OCR Continues Ransomware and Risk Analysis Enforcement Initiatives

BACK TO INSIGHTS     Articles

7/1/2026

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced the settlement of its HIPAA investigation of the employer-sponsored group health plan (Plan) of Spencer Gifts LLC. By way of background, the Plan filed a breach report with OCR in January 2022 after discovering that an unauthorized actor accessed the company’s network and deployed ransomware, encrypting data on the company’s systems, including servers storing the Plan’s protected health information (PHI), and demanding a ransom. OCR found that the Plan had potentially violated HIPAA, including by failing to conduct an accurate and thorough risk analysis to determine potential risks and vulnerabilities to PHI and failing to implement appropriate HIPAA policies and procedures prior to the breach incident. Under the terms of the settlement, the Plan will pay a $450,000 fine and implement a two-year corrective action plan.

The settlement marks OCR’s 20th ransomware enforcement action and 14th enforcement action in its Risk Analysis Initiative. OCR continues to emphasize that HIPAA covered entities and their business associates should take steps to mitigate or prevent cyberthreats, including:

  • Identify where ePHI exists in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Periodically conduct, and update as needed, a risk analysis and develop and implement a risk management plan to address identified risks to the confidentiality, integrity, and availability of ePHI.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize mechanisms to authenticate information to ensure that only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and the workforce members’ respective job duties.

If you need assistance with your organization’s privacy and security program, contact:
Lani M. Dornfeld, CHPC | 973.403.3136 | ldornfeld@bracheichler.com

*This is intended to provide general information, not legal advice. Please contact the authors if you need specific advice.

Related Practices:   Healthcare Law

Related Attorney:   Lani M. Dornfeld

Related Industry:   Healthcare