Health Entities and Ransomware — HHS Adopts a “Blame the Victim” Strategy. Let’s See if It Works.
The HHS Office for Civil Rights has decided, with increasing clarity, that when ransomware actors victimize health care entities, OCR will ask a second question after the criminals have finished their work: What did the victim do to make the crime easier?
That is not how OCR would describe its enforcement program. OCR would say it is enforcing the HIPAA Security Rule, requiring accurate and thorough risk analyses, documented risk management, system activity review, incident response, breach notification, and reasonable safeguards for electronic protected health information. That is all true. But the enforcement posture is unmistakable. OCR is treating ransomware not merely as a criminal attack against a covered entity or business associate, but as evidence that the regulated entity may have failed to anticipate, prevent, detect, contain, or recover from the attack.
On April 23, 2026, OCR announced four HIPAA Security Rule settlements arising from ransomware investigations involving Regional Women’s Health Group, LLC, doing business as Axia Women’s Health; Assured Imaging Affiliated Covered Entities; Consociate, Inc., doing business as Consociate Health; and Star Group, L.P. Health Benefits Plan. Together, the incidents affected more than 427,000 individuals and resulted in $1.165 million in settlement payments, plus two-year corrective action plans. HHS Off. for C.R., HHS’ Office for Civil Rights Settles Four HIPAA Security Rule Ransomware Investigations (Apr. 23, 2026).
The cases are settlements, not judicial opinions. They contain no admissions of liability. They do not establish precedent in the formal sense. But in the real world of HIPAA enforcement, resolution agreements and corrective action plans are OCR’s common law. They show what OCR believes the Security Rule requires, what facts OCR considers aggravating, and what remediation OCR demands when ransomware exposes security weaknesses.
The central theme is not exotic. It is not zero-day malware. It is not state-sponsored tradecraft. It is not the impossibility of defending hospitals, physician groups, imaging centers, third-party administrators, and self-funded health plans against transnational cybercriminal syndicates. It is the old, dull, persistent HIPAA requirement that covered entities and business associates perform an “accurate and thorough assessment of the potential risks and vulnerabilities” to the confidentiality, integrity, and availability of electronic protected health information. 45 C.F.R. § 164.308(a)(1)(ii)(A).
Shared Liability
That is the “blame the victim” move. OCR is not saying that the ransomware actor was blameless. OCR is saying that the victim was regulated. And regulated victims have legal duties before the attack, during the attack, and after the attack.
In the Regional Women’s Health Group matter, OCR alleged that a December 2020 cyberattack affected 37,989 individuals and that the covered entity failed to conduct an accurate and thorough risk analysis. The settlement required a $320,000 payment and a corrective action plan. HHS Off. for C.R., Regional Women’s Health Group, LLC Resolution Agreement and Corrective Action Plan. The important lesson is in the corrective action plan. OCR required a risk analysis covering all facilities, electronic equipment, data systems, and applications that contain, store, transmit, or receive ePHI. It also required a complete inventory of electronic equipment, data systems, off-site storage facilities, and applications containing or storing ePHI, together with vulnerability scanning and penetration testing.
That is a long way from the three-ring binder labeled “HIPAA Policies.” OCR wants asset inventory, data-flow awareness, technical testing, documented remediation, and repeatable governance. The covered entity that cannot identify where ePHI resides cannot credibly say that it has analyzed risks to that ePHI. The covered entity that has never tested its environment cannot credibly say that its safeguards are reasonable. The covered entity that learns, after encryption, that no one knew where the backups were or whether they were clean has not merely had a bad day. It has created an OCR exhibit.
Assured Imaging is more pointed. OCR alleged that PYSA ransomware encrypted Assured Imaging’s electronic medical records system in May 2020, that attackers exfiltrated data affecting 244,813 individuals, that Assured Imaging had not conducted a compliant Security Rule risk analysis, that there was an impermissible disclosure of ePHI, and that affected individuals were not notified within the required 60-day period. The settlement amount was $375,000. HHS Off. for C.R., Assured Imaging Resolution Agreement and Corrective Action Plan; see also 45 C.F.R. § 164.404(b).
Assured Imaging is the breach-notification lesson. In ransomware events, organizations often want to wait until the forensic report is final, the patient population is fully validated, the files are fully reviewed, the threat actor’s claims are assessed, law enforcement weighs in, and outside counsel has blessed every sentence. HIPAA does not give entities that luxury. Notice must be provided without unreasonable delay and no later than 60 calendar days after discovery of a breach. 45 C.F.R. § 164.404(b). The practical rule is that the notification workstream must begin on day one, not when IT says the incident is “over.”
Consociate Health is the business associate and dwell-time case. Consociate discovered ransomware-encrypted files in January 2021 and later learned that its systems had been compromised six months earlier following a phishing attack. The incident affected approximately 136,539 individuals. OCR again alleged failure to conduct an accurate and thorough risk analysis, and the settlement amount was $225,000. HHS Off. for C.R., Consociate, Inc. Resolution Agreement and Corrective Action Plan.
The ransomware event was the explosion. The compromise was the fuse. That distinction matters. Modern ransomware is rarely just encryption. It often involves credential theft, privilege escalation, lateral movement, staging, compression, exfiltration, and then encryption as leverage. A risk analysis that does not address phishing-resistant authentication, privileged access, remote access, endpoint detection, centralized logging, vulnerability management, and anomalous access review is not meaningfully analyzing ransomware risk. It is analyzing yesterday’s ransomware problem.
Star Group’s Health Benefits Plan is a self-funded plan warning. OCR alleged that Star Group’s self-funded employee benefits plan suffered a ransomware breach affecting about 9,316 individuals and failed to conduct an accurate and thorough risk analysis. The plan paid $245,000. HHS Off. for C.R., SG Health Plan Resolution Agreement and Corrective Action Plan. OCR’s announcement identified affected ePHI as including names, addresses, dates of birth, Social Security numbers, and health insurance information such as member identification numbers, claims data, and benefit selection information. HHS Off. for C.R., HHS’ Office for Civil Rights Settles Four HIPAA Security Rule Ransomware Investigations (Apr. 23, 2026).
This is important because many employers still treat self-funded plan data as if it were ordinary HR information. It is not. A self-funded group health plan is a HIPAA-covered entity. Claims, eligibility, enrollment, benefits, and plan administration data can be PHI. A ransomware event involving the plan’s data environment is therefore not merely an employee-relations matter, a benefits-administration embarrassment, or an IT outage. It is a HIPAA incident.
OCR’s legal theory rests on the Security Rule’s structure. The Security Rule does not require a covered entity to prevent every attack. It does not require perfect security. It requires reasonable and appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. 45 C.F.R. §§ 164.306, 164.308, 164.310, 164.312. It requires risk analysis, risk management, sanction policies, information system activity review, security incident procedures, contingency planning, access controls, audit controls, integrity controls, authentication, and transmission security. 45 C.F.R. §§ 164.308(a)(1), 164.308(a)(6), 164.308(a)(7), 164.312(a)–(e).
OCR’s ransomware guidance makes the enforcement logic even clearer. HHS states that the presence of ransomware or malware on a covered entity’s or business associate’s system is a security incident under the HIPAA Security Rule. HHS also states that when ePHI is encrypted by ransomware, a breach has occurred because the attacker has acquired possession or control of the information, unless the regulated entity can demonstrate a low probability that the PHI has been compromised based on the Breach Notification Rule’s risk assessment factors. HHS Off. for C.R., Fact Sheet: Ransomware and HIPAA (last reviewed Sept. 20, 2021); 45 C.F.R. § 164.402.
That presumption is critical. In an ordinary theft case, the question may be whether PHI was actually acquired or viewed. In a ransomware case, OCR starts from the proposition that the attacker’s control over encrypted ePHI is enough to trigger breach analysis. The entity can rebut the presumption only with evidence. Evidence means logs, forensic artifacts, access records, network telemetry, endpoint data, exfiltration analysis, threat actor communications, file access evidence, and documented mitigation. If the entity lacks logging, lacks retention, lacks endpoint visibility, or lacks forensic preservation, it may lack the very evidence needed to avoid notification or mitigate enforcement.
This is where the “blame the victim” strategy may work. OCR is using after-the-fact enforcement to force before-the-fact discipline. The message is that ransomware preparedness is not optional cybersecurity hygiene. It is HIPAA compliance. An entity that fails to prepare for a reasonably anticipated ransomware attack may be liable not because criminals attacked it, but because ransomware is now a reasonably anticipated threat and the entity failed to address that threat in its risk analysis and risk management program.
There are limits to this strategy. The Fifth Circuit’s decision in University of Texas M.D. Anderson Cancer Center v. United States Department of Health & Human Services, 985 F.3d 472 (5th Cir. 2021), remains a cautionary precedent for OCR. In that case, the court vacated a $4.348 million HIPAA civil money penalty as arbitrary, capricious, and contrary to law. The court rejected HHS’s position that M.D. Anderson failed to implement encryption merely because three devices were not encrypted, reasoning that the regulation required implementation of “a mechanism” for encryption and decryption, not perfect encryption of every device in every circumstance. Id. at 478–80. As of this writing the decision has not been overruled, although as a Fifth Circuit decision it binds only courts within that circuit.
M.D. Anderson explains why OCR prefers settlements. Litigation forces OCR to prove the violation, defend its interpretation of the regulations, justify penalty calculations, and survive Administrative Procedure Act review. Settlements do not. A covered entity facing an OCR ransomware investigation must therefore make a practical decision, not merely a legal one. It can contest OCR’s theory and potentially create precedent. Or it can settle, pay less than the cost of prolonged litigation, accept a corrective action plan, and avoid becoming the next test case.
The 2025 proposed Security Rule amendments show where OCR wants the law to go. HHS proposed modifications to strengthen the cybersecurity of ePHI, including more explicit obligations around technology asset inventories, network maps, risk analysis, vulnerability management, patching, encryption, multifactor authentication, penetration testing, and documentation. HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025). None of the sources reviewed here identifies the proposed rule as having been finalized, but it remains highly relevant because it expresses OCR’s view that many of these practices are not novel aspirations. They are, in OCR’s view, clarifications of what serious Security Rule compliance already requires.
Covered entities and business associates should therefore assume that future ransomware investigations will begin with a request for the risk analysis and proceed immediately to determine whether the risk analysis was real. The risk analysis should identify all systems that create, receive, maintain, or transmit ePHI. It should include cloud platforms, EHRs, imaging systems, email, file shares, identity providers, backup environments, remote access systems, medical devices, billing platforms, analytics tools, APIs, third-party portals, acquired practices, and outsourced service providers. It should document threats, vulnerabilities, likelihood, impact, existing controls, residual risk, remediation plans, responsible owners, target dates, and risk acceptance decisions.
The risk analysis should not be annual theater. It should be updated when the environment changes, when a new system is deployed, when an acquisition occurs, when remote access changes, when a new vendor is added, when a material vulnerability is discovered, when a security incident occurs, and when ransomware tactics materially evolve. The proposed rule expressly identifies environmental and operational changes, new technology assets, patching, newly recognized threats, mergers, security incidents, and legal changes as events that may affect ePHI and therefore matter to risk analysis. HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025).
The risk management plan must then close the loop. The Security Rule requires implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. 45 C.F.R. § 164.308(a)(1)(ii)(B). For ransomware, that means phishing-resistant multifactor authentication where feasible, especially for remote and privileged access; privileged access management; least privilege; endpoint detection and response; rapid patching of exploited vulnerabilities; secure configuration; network segmentation; email filtering; malicious software controls; immutable or offline backups; restoration testing; centralized logging; vulnerability scanning; penetration testing; security awareness training; and incident response exercises.
Backups deserve special attention. A backup is not a ransomware control unless it is isolated, protected from deletion or encryption, regularly tested, and capable of restoring critical clinical and business systems within tolerable downtime. HIPAA’s contingency planning standard requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan, and treats testing and revision procedures and application and data criticality analysis as addressable specifications, which means an entity that skips them must document why. 45 C.F.R. § 164.308(a)(7). The useful evidence is not “we have backups.” The useful evidence is a dated restoration test showing what was restored, from what backup set, how long it took, whether the data were complete, whether malware was absent, what recovery-time and recovery-point objectives were achieved, and what corrective actions followed.
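What such a dated restoration test can look like when it is scripted rather than narrated, as an added example that is not code from the settlements, the corrective action plans, or HHS guidance. The backup set, file contents, timestamps, objectives, manifest key, and “known-bad” hash are all constructed for the demonstration; the HMAC-keyed manifest and hash denylist are this example’s own design choices (the denylist stands in for the AV/EDR scan of the restored set that a real test would run), not something the Security Rule prescribes.

```python
"""Scripted backup restoration test that yields a dated evidence record.

Added example, not code from the settlements or HHS guidance. It restores a
constructed backup set into a scratch directory, checks every file against a
keyed manifest, screens the restored files against a hash denylist (a stand-in
for an AV/EDR scan), and records RTO/RPO achieved against stated objectives.
"""
import hashlib
import hmac
import json
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Hypothetical manifest key kept outside the backed-up environment (a vault),
# so an intruder who encrypts or rewrites the backup store cannot also forge
# the manifest the restoration test trusts.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, taken_at: datetime) -> dict:
    """Per-file SHA-256 plus an HMAC over the canonical listing."""
    body = {"taken_at": taken_at.isoformat(),
            "files": {name: sha256(data) for name, data in files.items()}}
    canonical = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(MANIFEST_KEY, canonical, "sha256").hexdigest()
    return body


def manifest_is_authentic(manifest: dict) -> bool:
    body = {k: v for k, v in manifest.items() if k != "mac"}
    canonical = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, canonical, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def restoration_test(backup_set: dict, manifest: dict, known_bad: set,
                     incident_at: datetime, rto_objective: timedelta,
                     rpo_objective: timedelta) -> dict:
    """Restore, verify, screen, and time the run; return the evidence record."""
    if not manifest_is_authentic(manifest):
        raise ValueError("manifest MAC mismatch: backup set may have been tampered with")
    started = time.monotonic()
    failed, malware_hits = [], []
    with tempfile.TemporaryDirectory() as scratch:
        for name, expected in manifest["files"].items():
            data = backup_set.get(name)
            if data is None:
                failed.append((name, "missing"))
                continue
            target = Path(scratch, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            actual = sha256(target.read_bytes())  # hash what actually landed on disk
            if actual != expected:
                failed.append((name, "hash mismatch"))
            if actual in known_bad:
                malware_hits.append(name)
    rto = timedelta(seconds=time.monotonic() - started)
    rpo = incident_at - datetime.fromisoformat(manifest["taken_at"])
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "backup_taken_at": manifest["taken_at"],
        "files_expected": len(manifest["files"]),
        "files_verified": len(manifest["files"]) - len(failed),
        "failed": failed,
        "complete": not failed,
        "malware_hits": malware_hits,
        "rto_seconds": round(rto.total_seconds(), 3),
        "rto_met": rto <= rto_objective,
        "rpo_hours": round(rpo.total_seconds() / 3600, 2),
        "rpo_met": rpo <= rpo_objective,
        "passed": (not failed and not malware_hits
                   and rto <= rto_objective and rpo <= rpo_objective),
    }


# Constructed sample: a nightly backup taken a few hours before encryption began.
TAKEN_AT = datetime(2021, 1, 7, 23, 0, tzinfo=timezone.utc)
INCIDENT_AT = datetime(2021, 1, 8, 2, 10, tzinfo=timezone.utc)
CLEAN_SET = {
    "ehr/patients.db": b"constructed stand-in for an EHR database",
    "billing/claims.csv": b"claim_id,member_id,amount\n1,M001,120.00\n",
    "imaging/study-0001.dcm": b"constructed stand-in for a DICOM file",
}
CLEAN_MANIFEST = build_manifest(CLEAN_SET, TAKEN_AT)
SHELL = b"<%-- constructed stand-in for a dropped web shell --%>"
KNOWN_BAD = {sha256(SHELL)}  # stand-in for an AV/EDR hash feed


def run_demo() -> dict:
    """Three runs: a clean set, a ransomware-mangled file, a backup that captured malware."""
    objectives = dict(incident_at=INCIDENT_AT, rto_objective=timedelta(hours=4),
                      rpo_objective=timedelta(hours=24))
    corrupted = dict(CLEAN_SET, **{"billing/claims.csv": b"\x00" * 16})
    infected = dict(CLEAN_SET, **{"web/uploads/upload.aspx": SHELL})
    return {
        "clean": restoration_test(CLEAN_SET, CLEAN_MANIFEST, KNOWN_BAD, **objectives),
        "corrupted": restoration_test(corrupted, CLEAN_MANIFEST, KNOWN_BAD, **objectives),
        "infected": restoration_test(infected, build_manifest(infected, TAKEN_AT),
                                     KNOWN_BAD, **objectives),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2, default=str))
```

The record answers each question in the paragraph above with a value rather than an adjective: completeness is the manifest comparison, malware absence is the screening result, and the RTO and RPO are measured against the objectives the entity wrote down beforehand. The infected run is the case to notice: it restores completely and still fails, which is exactly the backup that would reinfect a rebuilt environment.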
Logging is equally important because ransomware enforcement is often a proof problem. The covered entity must prove what happened, what did not happen, what PHI was accessed, what PHI was exfiltrated, and whether the risk to PHI was low enough to avoid breach notification. The Security Rule’s information system activity review requirement, 45 C.F.R. § 164.308(a)(1)(ii)(D), should be operationalized through centralized, tamper-resistant logging with retention long enough to investigate attacker dwell time; the Consociate timeline implies retention measured in months, not weeks. Logs should capture authentication, privilege changes, administrative activity, file access, database access, remote access, endpoint alerts, network traffic, data transfers, security tool disabling, and backup activity. Logs that are overwritten in seven days or encrypted with the rest of the environment may satisfy no one.
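How the retention problem plays out against a dwell time like Consociate’s, as an added example that is not code from the page’s sources. The key=value log lines, host and user names, event names, and the rules that map them to stages are all constructed for the demonstration and loosely mirror the pattern in that matter (a phishing-era login months before the encryption that finally gets noticed); they are not Consociate’s actual logs or timeline. The script correlates the precursor events into a timeline, finds the mass-rename burst that marks encryption, computes dwell time, and reports which precursors would already have aged out of the log store under a given retention policy.

```python
"""Correlate ransomware precursors across a long dwell time and check whether
log retention still covers them when the encryption is finally discovered.

Added example, not code from the page's sources. Log lines are constructed
(key=value syslog style) and loosely modeled on a phishing-then-encryption
pattern; hosts, users and event names are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical event names mapped to the stage they evidence.
STAGE_OF = {
    "auth.success": "initial_access",
    "group.member_added": "privilege_escalation",
    "edr.service_stopped": "defense_evasion",
    "backup.job_deleted": "backup_destruction",
}
RENAME_BURST_THRESHOLD = 50            # renames on one host inside the window
RENAME_BURST_WINDOW = timedelta(seconds=60)


def parse_line(line: str) -> dict:
    """'2020-07-14T09:12:03Z host=vpn01 event=auth.success user=jdoe ...' -> dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def is_suspicious(ev: dict) -> bool:
    """Only the risky variant of each event counts as a precursor."""
    kind = ev["event"]
    if kind == "auth.success":           # no MFA and a geography the user never uses
        return ev.get("mfa") == "no" and ev.get("geo") != ev.get("usual_geo")
    if kind == "group.member_added":     # membership in a high-privilege group
        return ev.get("group") in {"domain_admins", "backup_operators"}
    return kind in STAGE_OF


def find_rename_bursts(events: list) -> list:
    """Sliding window per host: >= THRESHOLD renames inside WINDOW marks encryption."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["event"] == "file.rename":
            by_host[ev["host"]].append(ev["ts"])
    bursts = []
    for host, stamps in by_host.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > RENAME_BURST_WINDOW:
                lo += 1
            if hi - lo + 1 >= RENAME_BURST_THRESHOLD:
                bursts.append((host, stamps[lo]))
                break
    return bursts


def analyze(lines: list, retention_days: int) -> dict:
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    stages = {}
    for ev in events:
        if is_suspicious(ev):
            stages.setdefault(STAGE_OF[ev["event"]], ev)  # keep the earliest per stage
    bursts = find_rename_bursts(events)
    if not bursts:
        return {"encryption_seen": False, "stages_found": sorted(stages)}
    host, encrypted_at = min(bursts, key=lambda b: b[1])
    first = min(stages.values(), key=lambda e: e["ts"]) if stages else None
    dwell = encrypted_at - first["ts"] if first else timedelta(0)
    retention = timedelta(days=retention_days)
    # Precursors older than the retention window are gone by discovery time,
    # and with them the evidence needed for the breach risk assessment.
    lost = sorted(s for s, ev in stages.items() if encrypted_at - ev["ts"] > retention)
    return {
        "encryption_seen": True,
        "encrypted_host": host,
        "encrypted_at": encrypted_at.isoformat(),
        "first_precursor": first["event"] if first else None,
        "dwell_days": dwell.days,
        "stages_found": sorted(stages),
        "stages_lost_at_retention": lost,
    }


def sample_lines() -> list:
    """Constructed log lines: benign noise plus a six-month intrusion."""
    lines = [
        "2020-07-13T08:00:00Z host=vpn01 event=auth.success user=mlee src=198.51.100.4 geo=US usual_geo=US mfa=yes",
        "2020-07-14T09:12:03Z host=vpn01 event=auth.success user=jdoe src=203.0.113.7 geo=RO usual_geo=US mfa=no",
        "2020-07-14T09:40:51Z host=dc01 event=group.member_added actor=jdoe member=svc_backup group=domain_admins",
        "2020-09-02T11:15:00Z host=dc01 event=group.member_added actor=admin member=nurse7 group=vpn_users",
        "2020-11-20T14:02:10Z host=ws07 event=file.rename user=mlee file=notes/draft.docx",
        "2021-01-08T02:03:10Z host=fs02 event=edr.service_stopped actor=svc_backup service=edr_agent",
        "2021-01-08T02:05:44Z host=bkp01 event=backup.job_deleted actor=svc_backup job=nightly_ehr",
    ]
    for i in range(60):  # the encryption burst on the file server
        lines.append(f"2021-01-08T02:10:{i:02d}Z host=fs02 event=file.rename user=svc_backup "
                     f"file=share/patients/{i:04d}.docx.locked")
    return lines


if __name__ == "__main__":
    for days in (7, 365):
        print(days, "day retention ->", analyze(sample_lines(), days))
```

With seven-day retention the initial login and the privilege grant are gone by the time the file server starts renaming, leaving only the two events from the night of the encryption; with a year of retention the whole chain is still there. The rename-burst rule is deliberately simple (a count per host per minute) and would need tuning against a real environment’s baseline, but the retention arithmetic is the point: evidence that was never retained cannot be produced, whether to OCR or to rebut the breach presumption.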
Business associate management must become more muscular. Consociate demonstrates that business associates are direct OCR targets, but covered entities are still exposed when business associates fail. Covered entities should require evidence of HIPAA risk analyses, security control implementation, breach-notification cooperation, subcontractor controls, incident response capability, backup testing, cyber insurance, penetration testing, and vulnerability remediation. Business associate agreements should not merely recite regulatory language. They should contain operational notice obligations, escalation contacts, forensic cooperation duties, data-return and destruction terms, subcontractor flow-down requirements, and clear responsibility for costs arising from security incidents.
Breach notification must be built into the incident response plan. The legal team should not wait for IT to declare finality. The response plan should immediately preserve evidence relevant to the four-factor breach risk assessment under 45 C.F.R. § 164.402: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. The plan should identify who decides whether notification is required, who drafts notices, who validates addresses, who communicates with OCR, who handles media notices when required, who coordinates substitute notice, who manages call centers, and who tracks the 60-day deadline.
Recognized security practices should be treated as mitigation evidence. Public Law 116-321 amended the HITECH Act to require HHS to consider whether covered entities and business associates have adequately demonstrated recognized security practices in place for the prior 12 months when determining fines, audits, and remedies. HHS discussed implementation of this statutory requirement in its 2022 request for information. Considerations for Implementing the Health Information Technology for Economic and Clinical Health Act, 87 Fed. Reg. 19,833 (Apr. 6, 2022).
This creates a practical defensive file. Every covered entity and business associate should maintain a rolling 12-month evidence binder showing recognized security practices. That file should include the current risk analysis, asset inventory, ePHI data-flow maps, risk management plan, vulnerability scans, penetration-test summaries, patching metrics, MFA deployment metrics, backup restoration tests, tabletop exercises, incident response updates, workforce training records, phishing simulation results, access reviews, vendor security reviews, business associate agreement inventory, board or executive security briefings, and remediation tracking. The purpose is not to make the organization look good after a breach. The purpose is to make the organization prove, contemporaneously, that it acted reasonably before the breach.
NIST Special Publication 800-66 Revision 2 remains one of the best practical tools for this work. NIST describes it as a cybersecurity resource guide for implementing the HIPAA Security Rule, helping regulated entities understand Security Rule concepts and safeguard ePHI. Nat’l Inst. of Standards & Tech., Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, NIST SP 800-66 Rev. 2 (Feb. 2024). NIST guidance is not itself binding law, but it is a credible framework for organizing compliance evidence and translating regulatory standards into operational controls.
Will OCR’s “blame the victim” strategy work? It depends on what one means by “work.”
It may work as deterrence. Health care entities are rational actors operating under constrained budgets, clinical pressures, vendor dependencies, legacy systems, and thin margins. OCR settlements change the cost-benefit calculus. They tell boards, executives, physician groups, benefit-plan committees, and business associates that failing to fund ransomware preparedness is not just an IT risk. It is a regulatory risk.
It may work as a compliance accelerator. The health care sector has been told for years to conduct real risk analyses, implement MFA, patch systems, test backups, train staff, segment networks, monitor logs, and manage vendors. OCR’s settlements convert those recommendations into enforcement expectations. The proposed Security Rule amendments reinforce the direction of travel. The message is no longer “you should.” It is “you should already have.”
It may not work as justice. There is something conceptually uncomfortable about punishing the victim of a crime because the victim was insufficiently hardened against criminals. Hospitals, clinics, imaging centers, and health plans are not ransomware gangs. They are targets. Enforcement after an attack can look like regulatory piling on, especially for smaller entities that lack the resources of national health systems. The government’s strategy risks appearing to say, “You were robbed; now pay the government.”
But HIPAA has always been a regulatory floor, not a sympathy doctrine. OCR’s answer is that health entities hold extraordinarily sensitive information, ransomware is foreseeable, and patients suffer when regulated entities fail to prepare. Patients do not care whether their Social Security numbers, diagnoses, claims data, reproductive health information, imaging records, or prescriptions were exposed because of a sophisticated attacker or a neglected server. They care that the entity entrusted with the data did not protect it.
The hard truth for covered entities and business associates is therefore this: after ransomware, OCR will not grade the attacker. OCR will grade the victim. The exam questions are already known. Where was the ePHI? What were the risks? Who analyzed them? What did management do about them? Were safeguards implemented? Were logs reviewed? Were backups tested? Were vendors managed? Was the workforce trained? Was the incident contained? Was the breach analysis documented? Were notices timely? Were lessons learned incorporated into the security management process?
If the entity can answer those questions with documents created before the ransomware attack, OCR’s blame-the-victim strategy may become survivable. If the entity starts creating those answers after the ransom note appears, the strategy will work exactly as OCR intends.

