HIPAA's No Joke: Gag Gift Firm's Health Plan Pays $450K Fine
Data Breach Today
Investigation of Spencer's Gifts Ransomware Breach Unearths Data Privacy Violations
Marianne Kolbasuk McGee (HealthInfoSec) • June 19, 2026
The employee health plan of novelty gift retailer Spencer's has paid $450,000 to settle findings of a federal HIPAA investigation into a 2021 ransomware breach. (Image: Spencer's)
The employer-sponsored health plan of novelty merchandise retailer Spencer's Gifts has paid a $450,000 HIPAA penalty and agreed to implement a corrective action plan to resolve findings of a federal breach investigation into a 2021 attack by now-defunct ransomware gang Conti.
The New Jersey-based health plan reported the data breach in January 2022 as affecting 10,023 people, potentially compromising health plan members' names, addresses, zip codes, phone numbers, email addresses and Social Security numbers, said the U.S. Department of Health and Human Services' Office for Civil Rights on Thursday.
The health plan reported that it first learned of the incident when employees complained that they were unable to connect to its virtual private network. "The plan discovered that in November 2021, an unauthorized actor accessed the company's network and deployed ransomware, encrypting data on the company's systems, including servers storing the plan's PHI, and demanding a ransom," HHS OCR said.
Ransomware gang Conti claimed responsibility for the incident on its dark website in January 2022.
An HHS OCR investigation found the health plan prior to the breach had potentially violated provisions of the HIPAA privacy and security rules, including failing to conduct an accurate and thorough security risk analysis and failing to implement policies and procedures to comply with the HIPAA rules.
Besides paying the financial penalty, under the resolution agreement with HHS OCR, Spencer's Gifts will implement a corrective action plan that the federal agency will monitor for two years. Under that plan, the company agreed to conduct an accurate and thorough HIPAA security risk analysis; review and revise as needed its current HIPAA privacy, security and breach notification rule policies and procedures; and ensure that its workforce is trained in those policies and procedures.
Spencer's didn't immediately respond to ISMG's request for comment on the settlement and for additional details involving the ransomware incident.
The settlement marks HHS OCR's 20th enforcement action related to ransomware breaches and its 14th enforcement action spotlighting HIPAA security risk analysis deficiencies since the agency launched those two regulatory initiatives a few years ago.
"Effective cybersecurity starts with Security Rule compliance, ensuring that Security Rule provisions are implemented before a cyberattack occurs," said Paula Stannard, HHS OCR director, in a statement.
"Regulated entities - including covered group health plans - should ensure these protections are firmly in place well before a cyberattack occurs, so the privacy and security of individuals' health information remain safeguarded."
The size of the financial settlement with Spencer's - nearly half a million dollars - is noteworthy because of the relatively small number of people affected - about 10,000. Some regulated organizations have faced similar regulatory scrutiny in the wake of much larger HIPAA breaches but paid considerably smaller settlements to HHS OCR.
For instance, in April, HHS OCR disclosed that Assured Imaging, a California-based medical imaging and screening service provider, agreed to pay $375,000 to settle an investigation into a ransomware breach affecting 244,813 people. As in the Spencer's health plan breach investigation, HHS OCR found that Assured Imaging had also failed to conduct an accurate and thorough risk analysis (see: Poor Risk Analysis Cost 4 Firms $1.7 Million in HIPAA Fines).
"OCR's 20th ransomware settlement underscores that the agency is very serious about the quality and strength of compliance programs - not just breach size," said Rachel Seeger, founder and principal of North Country Communications, a consultancy specializing in healthcare crisis response and compliance.
"For regulated entities, the lesson is straightforward: Ransomware is a predictable threat, and a breach can open the door to deeper scrutiny," said Seeger, a former longtime adviser at HHS OCR.
"It's 2026. OCR expects organizations to know where electronic PHI resides, conduct and update risk analyses regularly, and ensure policies, procedures, and training are operational and routinely exercised," she said.