OCR Fines Health Plan $245K Over HIPAA Lapses After Ransomware Breach
OCR fined a self-funded group health plan $245,000 for failing to conduct an adequate HIPAA risk analysis, a gap uncovered after a ransomware attack.
Why it matters: Self-funded group health plans face escalating federal scrutiny on HIPAA compliance, with risk analysis and security assessments under close review. Legal leaders at these organizations should proactively evaluate their current security measures to avoid costly enforcement actions.
- OCR imposed a $245,000 settlement and a two-year corrective action plan on the group health plan.
- A 2021 ransomware attack exposed names, Social Security numbers, and other sensitive health data.
- OCR found the plan failed to conduct adequate risk analysis as required under the HIPAA Security Rule.
- The enforcement is part of OCR’s ongoing push to address gaps in risk analysis and documentation.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced a $245,000 enforcement action against a self-funded employer group health plan after a 2021 ransomware event exposed extensive health information.
- Attackers accessed electronic protected health information (ePHI)—defined under HIPAA as any protected health data created, received, stored, or transmitted electronically. Exposed data included names, Social Security numbers, dates of birth, insurance info, and claims details.
- OCR’s investigation found the plan had not conducted an adequate risk analysis, a cornerstone of the HIPAA Security Rule, which requires covered entities (and their business associates) to perform an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and to revisit that assessment as their environment changes.
- The plan must now implement a two-year corrective action plan that includes performing a thorough risk analysis, adopting a risk management plan, and submitting to ongoing federal monitoring (read the official HHS announcement).
- This case falls under OCR’s "Risk Analysis Initiative", a targeted effort in recent years to enforce the Security Rule’s risk analysis standard against health plans and healthcare providers (JD Supra).
OCR’s action underscores a clear message: health plans, especially self-funded ones, face increased oversight of their security safeguards for ePHI. Legal and compliance counsel should ensure the organization has a current, documented risk analysis covering every system that stores or transmits ePHI, a risk management plan that tracks remediation of the identified risks, and records of both that can be produced on request, in line with HIPAA’s documentation requirements.
By the numbers:
- $245,000 — HIPAA settlement paid by the group health plan to OCR
- 2 years — Duration of the federally mandated corrective action plan
Yes, but: While OCR’s enforcement focus is clear, its guidance on what counts as an adequate risk analysis is not prescriptive. The Security Rule lets organizations tailor their approach to their size, complexity, and capabilities, so the burden is on each entity to show that its assessment was thorough for its own environment.
What's next: Further enforcement notices targeting insufficient risk analysis are likely as OCR continues its initiative.