OCR Settles $1.5M HIPAA Breach Case with Community Health Network
The HHS Office for Civil Rights reached a $1.5M settlement with a multi-site community health center over a breach affecting 28,000 patient records. Root cause: unencrypted email containing PHI was sent to a third-party vendor without a current Business Associate Agreement (BAA).
The settlement requires a 3-year corrective action plan, including annual risk assessments, workforce training, and BAA remediation. The pattern is consistent with FQHCs that lack formalized HIPAA compliance programs.
Key takeaways
- $1.5M settlement for breach affecting 28,000 patient records at multi-site community health center
- Root cause: unencrypted email with PHI sent to vendor without current BAA
- 3-year corrective action plan required: annual risk assessments, workforce training, BAA remediation
Primary source
HHS Office for Civil Rights
FQHC Talent. (2026, March 1). OCR Settles $1.5M HIPAA Breach Case with Community Health Network. Primary source: HHS Office for Civil Rights. Retrieved June 12, 2026, from https://www.fqhctalent.com/intel/ocr-hipaa-breach-settlement-march-2026