Risk Analysis in the Crosshairs: Four Recent Ransomware Resolutions Preview the HIPAA Security Rule Amendments
On April 23, 2026, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced resolution agreements and corrective action plans with four regulated entities following separate ransomware investigations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlements are the culmination of OCR investigations into separate ransomware breaches collectively affecting more than 427,000 individuals and involving the exposure of unsecured electronic protected health information (ePHI) – demographic data, Social Security numbers, financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities agreed to implement corrective action plans subject to OCR monitoring for two years and pay a total resolution amount of $1,165,000 to OCR.

U.S. HHS Office of General Counsel Statement of Organization Suggests Potential Consolidation, Expansion of Authority
On March 14, 2025, the U.S. Department of Health and Human Services (HHS) issued a revised Statement of Organization for the Office of the General Counsel (HHS-OGC). Changes include a return to an organizational structure more like the early days of the first Trump administration for the lawyers advising the Food and Drug Administration (FDA), as well as the closing of certain regional HHS-OGC offices. Additional changes could potentially signal an effort to consolidate and expand HHS-OGC’s authority, especially with respect to matters currently opined upon by lawyers advising the HHS Office of Inspector General (HHS-OIG). Stakeholders should consider opportunities to engage with HHS in light of the changes announced in the March 2025 Statement of Organization.
