A hospital in Puerto Rico. A health system in Ohio. Senior care facilities. Arizona and Texas clinics. A Brockton, Massachusetts, hospital is still running on downtime procedures two weeks after an attack. The volume is not the story. The story is what these incidents have in common, and what OCR is doing about it.
On April 23, 2026, the HHS Office for Civil Rights announced four simultaneous settlements totaling $1,165,000, covering breaches that exposed the ePHI of 427,000 individuals. The settlements mark OCR’s 19th completed ransomware investigation and the 13th action under its Risk Analysis Initiative. The agency is moving fast, and the pattern across every action is the same: organizations that got hit by ransomware had never completed a defensible risk analysis.
The Fines Are Not About the Ransomware. They Are About What Came Before It.
This is the point most coverage misses. OCR does not fine organizations for being attacked. It fines them for failing to implement the security controls that HIPAA requires before the attack happened.
Assured Imaging, a medical imaging provider in Arizona and California, paid $375,000 after the PYSA ransomware group encrypted and stole the records of nearly 245,000 patients in 2020. OCR’s investigation found the organization had never conducted a compliance risk analysis. Not an inadequate one. Never one at all. Axia Women’s Health paid $320,000 after a ransomware attack exposed the ePHI of nearly 38,000 patients. The central finding was the same: a failure to conduct an accurate and thorough risk analysis. Consociate Health paid $225,000 after a phishing attack gave attackers access to a server holding the ePHI of 136,539 individuals. SG Health Plan paid $245,000 to resolve similar findings.
“Hacking and ransomware are the most frequent types of large breaches reported to OCR,” said OCR Director Paula Stannard. “Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”
Understanding How These Attacks Impact Organizations
Headlines tell us when an attack makes the news, and it is in those accounts that we learn how health care actually operates day-to-day.
In May 2025, the ransomware group Interlock targeted Kettering Health, which operates 14 hospitals across Ohio and cares for 1.5 million patients every year. For three weeks, systems were unusable. Elective procedures were postponed. Ambulances were diverted.
Physicians resorted to using paper charts. To date, 44 patients have filed individual lawsuits related to the attack, which have now been consolidated into one complaint; 37 patients are suing for delayed care, while 8 patients are suing for refusal of care. The lawsuit claims Kettering had no plan in place to address the incident and “just stopped seeing patients, stopped taking phone calls, and they started turning everybody away.” Some patients who were turned away were receiving cancer treatment.
Caribbean Medical Center Hospital, Fajardo, Puerto Rico, first noticed a ransomware attack in February 2026 that is now listed on the OCR breach portal as affecting 92,000 individuals. The Gentlemen ransomware gang posted about the attack and threatened to publish the stolen data. Notification letters were mailed in April 2026, more than two months after discovery.
Medical practices in Arizona and Texas each notified individuals about ransomware attacks in which names, Social Security numbers, birthdates, and medical information were exposed. Two skilled nursing organizations also sent breach notifications to residents after ransomware attacks reached networks storing personal information about residents’ medical conditions and finances.
Brockton Hospital in Massachusetts was still operating on downtime procedures 14 days after it was attacked.
This isn’t because these organizations are small or lack the resources to do better. Kettering Health employs 15,000 staff and operates 14 hospitals. Size doesn’t change the pattern.
The Risk Analysis Gap Is Still the Most Common Finding
A decade of OCR enforcement actions points to the same vulnerability: organizations skip the risk analysis, patch what feels urgent, and call it a security program. That approach does not hold up when investigators start pulling records after a breach.
OCR has now closed 13 investigations under its Risk Analysis Initiative, launched after OCR reported a 264% increase in large ransomware-related breaches since 2018. Every settlement has included a corrective action plan and two years of active OCR monitoring.
The month of January 2026 had 46 healthcare organization breaches that potentially compromised over 1.4 million people, with ransomware accounting for the majority. What has changed is OCR’s willingness to pursue enforcement years after the original breach, and its ability to move through its backlog by focusing on risk analysis failures as the central finding. For business associates, Consociate’s settlement is a direct reminder: third-party administrators, billing services, and cloud providers carry their own HIPAA obligations and their own enforcement risk.
New HIPAA Requirements Are Coming. Are You Ready?
The proposed update to the HIPAA Security Rule is moving toward finalization and would introduce requirements that most covered entities and business associates are not currently meeting.
HALOCK has detailed what those new requirements look like. Annual penetration testing would become mandatory for all covered entities and business associates handling ePHI, conducted by qualified professionals simulating real-world attack scenarios. Written incident response plans would move from a flexible requirement to a formalized, fully documented standard defining roles, escalation procedures, and mandatory post-incident reviews. The frequency of penetration testing may be increased beyond annual if a risk analysis determines it is necessary.
HIPAA has required risk analyses for years, but it has never explicitly mandated a specific type of security testing. If adopted, the proposed rule would change that, making penetration testing a HIPAA compliance requirement. The Kettering litigation, centered in part on the absence of a contingency plan, is a preview of what courts and regulators will expect organizations to demonstrate they had in place.
What Duty of Care Demands Here
“Duty of Care” comes down to a simple question that considers the size of your organization, the information you possess, and your threat environment: are you doing enough to be reasonable and defensible? In healthcare, that question has a regulatory component that most industries do not face.
HIPAA security compliance is not a point-in-time achievement. It is a Duty of Care process that operates over time, requiring ongoing monitoring, risk management, and documented evidence that controls over ePHI are reasonable and appropriate. The organizations in OCR’s recent enforcement actions did not fail because they were attacked. They failed because they could not demonstrate they had done the work before the attack happened.
Three Actions to Take Before OCR Comes Knocking
Complete or update your HIPAA risk analysis this quarter. If you cannot produce a documented, comprehensive risk analysis covering all systems that create, receive, maintain, or transmit ePHI, you have the same exposure as every organization in OCR’s recent enforcement actions. HALOCK’s HIPAA Risk Assessment services, built on ISO 27005 and NIST 800-30, produce the documented evidence OCR expects to see.
Review your incident response readiness and plan. Kettering’s litigation makes clear that the absence of a workable contingency plan is actionable in civil court, not just in regulatory proceedings. HALOCK’s Incident Response Planning services, including Incident Response Readiness as a Service (IRRaaS), help healthcare organizations build, test, and maintain plans that hold up when systems go offline and investigators come asking. Many cyber insurers now require a written IRP for coverage. Getting one in place is both a compliance step and a risk management essential.
Start your penetration testing program now, before it becomes mandatory. The proposed HIPAA update would require annual pen testing by qualified professionals simulating real-world attack scenarios. HALOCK’s healthcare web application penetration testing is built specifically for the healthcare environment, with findings ranked by regulatory exposure and patient care impact. Getting ahead of the mandate means you are testing on your timeline, not OCR’s.
HALOCK helps healthcare organizations conduct HIPAA risk analyses that satisfy OCR’s requirements, build defensible security programs, develop tested incident response capabilities, and conduct the penetration testing that new HIPAA requirements are moving toward mandating.
OCR HIPAA Ransomware Enforcement FAQs
Why is OCR fining covered entities/business associates for ransomware attacks?
OCR is not fining covered entities because they were attacked. Rather, OCR fines covered entities that were attacked and did not have the HIPAA-required security controls in place prior to the attack. The most common deficiency cited is failure to perform a thorough and accurate risk analysis, which is required by HIPAA’s Security Rule.
Tell me more about OCR’s Risk Analysis Initiative.
OCR’s Risk Analysis Initiative is a targeted enforcement action initiated after OCR announced a 264% increase in large, ransomware-related breaches since 2018. To date, OCR has completed 13 Risk Analysis Initiative investigations. All resulted in settlements that included financial payments and two years of monitored corrective action plans.
Is penetration testing required in HIPAA?
Yes. When finalized, the updated HIPAA Security Rule will require yearly pen testing of systems that create, receive, maintain, or transmit electronic protected health information (ePHI). The required testing must be conducted by a qualified individual or entity that mimics realistic attacks to identify vulnerabilities. Organizations should begin performing annual penetration testing now, so they can document that their controls are working to prevent attacks before it’s too late.
What are the key elements of a defensible HIPAA risk analysis?
A defensible risk analysis identifies all risks and vulnerabilities to ePHI across every system that creates, receives, maintains, or transmits ePHI. It must be documented, repeated whenever the environment changes, and completed before a risk management plan is implemented; that plan prioritizes risks, implements specific security controls to mitigate them, and documents efforts to remediate outstanding risks. Learn how HALOCK’s HIPAA risk assessment process conforms to ISO 27005 and NIST 800-30.
Are business associates (BAs) liable for the same level of enforcement risk as covered entities?
Yes. Business associates are liable for HIPAA violations under their own HIPAA Security Rule responsibilities and face the same enforcement risk from OCR as a covered entity. OCR announced a $515,000 settlement with Consociate Health this past April 2026. This should serve as a reminder to all organizations that outsource to a third-party administrator, billing services, cloud providers, or any other type of business associate that OCR will audit and fine business associates when their security programs do not meet HIPAA standards.
What can a healthcare organization do today to help prevent a ransomware attack?
Run a documented risk analysis. If you do not have one, that is the first step; then remediate your findings with a risk management plan. Test your incident response plan (IRP) and downtime procedures to confirm they work and that your staff knows how to perform them. Start penetration testing to confirm your security controls are working as designed to protect against real-world attacks. Lastly, review ALL of your Business Associate Agreements (BAAs) to confirm your vendors are doing their part to protect PHI.
AUTHOR: Cindy Kaplan
