On April 23, 2026, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced four HIPAA Security Rule ransomware settlements, including one involving a self-funded group health plan. This underscores the need for employer-sponsored health plans, especially those that create, receive, maintain, or transmit electronic protected health information (ePHI), to perform regular risk analyses and implement strong safeguards to protect it.
OCR enforces the HIPAA Security Rule, which requires health plans and their business associates to safeguard ePHI. A thorough risk analysis (the standard at 45 CFR § 164.308(a)(1)(ii)(A)) is a core requirement: it identifies the threats and vulnerabilities to the ePHI your organization holds, and the results of that analysis drive which administrative, physical, and technical safeguards you need to put in place.
Star Group, L.P.’s self-funded health plan suffered an October 2021 ransomware attack affecting 9,316 individuals, exposing names, addresses, dates of birth, Social Security numbers, and health insurance details. OCR found the plan had impermissibly disclosed ePHI and failed to conduct a proper risk analysis, resulting in a $245,000 settlement and a required corrective action plan.
OCR encourages covered entities to take practical, proactive steps to strengthen security and reduce cyber risk, including:
Download the bulletin for more details.