F.R. § 164.404. That second finding made Assured Imaging the only one of the four to face a breach notification rule violation in addition to the Security Rule violation.

Consociate Health (Consociate, Inc.): $225,000. Consociate is a third-party health plan administrator, which makes it a business associate rather than a covered entity. A phishing attack in July 2020 gave threat actors a foothold; ransomware was not deployed until November-December 2021, a dwell time of roughly 16 to 17 months during which the intrusion went undetected. By then, the ePHI of 136,539 individuals had been exposed.

Star Group, L.P. Health Benefits Plan: $245,000. An October 2021 ransomware attack hit this self-funded employer-sponsored group health plan, exposing the ePHI of 9,316 plan participants, including Social Security numbers, member IDs, claims data, and benefit selection information.

Together, the four settlements collected $1,165,000 and placed all four entities under two-year corrective action plan monitoring.

What violation did OCR cite in every single case?

All four settlements cited 45 C.F.R. § 164.308(a)(1)(ii)(A), the HIPAA Security Rule’s risk analysis requirement. It is a “required” implementation specification, not an “addressable” one, and it applies to covered entities and business associates alike: each must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” In three of the four cases, this was the only regulatory violation cited. Assured Imaging added a breach notification failure on top of it.

OCR’s Risk Analysis Initiative, launched on October 31, 2024, was built precisely to target this gap. The initiative’s first enforcement action was a $90,000 settlement against Bryan County Ambulance Authority of Oklahoma, paired with a three-year corrective action plan. By April 23, 2026, OCR had completed 13 investigations under that initiative and 19 total ransomware-related HIPAA investigations. OCR Director Melanie Fontes Rainer stated when the initiative launched: “Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA.”

The initiative has continued across the change in presidential administration, generating roughly $900,000 in settlements from eight organizations by April 2025 and growing to 13 completed investigations a year later. Its persistence signals that risk analysis enforcement is not a short-term political priority; it is now a standing OCR program.

Does this enforcement reach business associates and employer health plans?

Yes, and that is one of the most important takeaways from April 2026.

The Consociate Health settlement confirmed that business associates are directly liable for Security Rule violations under the same CFR section applied to hospitals and physician practices. Consociate never treated a patient. It is a third-party administrator that handles health plan operations. Yet OCR cited it directly for failing to conduct an adequate risk analysis. Texas practices that share ePHI with vendors, billing companies, clearinghouses, or IT service providers should treat this as a direct signal to audit their business associate agreements and review their vendors’ compliance posture.

The Star Group settlement carries an equally important message for Texas employers. Star Group L.P. Health Benefits Plan is a self-funded employer-sponsored group health plan, not a healthcare provider. Its $245,000 settlement payment confirms that Texas employers sponsoring self-funded health plans are independently subject to HIPAA Security Rule enforcement. Analysts have flagged this as a relatively rare direct OCR enforcement action against a plan sponsor and a specific warning to small-business self-funded plans, which are common across Texas.

What did OCR require the four entities to fix?

The corrective action plans from the April 2026 settlements give a clear picture of what OCR considers adequate Security Rule compliance. Collectively, the four entities were required to:

  1. Develop a complete written technology asset and network inventory.
  2. Perform ePHI data flow mapping to document where protected health information lives and moves across systems.
  3. Conduct vulnerability scans and penetration testing.
  4. Document network segmentation.
  5. Review patch management policies and audit logs.
  6. Submit annual risk analysis updates, all monitored over two years.

These requirements also map directly to the proposed HIPAA Security Rule amendments published in the Federal Register on January 6, 2025 (90 FR 898). That proposed rule (the first proposed update to the Security Rule since 2013) would eliminate the current distinction between “required” and “addressable” implementation specifications. Under the proposal, encryption of all ePHI at rest and in transit, multi-factor authentication, network segmentation, and anti-malware protections would become mandatory for all covered entities and business associates. Additional specific deadlines in the proposal include applying critical-risk patches within 15 calendar days, restoring critical systems within 72 hours of an outage, maintaining ePHI backups no older than 48 hours, and revoking a departing employee’s ePHI access within 1 hour of separation. HHS estimated first-year implementation costs for all regulated entities at approximately $9.3 billion, with roughly $6 billion per year in recurring costs for years two through five.

What additional obligations do Texas practices face after a ransomware breach?

Texas practices carry a dual compliance burden that many overlook. The HIPAA Breach Notification Rule (45 C.F.R. § 164.404) requires covered entities to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach. A breach affecting 500 or more individuals must also be reported to HHS within that same 60-day window (45 C.F.R. § 164.408), and when it affects more than 500 residents of any single state, the covered entity must notify prominent media outlets serving that state within 60 days as well (45 C.F.R. § 164.406).

Texas state law adds a shorter deadline on top of the federal one. Texas Business and Commerce Code § 521.053(b-1), as amended effective September 1, 2023, requires any business experiencing a breach affecting 250 or more Texas residents to report it electronically to the Texas Attorney General as soon as practicable and no later than 30 days after discovery. That state deadline runs faster than the federal 60-day clock. The Texas Identity Theft Enforcement and Protection Act (Chapter 521) also authorizes the Texas AG to seek civil penalties of $2,000 to $50,000 per violation, plus up to $100 per affected individual for each day notification is late, capped at $250,000 per breach. Those state penalties are independent of, and can be pursued alongside, any federal HIPAA settlement or penalty from OCR.

A ransomware event hitting a Houston or Dallas practice that exposes the records of more than 500 Texas residents could simultaneously trigger individual and HHS notification under HIPAA, Texas AG reporting on the shorter 30-day clock, mandatory media notification, and state civil penalty exposure, all on overlapping timelines.

What to do next

The April 2026 settlements function as a detailed compliance checklist, because OCR told the four penalized entities exactly what they needed to build. A completed written risk analysis, a full technology asset and network inventory, ePHI data flow mapping, vulnerability scanning and penetration testing, documented patch management and audit log review, network segmentation documentation, and annual risk analysis updates: these are the same items OCR will look for if your practice or employer health plan is ever investigated.

If your organization has not completed a formal HIPAA Security Rule risk analysis within the past 12 months, or if you have never had one done at all, the April 2026 enforcement record makes the cost of delay concrete. Our HIPAA risk analysis service walks Texas healthcare practices and health plan sponsors through each of these requirements, produces the written documentation OCR expects to see, and identifies gaps before a ransomware incident forces the issue.

Last Updated: June 15, 2026