Behavioral Health Provider Agrees to Pay $225,000 HIPAA Settlement Following Multiple Data Breaches

Saul Ewing LLP

On July 7, 2025, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced a $225,000 settlement with Deer Oaks – The Behavioral Health Solution (“Deer Oaks”), a provider of psychological and psychiatric services to residents of long-term care and assisted living facilities, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. Deer Oaks admitted no wrongdoing as part of the settlement, and HHS did not concede that Deer Oaks was in compliance with HIPAA or that it is not liable for civil money penalties. The settlement follows OCR’s investigation into two incidents involving the impermissible disclosure of electronic protected health information (“ePHI”): an online exposure of patient discharge summaries and a ransomware attack.

What You Need to Know:

  • OCR continues to prioritize enforcement of the HIPAA Security Rule, with a particular focus on entities that fail to conduct comprehensive risk analyses.
  • HIPAA-covered entities and business associates must maintain HIPAA Security Rule and Privacy Rule compliance.
  • Timely breach notification and proper workforce training remain critical compliance requirements.

OCR’s investigation began in May 2023 after it received a complaint alleging that Deer Oaks had made patient discharge summaries publicly accessible online. These summaries included patient names, dates of birth, identification numbers, facilities, and diagnoses. OCR’s investigation confirmed that the ePHI was accessible on the Internet from at least December 2021 until May 2023, affecting 35 individuals. Deer Oaks attributed the disclosure to a coding error in a since-discontinued pilot online patient portal.

OCR expanded its investigation in July 2024 after Deer Oaks experienced a second breach in August 2023. A threat actor compromised a Deer Oaks account, claimed to have exfiltrated data, and demanded payment to avoid posting the ePHI on the dark web. This incident led to breach notifications to HHS, to the 171,871 affected individuals, and to the media.

Based on its investigations, OCR found that Deer Oaks had failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to its ePHI as required under the HIPAA Security Rule.

Under the terms of the resolution agreement, Deer Oaks agreed to pay $225,000 and entered into a two-year corrective action plan (“CAP”). As part of the CAP, Deer Oaks agreed to each of the following:

  • Conduct and complete an accurate and thorough analysis of security risks and vulnerabilities, and annual reviews and updates, as necessary, of its risk analysis to determine potential risks to the confidentiality, integrity, and availability of its ePHI.
  • Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in its risk analysis.
  • Develop, maintain, and revise, as necessary, policies and procedures to comply with the HIPAA Rules.
  • Provide annual training for each workforce member who has access to PHI on Deer Oaks’ written HIPAA policies and procedures.

A copy of the Deer Oaks resolution agreement and corrective action plan can be accessed here: Deer Oaks Behavioral Health Solutions Resolution Agreement

In the HHS OCR press release announcing the Deer Oaks settlement, OCR recommends that health care providers and other regulated entities take the following steps to mitigate or prevent cyber threats:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Periodically conduct, and update as needed, a risk analysis and develop and implement a risk management plan to address the risks identified.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Saul Ewing LLP
