In April 2026, the HHS Office for Civil Rights announced four HIPAA Security Rule settlements resolving separate ransomware investigations. The cases — against Regional Women’s Health Group (Axia Women’s Health), Assured Imaging, Consociate Health, and the Star Group Health Benefits Plan — affected more than 427,000 individuals and produced $1,165,000 in penalties, with Assured Imaging alone paying $375,000 for a breach touching 244,813 people.
Four separate entities, four separate ransomware events, four separate corrective action plans under two years of OCR monitoring. And one recurring finding underneath all of them: the failure to conduct an accurate and thorough risk analysis. That common thread is the entire story. OCR is not penalizing these organizations for being hit by ransomware — it is penalizing them for never having understood, in any rigorous way, where their electronic protected health information lived and what threatened it. With the proposed HIPAA Security Rule amendments poised to make risk analysis dramatically more prescriptive, these settlements function as a preview of the standard healthcare organizations will be held to next.
The Pattern: Risk Analysis as the Universal Failure
OCR’s risk-analysis enforcement initiative, launched in 2023, has become the agency’s most reliable basis for resolution, and 2026 has been its most active year yet. The reason is structural. The Security Rule’s requirement at 45 CFR 164.308(a)(1)(ii)(A) — to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of all ePHI — is the foundation on which every other safeguard rests. If an organization has not done it, OCR can establish a clear, documented violation regardless of how the breach itself unfolded.
In each of the four 2026 cases, the agency found that the entity had failed to conduct a compliant risk analysis. In several, OCR also cited downstream failures that a proper analysis would have surfaced and forced the organization to address: inadequate access controls, insufficient monitoring, and — in Assured Imaging’s case — a failure to notify affected individuals within the 60-day window the Breach Notification Rule requires. The lesson is that the missing risk analysis is rarely an isolated paperwork gap. It is the absence of the very exercise that would have driven the controls whose absence let the ransomware succeed.
Why This Is a Preview, Not Just a Recap
What makes these settlements worth studying now, rather than filing away as routine enforcement, is their timing against the proposed HIPAA Security Rule amendments. The notice of proposed rulemaking published in January 2025 would, if finalized, substantially raise the bar for what “accurate and thorough” risk analysis means — moving the obligation from a flexible, addressable exercise toward a far more prescriptive set of requirements.
The proposed direction includes obligations that compliance teams should read directly into the current enforcement posture, because OCR is already resolving cases against their spirit:
- A written technology asset inventory and network map tracing how ePHI moves through systems. The Assured Imaging-style finding — that an entity could not demonstrate it understood where its ePHI was — is precisely what an asset inventory and data-flow map exist to prevent.
- Mandatory multifactor authentication across systems that access ePHI, with limited exceptions. Ransomware that enters through compromised credentials is the canonical failure MFA addresses.
- Encryption of ePHI at rest and in transit, again with narrow exceptions.
- Greater specificity and regular cadence in the risk-analysis process itself, with documentation requirements that make a thin or stale assessment far harder to defend.
The proposed rule’s spring-2026 finalization window has passed without a final rule, and there is no confirmed timeline. But the absence of a finalized regulation has not slowed enforcement — it has channeled it through the existing risk-analysis requirement. Organizations that treat the proposed controls as optional because the rule is not final are misreading the room. OCR is already penalizing the underlying failures under the rule as it stands.
What an “Accurate and Thorough” Risk Analysis Actually Requires
The four settlements, read together, define the floor by showing what falls below it. A defensible risk analysis in 2026 is not a checklist, a vendor questionnaire, or a one-time engagement filed and forgotten. At minimum it must:
- Inventory all ePHI and the systems that create, receive, maintain, or transmit it. You cannot assess risk to data whose location you have not mapped. This is the single most common failure point and the one the proposed asset-inventory requirement directly targets.
- Identify threats and vulnerabilities to each, including ransomware-relevant exposures — credential compromise, unpatched systems, flat networks, absent or weak MFA, and inadequate backups.
- Assess likelihood and impact with enough specificity to prioritize remediation, not merely to catalog risks.
- Drive a risk management plan that actually closes the gaps the analysis identifies. An analysis that surfaces vulnerabilities the organization never remediates is, in OCR’s eyes, close to no analysis at all.
- Be current. A risk analysis from three years and one infrastructure migration ago is not thorough as to the environment that was actually breached. Refresh it on a regular cadence and after material changes.
- Be documented. In enforcement, an undocumented analysis is an analysis that did not happen.
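The six requirements above describe a procedure, and the failures OCR cited are all detectable by checking a risk register against itself. The following added example (written for this article; it is not OCR's methodology, a tool the settlements reference, or any covered entity's code) models a small register and reports the gap types the settlements turned on: ePHI systems with nothing assessed against them, data flows to systems missing from the inventory, an analysis that is stale by age or by a material change since it was performed, and high-scoring findings that were never remediated. The asset names, dates, scoring scales and thresholds are constructed for illustration, not values from the Security Rule or the proposed amendments.

```python
"""Toy HIPAA risk-register gap checker (constructed example, not OCR guidance)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed thresholds for the example; the Security Rule sets no numeric values.
MAX_ANALYSIS_AGE = timedelta(days=365)
HIGH_RISK_THRESHOLD = 15  # likelihood * impact, each on a 1..5 scale


@dataclass
class Asset:
    """One entry in the technology asset inventory."""
    name: str
    holds_ephi: bool
    sends_to: List[str] = field(default_factory=list)  # downstream systems in the data-flow map


@dataclass
class Finding:
    """One threat or vulnerability assessed against an asset."""
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (negligible) .. 5 (severe)
    remediated: bool = False

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class RiskAnalysis:
    performed_on: date
    assets: List[Asset]
    findings: List[Finding]
    last_material_change: Optional[date] = None  # e.g. an infrastructure migration


def prioritized_open_findings(analysis: RiskAnalysis) -> List[Finding]:
    """Open findings ordered by risk score, i.e. the input to a risk management plan."""
    open_findings = [f for f in analysis.findings if not f.remediated]
    return sorted(open_findings, key=lambda f: f.score(), reverse=True)


def analysis_gaps(analysis: RiskAnalysis, today: date) -> List[str]:
    """Return human-readable reasons the analysis would not read as accurate and thorough."""
    gaps: List[str] = []
    inventory = {a.name for a in analysis.assets}
    assessed = {f.asset for f in analysis.findings}

    # 1. Every ePHI-bearing system needs at least one threat assessed against it.
    for a in analysis.assets:
        if a.holds_ephi and a.name not in assessed:
            gaps.append(f"unassessed: {a.name} holds ePHI but has no findings")

    # 2. Every data flow must land on an inventoried system, or ePHI location is unknown.
    for a in analysis.assets:
        for dest in a.sends_to:
            if dest not in inventory:
                gaps.append(f"unmapped: {a.name} sends ePHI to {dest}, which is not inventoried")

    # 3. Currency: too old, or the environment changed after the analysis was performed.
    if today - analysis.performed_on > MAX_ANALYSIS_AGE:
        gaps.append(f"stale: analysis performed {analysis.performed_on} exceeds the refresh window")
    if analysis.last_material_change and analysis.last_material_change > analysis.performed_on:
        gaps.append(f"stale: material change on {analysis.last_material_change} postdates the analysis")

    # 4. Risk management: high-risk findings that were identified but never closed.
    for f in prioritized_open_findings(analysis):
        if f.score() >= HIGH_RISK_THRESHOLD:
            gaps.append(f"unremediated: {f.asset} / {f.threat} (score {f.score()})")
    return gaps


# Constructed sample register; names and dates are illustrative only.
TODAY = date(2026, 4, 30)
SAMPLE = RiskAnalysis(
    performed_on=date(2024, 3, 1),
    last_material_change=date(2025, 6, 15),
    assets=[
        Asset("ehr-db", holds_ephi=True, sends_to=["billing-app", "imaging-archive"]),
        Asset("billing-app", holds_ephi=True),
        Asset("vpn-gateway", holds_ephi=False),
    ],
    findings=[
        Finding("vpn-gateway", "credential compromise, no MFA", likelihood=4, impact=5),
        Finding("ehr-db", "unpatched database host", likelihood=3, impact=5, remediated=True),
        Finding("ehr-db", "backups not isolated from production", likelihood=3, impact=4),
    ],
)

if __name__ == "__main__":
    for gap in analysis_gaps(SAMPLE, TODAY):
        print(gap)
```

Run against the constructed sample, the checker reports five gaps: the billing system holds ePHI but was never assessed, the imaging archive receives ePHI but is not in the inventory, the analysis is both older than a year and predates a material change, and the MFA finding (score 20) is still open. The backup finding (score 12) is ranked second for remediation but falls below the assumed high-risk threshold, which is the prioritization step the fourth requirement describes.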
What To Do Now
For HIPAA-covered entities and business associates, the four settlements collapse into a single directive: get the risk analysis right, and let it drive everything else. Concretely:
- Locate your most recent risk analysis and judge it honestly against the standard above. If it is a generic template, a checklist, or more than a year old, it will not survive an OCR investigation.
- Build the technology asset inventory and ePHI data-flow map now, ahead of any final rule. It is the foundation of a thorough analysis and is almost certainly coming as a mandate.
- Deploy MFA and encryption as if they were already required, because for practical enforcement purposes they effectively are. Both are addressable now and will be near-mandatory under the proposed rule.
- Confirm your 60-day breach-notification process works under pressure. Assured Imaging’s late notification was an independent violation. The notification clock is unforgiving, and “we were busy with incident response” is not a defense.
- Document the risk management plan, not just the risk analysis, and track remediation of identified vulnerabilities to closure.
OCR has been unusually clear about where it is looking. For deeper background on the agency’s enforcement priorities and the practical MFA and encryption steps these cases demand, see our HIPAA Security Rule 2026 enforcement action plan. The four ransomware settlements are not four anomalies. They are four illustrations of a single message: the risk analysis is the obligation, and the rest of the Security Rule is what a good one makes you do.
This article is provided for informational purposes only and does not constitute legal advice.