OCR Continues Ransomware and Risk Analysis Enforcement Initiatives

7/1/2026
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced the settlement of its HIPAA investigation of the employer-sponsored group health plan (Plan) of Spencer Gifts LLC. By way of background, the Plan filed a breach report with OCR in January 2022 after discovering that an unauthorized actor accessed the company’s network and deployed ransomware, encrypting data on the company’s systems, including servers storing the Plan’s protected health information (PHI), and demanding a ransom. OCR found that the Plan had potentially violated HIPAA, including by failing to conduct an accurate and thorough risk analysis to determine potential risks and vulnerabilities to PHI and failing to implement appropriate HIPAA policies and procedures prior to the breach incident. Under the terms of the settlement, the Plan will pay a $450,000 fine and implement a two-year corrective action plan.







