Settlement Follows Federal Investigation Into Data Leak and Ransomware Attack

A Texas-based mental healthcare provider has been fined $225,000 for failing to conduct a comprehensive risk analysis. The penalty follows a federal investigation triggered by an accidental data leak and compounded by a ransomware attack in 2023.
The Department of Health and Human Services’ Office for Civil Rights (HHS OCR) announced that Deer Oaks Behavioral Health, located in San Antonio, will need to implement a corrective action plan alongside being monitored for a period of two years, as outlined in a recent resolution agreement.
Founded in 1992, Deer Oaks provides psychological and psychiatric services to residents in long-term care and assisted living facilities. The settlement stems from an inquiry initiated in May 2023, sparked by a complaint regarding unauthorized disclosure of electronic protected health information (ePHI) on publicly accessible discharge summaries. The data breach affected 35 patients and included sensitive information such as names, dates of birth, and diagnoses.
Investigators found that a coding error in a now-discontinued pilot program for an online patient portal was responsible for the exposure; the data remained accessible via search engines from December 2021 until May 19, 2023. That issue was only part of a broader inquiry: HHS OCR expanded its examination in July 2024 after a hacking incident on Deer Oaks’ IT network on August 29, 2023, attributed to a compromised account.
Cybercriminals allegedly obtained sensitive data and demanded a ransom to prevent its release on the dark web, though the settlement documents do not say whether Deer Oaks paid. The breach was reported to HHS OCR on July 31, 2024, and affected an estimated 171,871 individuals.
Analysis of Risk Management Failures
HHS OCR’s investigation revealed that Deer Oaks failed to conduct a thorough and accurate security risk analysis, a requirement under HIPAA regulations. Paula Stannard, director of HHS OCR, emphasized the importance of identifying potential risks and vulnerabilities to ePHI as a key measure in mitigating breaches.
This settlement marks at least the tenth enforcement action related to inadequate HIPAA risk analysis since HHS OCR designated risk analysis as a top priority in October 2024. Past cases indicate that entities under such investigations frequently have deficient risk analysis practices.
Common deficiencies observed include either the absence of a risk analysis or the failure to update existing analyses in response to new technological implementations or operational expansions impacting ePHI security.
Under the stipulations of the two-year corrective action plan, Deer Oaks is required to conduct annual reviews and updates of its risk analysis, develop a risk management plan, maintain relevant policies, and provide annual HIPAA training for employees with access to protected health information.
Deer Oaks has yet to respond to inquiries regarding the settlement, whose terms state that the resolution is neither an admission of liability nor a concession by HHS OCR regarding any potential violations of HIPAA rules. This settlement is HHS OCR’s 17th HIPAA enforcement action of 2025, including six settlements during the Biden administration and 11 during the Trump administration.