OCR Settles 4 HIPAA Ransomware Cases — $1.165M Bundled Penalty, 427K Patients Exposed
On April 23, 2026, the HHS Office for Civil Rights announced settlements with four healthcare entities (Regional Women's Health Group/Axia Women's Health, Assured Imaging, Consociate Health, and Star Group LP Health Benefits Plan) for HIPAA ransomware breaches affecting 427,000 patients. Total penalty: $1,165,000, plus a 2-year corrective action plan for each entity. Common root cause across all four: failure to conduct an accurate Security Rule risk analysis. This is OCR's 19th ransomware investigation completed under its dedicated ransomware enforcement initiative, and the first time it bundled multiple settlements in a single press release — signaling a more aggressive, organized ransomware enforcement posture.
Strategic implication for CA FQHCs: every FQHC running OCHIN Epic, eClinicalWorks, NextGen, or athenahealth is squarely in scope. Three protective actions are non-negotiable for FY26-27: (1) document a current Security Rule risk analysis (annual minimum), (2) inventory all Business Associate Agreements with PHI vendors, (3) confirm tested backup-restore procedures. This pairs with the May 11 Section 504 deadline as a one-two compliance hit, and it arrives the same week that the AltaMed cybersecurity incident class action investigation extends into May.
Key takeaways
- $1.165M / 4 entities / 427K patients in single OCR announcement
- Common root cause: failed Security Rule risk analysis
- OCR's 19th ransomware case — bundled enforcement signal
- Document current risk analysis + BAA inventory + tested backups now
Primary source
HHS Office for Civil Rights
FQHC Talent. (2026, April 23). OCR Settles 4 HIPAA Ransomware Cases — $1.165M Bundled Penalty, 427K Patients Exposed. Primary source: HHS Office for Civil Rights. Retrieved May 12, 2026, from https://www.fqhctalent.com/intel/ocr-ransomware-sweep-1-165m-four-entities-april-23-2026