In the past several weeks, the U.S. Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR") has announced settlements with three health care organizations — Comstar, LLC ("Comstar"); Guam Memorial Hospital Authority ("GMHA"); and Vision Upright MRI ("Vision Upright") — for alleged violations of the HIPAA Security Rule and Breach Notification Rule. These settlements reflect OCR's ongoing enforcement efforts under the Trump Administration targeting ransomware incidents, inadequate risk analyses, and failure to timely notify affected individuals following data breaches. Importantly, OCR's focus on these parties' failure to perform risk analyses continues the 2024 Risk Analysis Initiative that OCR began under the Biden Administration.
What You Need to Know:
- OCR continues to prioritize enforcement of the HIPAA Security Rule, with a particular focus on entities that fail to conduct comprehensive risk analyses.
- HIPAA-covered entities and business associates must maintain HIPAA Security Rule and Privacy Rule compliance.
- Timely breach notification and proper workforce training remain critical compliance requirements.
Comstar Settlement
On May 30, 2025, OCR announced a settlement with Comstar, a Massachusetts company that provides billing, collection, and related services to non-profit and municipal emergency ambulance services. OCR initiated its investigation after receiving Comstar’s breach report that an unknown actor had gained unauthorized access to Comstar’s network servers in March 2022. The ransomware attack, which Comstar did not detect for one week, compromised the ePHI of approximately 585,621 individuals. At the time, Comstar served as a business associate to over seventy HIPAA-covered entities.
OCR determined that Comstar failed to conduct an accurate and thorough risk analysis as required under the Security Rule. The exposed ePHI included sensitive clinical information, such as medical assessments and medication administration details.
To resolve the matter, Comstar entered into a settlement agreement that includes a payment of $75,000 to OCR and a two-year corrective action plan requiring Comstar to:
- Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that Comstar holds;
- Develop a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
- Review and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules; and
- Train its workforce members who have access to PHI on its HIPAA policies and procedures.
GMHA Settlement
On April 17, 2025, OCR reached a settlement with GMHA, a public hospital in the U.S. territory of Guam, following two separate complaints involving unauthorized access to ePHI. The first complaint, submitted in January 2019, concerned a ransomware attack impacting approximately 5,000 individuals. The second, submitted in March 2023, alleged additional unauthorized access to patient records.
OCR’s investigation concluded that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to its ePHI. The settlement agreement includes a payment of $25,000 to OCR and a three-year corrective action plan requiring GMHA to:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
- Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules;
- Augment its existing HIPAA and security training program so all workforce members with access to PHI understand the HIPAA requirements and GMHA’s HIPAA policies and procedures;
- Enhance workforce security and information access management by reviewing all access credentials that have been granted access to ePHI; and
- Conduct breach risk assessments and provide evidence to OCR that all breach notification obligations have been met.
Vision Upright Settlement
In a separate action, on May 15, 2025, OCR entered into a resolution agreement with Vision Upright, a California-based healthcare provider specializing in radiology services. OCR initiated its investigation after discovering that Vision Upright had suffered a breach involving unauthorized access to its Picture Archiving and Communication System (“PACS”) server, exposing the medical images of 21,778 individuals.
OCR found that Vision Upright had never conducted a HIPAA risk analysis and had failed to comply with the Breach Notification Rule's 60-day notification requirement. Under the resolution agreement, Vision Upright paid $5,000 to OCR and agreed to a two-year corrective action plan under which Vision Upright will take steps to improve its compliance with the HIPAA Security and Breach Notification Rules and protect the security of ePHI, including:
- Providing required breach notifications to affected individuals, HHS and the media;
- Submitting to OCR its most recently completed risk analysis, which must include all electronic media, regardless of source or location (i.e., electronic equipment, data systems, programs, off-site data storage and applications), that contains, stores, transmits or receives ePHI;
- Developing and implementing a risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis;
- Developing, maintaining, and revising, as necessary, written policies and procedures to comply with the HIPAA Rules; and
- Providing workforce training on HIPAA policies and procedures to all workforce members that have access to ePHI.
OCR’s Recommendations for Covered Entities and Business Associates
In connection with these settlements, OCR recommends that health care providers and other parties take the following steps to mitigate or prevent cybersecurity threats and maintain HIPAA compliance:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
- Integrate risk analysis and risk management into the organization’s business processes.
- Ensure that audit controls are in place to record and examine information system activity.
- Implement regular reviews of information system activity.
- Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
Ongoing risk analysis remains an important compliance step that HIPAA-covered entities and business associates should implement. Many of the recent HIPAA settlements include a requirement that the affected party perform a risk analysis as one element of its corrective action plan. Ransomware incidents continue to be prevalent in the health care delivery system. An effective, regularly repeated risk analysis is a very important compliance initiative: it helps the entity reduce its exposure in the short term, and it can be an important longer-term mitigating factor if OCR later investigates the covered entity or business associate.