The Office for Civil Rights (OCR) entered into two recent settlements with covered entities alleging that they failed to conduct security risk assessments. The settlements indicate that OCR will continue to aggressively regulate potential violations of the Health Insurance Portability and Accountability Act (HIPAA), particularly for failure to conduct risk assessments.
Deer Oaks
On July 7, 2025, OCR announced a settlement with Deer Oaks, a behavioral health provider, for alleged violations of HIPAA. The settlement resolves OCR’s allegations that Deer Oaks “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it held.”
OCR commenced an investigation into Deer Oaks following a complaint that it had made patient names, dates of birth, patient identification numbers, facilities, and diagnoses publicly accessible online by disclosing patient discharge summaries. OCR confirmed that the discharge summaries of 35 individuals were publicly available on the internet from at least December 2021 until May 19, 2023.
OCR expanded its investigation following another incident, in which Deer Oaks experienced a breach after an account was compromised. That incident resulted in exfiltration of data and an extortion threat that electronic personal health information (ePHI) would be posted on the dark web. Following that incident, Deer Oaks provided notification to the Department of Health and Human Services and to the 171,871 affected individuals.
Based on its investigation into both incidents, OCR found that Deer Oaks failed to conduct an accurate and thorough risk assessment. The settlement includes payment of $225,000 and implementation of a corrective action plan that OCR will monitor for two years, which requires Deer Oaks to:
- Review and update its risk analysis;
- Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Develop, maintain, and revise as necessary, certain written policies and procedures to comply with the HIPAA Rules; and
- Provide annual training for each workforce member who has access to PHI.
Comstar, LLC
On May 30, 2025, OCR announced its settlement with Comstar, LLC, a business associate providing billing and collection services to ambulance companies, for allegations that it had failed to conduct a security risk assessment.
The investigation was initiated after Comstar notified OCR that it was the victim of a ransomware attack that encrypted its network servers and affected the ePHI of approximately 585,621 individuals. The data affected by the ransomware attack included medical assessments and medication administration information. OCR’s investigation “determined that Comstar failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it holds.”
Comstar agreed to pay OCR $75,000 and implement a corrective action plan, including its agreement to:
- Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that Comstar holds;
- Develop a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
- Review and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules; and
- Train its workforce members who have access to PHI on HIPAA policies and procedures.
The requirements OCR set with these two entities provide guidance to covered entities and business associates. HIPAA requires conducting an annual risk assessment, which has been, and will continue to be, a priority for OCR. In addition, entities are required to develop a risk management plan to address the gaps found in the risk assessment, including addressing security gaps, updating policies and procedures to manage the risks, and training employees on an annual basis. These HIPAA requirements are not new. Following the requirements and heeding the clear guidance provided by OCR will reduce the risk of an OCR enforcement action and potential monetary settlement.