OCR’s April Ransomware Settlements: A Risk Analysis Wake-Up Call

Four enforcement actions, one recurring finding: organizations still are not conducting an “accurate and thorough” risk analysis.
On April 23, 2026, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced four settlements with HIPAA-regulated entities after separate ransomware investigations. In total, the incidents affected more than 427,000 individuals and resulted in $1,165,000 in settlements.
Across all four cases, OCR’s message was consistent: the organizations “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”
That’s why the HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) is worth a close read: it doesn’t just reiterate the requirement for a risk analysis; it gets specific about what an accurate and thorough risk analysis should look like. Here is what HHS expects an accurate and thorough risk analysis to include:
What “Accurate and Thorough” Looks Like
- Inventory your assets. Maintain a complete inventory of systems and technologies that create, receive, maintain, or transmit ePHI or could impact its confidentiality, integrity, or availability.
- Map ePHI data flows. Document how ePHI moves across systems and networks using data-flow diagrams or network diagrams, including business associate technologies outside your environment.
- Identify where ePHI resides. Clearly document all locations where ePHI is stored or processed, such as applications, databases, endpoints, cloud services, backups, and shared storage.
- Identify and prioritize risks. Document relevant threats and vulnerabilities, then assess likelihood and impact to prioritize remediation efforts.
- Account for supply-chain risk. Include vendors and contractors that handle ePHI and maintain a documented process to assess and manage business associate risk.
- Document and manage risk. Record the results of the risk analysis and implement risk management measures to reduce identified risks.
- Keep it current. Update the analysis when systems, processes, or threats change and after incidents or significant events.
And of course, what would a blog be without mentioning AI? If you’re using AI tools that touch ePHI or influence decisions about ePHI, include them in your inventory, data-flow mapping, and threat modeling.
The Takeaway
OCR’s April 2026 settlements are a reminder to ensure your organization is conducting an accurate, thorough, and timely risk analysis. Now is the time to refresh it, document it, and tie it directly to a holistic risk management program.