The Office for Civil Rights (OCR) recently entered into two settlements with HIPAA-regulated entities, one a covered entity and one a business associate, alleging that each failed to conduct a security risk analysis. Robinson & Cole LLP discusses the enforcement actions.
Deer Oaks
On July 7, 2025, OCR announced a settlement with Deer Oaks, a behavioral health provider, for alleged violations of HIPAA. The settlement resolves OCR’s allegations that Deer Oaks “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it held.”
OCR commenced an investigation into Deer Oaks following a complaint that patient discharge summaries containing names, dates of birth, patient identification numbers, facilities, and diagnoses were publicly accessible online. OCR confirmed that the discharge summaries of 35 individuals were publicly available on the internet from at least December 2021 until May 19, 2023.
OCR later expanded its investigation after a second incident, in which Deer Oaks experienced a breach resulting from a compromised account.
Comstar, LLC
On May 30, 2025, OCR announced its settlement with Comstar, LLC, a business associate providing billing and collection services to ambulance companies, over allegations that it had failed to conduct a security risk analysis.
The investigation was initiated after Comstar notified OCR that it was the victim of a ransomware attack that encrypted its network servers and affected the ePHI of approximately 585,621 individuals. The data affected by the ransomware attack included medical assessments and medication administration information. OCR’s investigation “determined that Comstar failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it holds.”
Read more about OCR’s investigations, findings, and settlements at The National Law Review.