Cyber One Solutions logo.
Get Support

HIPAA Security Rule

OCR Keeps Settling Ransomware Cases Over One Missing Document: The Risk Analysis

July 3, 2026 · Cyber One Solutions

Four ransomware settlements totaling $1.165 million, and every one cites the same missing document: an accurate and thorough risk analysis. While the proposed HIPAA Security Rule update sits unfinalized, OCR is enforcing the current rule, and mid-size healthcare businesses and their vendors are the ones paying.

In April, the U.S. Department of Health and Human Services Office for Civil Rights announced settlements with four organizations over ransomware breaches that together exposed the health information of more than 427,000 people, according to the HHS announcement. The four paid a combined $1,165,000. Behind the different breach stories sits one shared finding: each organization failed to conduct an accurate and thorough risk analysis of the risks to its electronic protected health information.

The four were not careless giants. They were a women's health provider network with about 38,000 affected patients ($320,000), a medical imaging provider with about 245,000 ($375,000), a third-party benefits plan administrator with about 137,000 ($225,000), and a self-funded employee health plan with 9,316 members ($245,000). Each also accepted a corrective action plan with two years of OCR monitoring.

The Pattern Is the Point

OCR described these as its 19th and 20th completed ransomware investigations and the 13th enforcement action in its Risk Analysis Initiative. "Hacking and ransomware are the most frequent type of large breach reported to OCR," OCR Director Paula M. Stannard said in the announcement. The initiative exists because the same gap keeps appearing: organizations that never sat down and documented where their patient data lives, what threatens it, and what they are doing about it.

A month earlier, OCR settled with a dental marketing software vendor after a breach that affected roughly 15 million individuals, as described in the March HHS announcement. The company was a business associate, not a provider. OCR cited the same missing risk analysis, plus a failure to notify affected covered entities within the required 60 days.

Why This Matters for Healthcare Businesses

Three things stand out for medical and dental practices, clinics, and the companies that serve them.

Enforcement reaches well below hospital systems. A 9,316-member health plan drew a $245,000 settlement. The idea that OCR only pursues large health systems does not survive contact with this list.

Business associates are fully in scope. Two of the organizations above were vendors, not providers. If your business touches protected health information for clients, whether in billing, software, benefits administration, or IT, the HIPAA Security Rule applies to you directly, and so do breach notification duties.

The risk analysis is the enforcement centerpiece. It is typically the first document OCR requests after a reported breach. When it does not exist, or exists only as a template nobody filled in, the investigation tends to end in a settlement regardless of how the attackers got in.

Do Not Wait for the New Security Rule

A proposed update to the HIPAA Security Rule, published in January 2025, would make multi-factor authentication and encryption mandatory rather than addressable, require annual risk assessments and vulnerability testing, and tighten documentation expectations, per the HHS overview of the proposed rule. As of this writing, the final rule has not been published and OCR has announced no timeline.

Some organizations have read that delay as permission to defer security work until the rules are settled. The settlements above show why that is a mistake. Every one of them was brought under the current Security Rule, which has required a documented risk analysis for two decades. The proposed rule would raise the bar, but the bar that exists today is already the one organizations keep failing to clear.

What to Do Now

The Bottom Line

OCR is not waiting for the new Security Rule, and neither should you. The organizations on this list paid for a missing document as much as for a breach. A current, honest risk analysis is the least expensive item in HIPAA compliance and the one with the most enforcement weight behind it. Cyber One Solutions builds and maintains HIPAA Security Rule compliance programs for healthcare organizations and their vendors, anchored by IT and security assessments that produce the risk analysis and risk management documentation OCR expects, backed by managed cybersecurity that closes the gaps the analysis finds.

Sources