OCR Settles $1.5M HIPAA Breach Case with Community Health Network
The HHS Office for Civil Rights reached a $1.5M settlement with a multi-site community health center for a breach affecting 28,000 patient records. Root cause: an unencrypted email containing PHI was sent to a third-party vendor without a current Business Associate Agreement (BAA). The settlement requires a 3-year corrective action plan including annual risk assessments, workforce training, and BAA remediation. The pattern is consistent with FQHCs that lack formalized HIPAA compliance programs.
Key takeaways
- $1.5M settlement for breach affecting 28,000 patient records at multi-site community health center
- Root cause: unencrypted email with PHI sent to vendor without current BAA
- 3-year corrective action plan required: annual risk assessments, workforce training, BAA remediation
Primary source
HHS Office for Civil Rights
FQHC Talent. (2026, March 1). OCR Settles $1.5M HIPAA Breach Case with Community Health Network. Primary source: HHS Office for Civil Rights. Retrieved April 28, 2026, from https://www.fqhctalent.com/intel/ocr-hipaa-breach-settlement-march-2026