Poor Risk Analysis Cost 4 Firms $1.7 Million in HIPAA Fines
bankinfosecurity: HHS OCR Breach Investigators Again Find All-Too-Common Risk Analysis Failures
Marianne Kolbasuk McGee (HealthInfoSec) • April 24, 2026

Faulty or non-existent security risk analyses cost a medical imaging provider, a women's healthcare group, a health plan and a third-party insurance administrator a collective $1.7 million in fines after federal regulators concluded they didn't do enough to prevent ransomware attacks.
The U.S. Department of Health and Human Services' Office for Civil Rights on Thursday said breaches by ransomware hackers at the firms compromised the electronic protected health information - including names, birth dates, addresses, Social Security numbers and medical details - of about 427,000 individuals.
HHS OCR has long stressed that the HIPAA security rule requires businesses to conduct accurate, timely and thorough assessments of the potential risks and vulnerabilities. Yet weak security risk analysis is a ...
Copyright of this story belongs solely to bankinfosecurity.

