




















HHS OCR Settles HIPAA Security Rule Investigation with Top of the World Ranch Treatment Center for $103,000
On February 19, 2026, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a $103,000 settlement with Top of the World Ranch Treatment Center (“TWRTC”), an Illinois substance use disorder treatment provider, to resolve alleged noncompliance with the HIPAA Security Rule’s risk analysis requirement.
According to OCR’s announcement, the investigation stemmed from a March 2023 breach report filed by TWRTC following a phishing attack. An unauthorized third party accessed electronic protected health information (“ePHI”) through a workforce member’s email account, compromising the ePHI of 1,980 patients.
OCR concluded that TWRTC failed to conduct an accurate and thorough risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, as required by the HIPAA Security Rule.
In announcing the settlement, OCR Director Paula M. Stannard emphasized the importance of compliance with the Risk Analysis provision, particularly as regulated entities face increasing cybersecurity threats.
Settlement Terms and Corrective Action Plan
Under the resolution agreement, TWRTC agreed to:
OCR’s Risk Analysis Initiative
OCR identified this matter as its 11th enforcement action under its Risk Analysis Initiative, which focuses on compliance with the Security Rule’s requirement that covered entities and business associates conduct an accurate and thorough assessment of risks and vulnerabilities to ePHI.
OCR also reiterated practical steps regulated entities should take to mitigate cyber threats, including:
The investigation and settlement demonstrate OCR’s commitment to enforcing HIPAA requirements, particularly under the Security Rule.