On April 23, 2026, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced four HIPAA Security Rule ransomware settlements, including one involving a self-funded group health plan. This underscores the need for employer-sponsored health plans, especially those that create, receive, or maintain electronic protected health information (ePHI), to perform regular risk analyses and implement strong safeguards to protect it.
Background
OCR enforces the HIPAA Security Rule, which requires health plans and their business associates to safeguard ePHI. A thorough risk analysis is a core requirement: it identifies vulnerabilities and guides the safeguards you need to protect your organization’s electronic health information.
HIPAA Settlement
Star Group, L.P.’s self-funded health plan suffered an October 2021 ransomware attack affecting 9,316 individuals, exposing names, addresses, dates of birth, Social Security numbers, and health insurance details. OCR found the plan had impermissibly disclosed ePHI and failed to conduct a proper risk analysis, resulting in a $245,000 settlement and a required corrective action plan.
Key Compliance Steps
OCR encourages covered entities to take practical, proactive steps to strengthen security and reduce cyber risk, including:
- Identify where ePHI lives in your systems and how it enters, moves through, and exits your organization;
- Regularly complete and update a risk analysis, and put a risk management plan in place to address threats to your ePHI;
- Put strong audit controls in place and routinely review system activity for unusual or unauthorized access;
- Schedule routine reviews of system activity to catch issues early;
- Use strong authentication tools so only authorized users can access ePHI;
- Encrypt ePHI in transit and at rest to help prevent unauthorized access;
- Incorporate lessons learned from incidents into your ongoing security program; and
- Offer ongoing, role-specific HIPAA training tailored to your organization.
