Risk Analysis in the Crosshairs: Four Recent Ransomware Resolutions Preview the HIPAA Security Rule Amendments
Overview
On April 23, 2026, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced resolution agreements and corrective action plans with four regulated entities[1] following separate ransomware investigations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.[2] The settlements are the culmination of OCR investigations into separate ransomware breaches collectively affecting more than 427,000 individuals and involving the exposure of unsecured electronic protected health information (ePHI) – demographic data, Social Security numbers, financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities agreed to implement corrective action plans subject to OCR monitoring for two years and pay a total resolution amount of $1,165,000 to OCR.
The settlements reinforce OCR’s focus on pre-breach compliance, particularly risk analyses and pre-incident security preparations. Although the resolution agreements contain no admission of liability, OCR identified the same core deficiency in all four matters: inadequate risk analysis. That requirement is set forth in 45 C.F.R. § 164.308(a)(1)(ii)(A): “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
This approach also tracks a broader enforcement trend. The pending Security Rule amendments would codify requirements appearing in guidance and corrective action plans into the Security Rule, including greater specificity for risk analysis, asset inventories, ePHI mapping, multi-factor authentication (MFA), encryption, vulnerability management, granular technical controls, and an annual audit of compliance with the Security Rule. The Unified Agenda for HHS currently identifies the proposed rule as in the final rule stage, with a May 2026 final action target. If finalized as proposed, regulated entities would have 240 days from publication to come into compliance. HHS’ recent reorganization of OCR to include a distinct division on Health Information Privacy, Data, and Cybersecurity also indicates an increased focus on HIPAA enforcement.
Key Takeaways
Risk analysis is the through-line. According to OCR, all four settlements include a failure to conduct an accurate and thorough risk analysis prior to the breaches (45 CFR § 164.308(a)(1)(ii)(A)). Two settlements also cite impermissible disclosures of ePHI, and one cites a failure to timely notify affected individuals of a breach. In addition, each entity agreed to pay a resolution amount to OCR: Regional Women’s Health Group, LLC ($320,000 in connection with a 2020 breach affecting 37,989 individuals); Assured Imaging Affiliated Covered Entities ($375,000 in connection with a 2020 breach affecting 244,813 individuals); Consociate, Inc. ($225,000 in connection with a ransomware attack discovered in January 2021 affecting 136,539 individuals); and Star Group, L.P. Health Benefits Plan ($245,000 in connection with a 2021 breach affecting 9,316 individuals).
Regulated entities whose risk analyses do not reflect current ePHI flows and asset inventories, or whose security controls fall short of those contemplated in the proposed Security Rule amendments, face compounding exposure: current enforcement risk under existing Security Rule requirements, and the prospect of a compressed compliance window if the rule is finalized as proposed. Updating risk analyses and controls now may better position regulated entities to comply within the 240-day window if the rule is finalized as currently proposed. Critically, OCR estimates that implementation could cost regulated entities more than $9 billion in first-year implementation costs, with roughly $6 billion in recurring annual costs for years two through five. Early scoping and prioritization of the proposed Security Rule’s requirements may help organizations identify higher-risk gaps and plan for potential remediation efforts.
Why This Matters Now
- OCR Is Focusing on a Particular, Recurring Event – Inadequate Risk Analysis
The shared finding across these four settlements is that, according to OCR, each of the settling organizations lacked a risk analysis compliant with the HIPAA Security Rule.
As reflected in these settlements, OCR is approaching a ransomware event as a way to assess pre-incident governance. In an effort to prevent similar breaches in the future, OCR, as part of its Risk Analysis Initiative, recommends any entity looking to comply with the HIPAA Security Rule do the following:
- Identify where ePHI is located and how it moves through information systems;
- Periodically conduct, and update as needed, a risk analysis, as required by HIPAA;
- Ensure audit controls are in place to record and examine information system activity;
- Implement regular reviews of system activity;
- Use authentication mechanisms to ensure only authorized users access ePHI;
- Encrypt ePHI in transit and at rest;
- Incorporate lessons learned from previous incidents into security management; and
- Provide workforce members with regular HIPAA training.
In practical terms, OCR appears to be inquiring whether the organization should have managed its ransomware exposure more responsibly before the attack.
- OCR Is Treating Risk Analysis as an Operational Control
The corrective action plans reflect what OCR appears to consider a defensible risk analysis. From OCR’s perspective, a defensible risk analysis should be tied to a current asset inventory, ePHI data flows, vulnerability information, control effectiveness, accountable owners, remediation timelines, and change management. OCR’s corrective action plans also require submission of scope and methodology, OCR review, revisions until approval, risk management plans, annual reassessment, and policy updates. That sequence makes risk analysis the starting point for remediation.
For example, the Consociate plan requires a risk analysis that incorporates all facilities and evaluates risks across electronic equipment, data systems, programs, and applications. It also must include a complete inventory, vulnerability scans, and penetration testing. Similarly, the prescribed action plan for SG Health Plan requires an inventory of facilities, electronic equipment, data systems, and applications, along with documented review of controls involving network segmentation, infrastructure, vulnerability scanning, logging and alerts, and patch management, and separation between the plan sponsor and health plan.
OCR’s posture in these settlements appears to align closely with the proposed Security Rule amendments, which would impose more prescriptive and granular requirements.
- The Rulemaking Points Toward More Prescriptive Requirements
The proposed Security Rule reinforces this enforcement approach. OCR has indicated the proposed amendment is intended to address changes in health care delivery, increases in breaches and cyberattacks, common deficiencies observed in OCR investigations, cybersecurity best practices, and court decisions affecting enforcement. The proposed amendment, once finalized, would expressly codify activities that OCR views as important to risk analysis, including technology asset inventories and mapping how ePHI moves through information systems. It also would require encryption of ePHI, with limited exceptions.
Another noteworthy proposed change is the removal of the distinction between “addressable” and “required” implementation specifications. Under the proposed amendment, implementation specifications would become mandatory, subject to specific limited exceptions. As noted above, the proposed amendment also includes more detailed standards for vulnerability scanning, monitoring authoritative vulnerability sources, penetration testing, patching, MFA, network segmentation, audit logs, and data backup and recovery.
Conclusion
OCR’s ransomware settlements with Regional Women’s Health Group, Assured Imaging Resolution, Consociate, Inc., and SG Health Plan reflect the agency adjusting its focus from post-breach review toward pre-breach accountability. The agency is not limiting its inquiry to whether an organization responded appropriately after encryption or exfiltration. OCR is probing whether the organization had already identified its ePHI, understood its technical environment, evaluated foreseeable vulnerabilities, and connected those findings to remediation.
The settlements suggest that static risk assessments, generic policies, business associate agreements without technical verification, or remediation plans untethered to actual assets may face increasing regulatory risk. The anticipated Security Rule amendment may increase that risk by turning current enforcement expectations into more prescriptive requirements. OCR’s recent enforcement action, coupled with the proposed amendment to the Security Rule, suggests that pre-breach risk analysis is the focal point for evaluating HIPAA-related cybersecurity compliance.
Taken together, the four settlements and pending Security Rule amendment suggest that OCR increasingly views pre-breach risk analysis as the foundation of HIPAA cybersecurity compliance.
[1] The entities included Regional Women’s Health Group, LLC (d/b/a Axia Women’s Health), a health care provider network; Assured Imaging Affiliated Covered Entities, an imaging provider; Consociate, Inc. (d/b/a Consociate Health), a business associate third-party administrator; and Star Group, L.P. Health Benefits Plan, a self-funded health plan. The settlement agreements are available here: Regional Women’s Health Group; Assured Imaging Resolution; Consociate, Inc.; and SG Health Plan.
[2] HHS’ Office for Civil Rights Settles Four HIPAA Security Rule Ransomware Investigations.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

