HHS Settlement Follows Business Associate Breach Exposing 4,304 Individuals’ ePHI on the Internet

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has announced a settlement with a business associate that provides wellness plans to clients nationwide.

OCR began investigating the business associate for violating HIPAA's Security Rule after the business associate filed four breach reports within three months stating that electronic protected health information (ePHI) was discoverable online. Web crawlers (automated programs that search engines use to index web content) were able to reach and index the ePHI because of a software misconfiguration on the server that hosted it. The data breach affected 4,304 individuals.

As a result of its investigation, OCR found that the business associate had failed to conduct an accurate and thorough assessment of the "potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI" it held.

The resolution agreement requires the business associate to pay $227,816 and follow a two-year corrective action plan (CAP). Under the CAP, the business associate must develop and submit the following:

  • An annually updated risk analysis;
  • A risk management plan;
  • A process for evaluating environmental and operational changes; and
  • Written policies and procedures to address vulnerabilities identified in the risk analysis.

The settlement is an enforcement action under OCR's Risk Analysis Initiative, which is designed to emphasize that covered entities and business associates must prioritize the Security Rule's risk analysis requirement. Note that the misconfiguration here was on a business associate's server, yet the ePHI belonged to the covered entities' plan participants. This settlement is a reminder that covered entities must investigate and evaluate potential business associates to confirm that they maintain and regularly review a HIPAA-compliant risk analysis, one that accounts for systems exposed to the internet.

HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you are in compliance with the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 470-571-1007.


Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.
