HHS OCR Settles with Dental Software Company MMG Fusion — 15M PHI Records Exposed; FQHCs Using This Software Must Verify BAAs
HHS OCR settled with MMG Fusion LLC (dental practice management software) for an impermissible disclosure of PHI affecting approximately 15 million individuals — OCR's 11th enforcement action under its Security Risk Analysis Initiative. Penalty: $10,000 + 3-year corrective action plan. Any FQHC using MMG Fusion must verify its BAA and reassess vendor risk. OCR's SRA Initiative is now 12+ enforcement actions in: organizations without documented annual security risk analyses face real enforcement risk.
Key takeaways
- FQHCs using MMG Fusion dental software: verify your Business Associate Agreement immediately and conduct a vendor risk assessment
- OCR's Security Risk Analysis Initiative is accelerating — organizations without an annual documented SRA face increasing enforcement exposure
Primary source
HHS OCR
FQHC Talent. (2026, March 5). HHS OCR Settles with Dental Software Company MMG Fusion — 15M PHI Records Exposed; FQHCs Using This Software Must Verify BAAs. Primary source: HHS OCR. Retrieved April 28, 2026, from https://www.fqhctalent.com/intel/ocr-hipaa-mmg-fusion-dental-software-2026