The U.S. Department of Health and Human Services Office for Civil Rights (OCR) continues to stress the importance of conducting risk analyses. OCR recently announced yet another breach settlement — this time with an employer-sponsored group health plan — and noted that the plan had failed to conduct an accurate and thorough risk analysis. This is the 14th enforcement action in OCR’s Risk Analysis Initiative.
The Biden administration launched the Risk Analysis Initiative as a targeted effort to reduce breaches tied to weak or non-existent risk analyses, according to cybersecurity and compliance company Clearwater. “But under the Trump administration, the initiative has continued, with enforcement actions and expectations becoming more explicit. Now under the leadership of OCR Director, Paula M. Stannard, it is clear that a comprehensive risk analysis is vital in today’s environment, as ransomware and supply chain threats continue to escalate,” the Clearwater description continued.
In the most recent announcement, OCR described a settlement with Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans, the employer-sponsored group health plan of Spencer Gifts LLC, a national retail company, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
“Effective cybersecurity starts with Security Rule compliance, ensuring that Security Rule provisions are implemented before a cyberattack occurs,” said Stannard in a statement. “Regulated entities — including covered group health plans — should ensure these protections are firmly in place well before a cyberattack occurs, so the privacy and security of individuals’ health information remain safeguarded.”
OCR noted that the risk analysis provision of the HIPAA Security Rule requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) held by those organizations.
The settlement resolves an investigation that OCR initiated after the plan filed a breach report on January 24, 2022. The plan had received complaints from employees who were unable to connect to the virtual private network. The plan discovered that in November 2021, an unauthorized actor had accessed the company’s network and deployed ransomware, encrypting data on the company’s systems, including servers storing the plan’s PHI, and demanding a ransom. The PHI of 10,023 individuals was potentially affected by the breach, including health plan members' names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers.
OCR found that the plan had potentially violated provisions of the Privacy and Security Rules, including:
• Failing to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the plan prior to the breach incident; and
• Failing to implement reasonable and appropriate policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules prior to the breach incident.
Under the terms of the resolution, the plan paid $450,000 and agreed to a two-year corrective action plan monitored by OCR. Under the corrective action plan, the plan has committed to:
• Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
• Review and, to the extent necessary, revise its current Privacy, Security, and Breach Notification Rule policies and procedures to comply with the HIPAA Rules;
• Ensure that all workforce members are trained with respect to its Privacy, Security, and Breach Notification Rule policies and procedures;
• Periodically conduct, and update as needed, a risk analysis and develop and implement a risk management plan to address identified risks to the confidentiality, integrity, and availability of ePHI;
• Ensure audit controls are in place to record and examine information system activity;
• Implement regular review of information system activity;
• Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI;
• Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate;
• Incorporate lessons learned from incidents into the organization’s overall security management process; and
• Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
In April 2026 OCR announced settlements with four regulated entities following separate ransomware investigations. In each of these cases, the covered entities were cited for not conducting thorough risk analyses.
The settlements follow investigations into separate ransomware breaches that collectively affected over 427,000 individuals and involved the exposure of unsecured ePHI. The types of ePHI affected include demographic data, Social Security numbers (SSNs), financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities have agreed to implement corrective action plans subject to OCR monitoring for two years and paid a total of $1,165,000 to OCR.