Poor Risk Analysis Cost 4 Firms $1.7 Million in HIPAA Fines
HHS OCR Breach Investigators Again Find All-Too-Common Risk Analysis Failures
Marianne Kolbasuk McGee (HealthInfoSec) • April 24, 2026
Faulty or non-existent security risk analyses cost a medical imaging provider, a women's healthcare group, a health plan and a third-party insurance administrator a collective $1.7 million in fines after federal regulators concluded they didn't do enough to prevent ransomware attacks.
The U.S. Department of Health and Human Services' Office for Civil Rights on Thursday said breaches by ransomware hackers at the firms compromised the electronic protected health information - including names, birth dates, addresses, Social Security numbers and medical details - of about 427,000 individuals.
HHS OCR has long stressed that the HIPAA security rule requires businesses to conduct accurate, timely and thorough assessments of the potential risks and vulnerabilities. Yet weak security risk analysis is a recurrent theme of HIPAA fines (see: Why Do HIPAA Risk Analyses Miss the Mark So Often?).
Proponents of risk assessments say they shouldn't be a paperwork exercise, given the fierce pace of ransomware attacks in the healthcare sector (see: How Attack, Ransom, Breach Trends Are Evolving).
"Hacking and ransomware are the most frequent type of large breach reported to OCR," said Paula Stannard, OCR director, in a statement. "Proactively implementing the HIPAA security rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack."
Fines announced Thursday include a $375,000 settlement with Assured Imaging Affiliated Covered Entities, a medical imaging and screening service provider with headquarters in Arizona and California. The PYSA ransomware gang in 2020 encrypted and stole Assured Imaging's patient data, affecting nearly 245,000 individuals. HHS OCR said the organization "never conducted a compliant" risk analysis.
The other fines include a $320,000 settlement with Regional Women’s Health Group, which does business as Axia Women’s Health; a $245,000 settlement with Star Group, L.P. Health Benefits Plan, known as SG Health Plan; and a $225,000 settlement with Consociate Health, a third-party administrator of employee-sponsored benefit programs.
Each of the resolution agreements requires a corrective action plan with two years of HHS OCR monitoring.
The corrective action plans require that the entities conduct and document accurate and thorough assessments of the potential security risks and vulnerabilities to the confidentiality, integrity and availability of all their ePHI - and also implement security measures to address and mitigate the problems identified in the risk assessment.
What's So Tough About Risk Assessments?
Key omissions frequently arise in the security risk analyses of HIPAA regulated entities.
They include not conducting a risk analysis at all, completing a risk analysis but not documenting it, or taking no demonstrable action to remediate findings. A related common issue is organizations conducting a gap assessment of HIPAA compliance rather than a full-fledged security risk analysis.
"OCR will not recognize a gap assessment as a risk analysis," said Keith Fricke, partner and principal consultant at security and privacy consultancy tw-Security.
"Gap analyses for compliance identify where policies, procedures and plans exist. A risk analysis identifies reasonably anticipated threats, controls, vulnerabilities, a risk ranking and an action plan," he said.
Also, a HIPAA risk analysis should include all systems that store, process, or transmit electronic protected health information, something that a gap analysis does not address, he said.
Another common pitfall is carrying risks over year-to-year without resolving them. "This could lead to increased fines if a breach resulted from a risk that was known and documented for a long time," Fricke said.
HHS OCR offers a free security risk analysis tool that walks users through the security risk assessment process using a wizard-based approach, guiding users through multiple-choice questions, threat and vulnerability assessments, and asset and vendor management (see: Feds Release Updated HIPAA Security Risk Analysis Tool).
Many entities lack the time or expertise to conduct an accurate and thorough security risk analysis internally, and some lack the financial resources to seek outside help.
"Budget is often a primary factor, especially for small healthcare organizations. Some organizations know they are obligated to address risk findings once those risks are identified. Ignorance is not bliss - it can be seen as willful neglect," Fricke said.
The cost of a security risk analysis conducted by external assessors depends on the size of the organization and the complexity of its IT environment, devices and applications. "Understand that risk identification is critical to protecting patient data and necessary for any organization providing patient services. Do something," said Kerry McConnell, a partner at tw-Security.
Fricke suggested that businesses create and maintain an inventory of all ePHI systems and assess them against threats, documenting the associated controls and vulnerabilities in their efforts to improve their risk analysis and risk management. "Assign risk scores, create an action plan and track remediation," he said.
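As an added illustration of the steps Fricke describes (an ePHI system inventory assessed against threats, with controls, vulnerabilities, risk scores, an action plan and remediation tracking) and of the two pitfalls above (systems left out of the analysis, and risks carried over year to year), here is a small Python risk register. It is not from the article or from tw-Security; the systems, findings, dates and the likelihood-times-impact scoring are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed example: a 1-3 scale for likelihood and impact, multiplied into a score.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Finding:
    system: str            # ePHI system taken from the inventory
    threat: str            # reasonably anticipated threat
    vulnerability: str     # weakness the threat could exploit
    controls: tuple        # controls already in place
    likelihood: str
    impact: str
    first_identified: date
    owner: str = ""        # who is accountable for remediation
    remediated: bool = False

    def score(self) -> int:
        return LEVEL[self.likelihood] * LEVEL[self.impact]

def uncovered_systems(inventory, findings):
    """ePHI systems with no finding at all: the analysis did not cover them."""
    assessed = {f.system for f in findings}
    return sorted(s for s in inventory if s not in assessed)

def action_plan(findings, today, review_days=365):
    """Open findings ranked by score, flagging unowned and carried-over items."""
    rows = []
    for f in findings:
        if f.remediated:
            continue
        rows.append({
            "system": f.system, "threat": f.threat, "score": f.score(),
            "owner": f.owner or "UNASSIGNED",
            "stale": (today - f.first_identified).days > review_days,
        })
    return sorted(rows, key=lambda r: (-r["score"], r["system"]))

# Constructed inventory, findings and review date for a small practice.
AS_OF = date(2026, 4, 24)
INVENTORY = ["EHR", "PACS", "billing", "backup-NAS"]
FINDINGS = [
    Finding("EHR", "ransomware", "no offline backups", ("EDR",), "high", "high",
            date(2024, 3, 1), owner="IT lead"),
    Finding("PACS", "ransomware", "unpatched image server", (), "high", "high",
            date(2025, 9, 15)),
    Finding("billing", "phishing", "no MFA on vendor portal", ("awareness training",),
            "medium", "medium", date(2025, 6, 1), owner="Finance", remediated=True),
]
```

Running `uncovered_systems(INVENTORY, FINDINGS)` exposes the unassessed backup system, and `action_plan(FINDINGS, AS_OF)` surfaces the EHR finding as carried over for more than a year and the PACS finding as having no owner.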
"Don’t overthink it. Start small if necessary," McConnell added. "Don’t be afraid to get help - even if only every other year. Stop having the mentality that you only have to run faster than your peers to avoid getting caught by the bear."
Frequent risk analysis failures in the healthcare sector help explain why a proposed update to the HIPAA Security Rule is very prescriptive and detailed about what a risk analysis must include, Fricke said (see: What's in HHS' Proposed HIPAA Security Rule Overhaul?).
HHS OCR has not yet said how it might proceed with the proposed update to the HIPAA security rule, published in the final days of the Biden administration (see: Feds Are Still Assessing Proposed HIPAA Security Rule Update).