Executive Summary
The U.S. Department of Health and Human Services' Office for Civil Rights settled with four healthcare entities following ransomware investigations that collectively exposed the protected health information of over 427,000 individuals, including Social Security numbers, diagnoses, lab results, and financial data. The investigations found that entities like Regional Women's Health Group and Assured Imaging failed to conduct proper risk analyses of their systems and, in some cases, delayed noti...
What Happened
In April 2026, the U.S. Department of Health and Human Services' Office for Civil Rights announced settlements with four healthcare entities following ransomware investigations. These separate ransomware attacks collectively exposed protected health information of over 427,000 individuals, including names, Social Security numbers, diagnoses, lab results, medications, and financial data. The breaches occurred between 2020 and the investigation period, with entities like Regional Women's Health Group (37,989 individuals affected) and Assured Imaging (244,813 individuals affected) failing to conduct proper security risk analyses and, in Assured Imaging's case, delaying breach notifications to affected individuals.
Who Is Affected
Over 427,000 patients who received care from these four healthcare providers across multiple states are affected, including patients of Regional Women's Health Group in New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky, and patients of Assured Imaging in Arizona and California. The exposed information includes highly sensitive data such as Social Security numbers, driver's license numbers, medical diagnoses, lab results, medications, and treatment information that could be used for identity theft or insurance fraud.
Why It Matters
This resolution represents the 19th completed ransomware investigation by OCR and demonstrates continued regulatory enforcement against healthcare entities that fail to implement the basic security protections required under HIPAA. The settlements, totaling over $1 million, emphasize that healthcare providers face financial consequences not only from ransomware payments but also from regulatory penalties when they fail to conduct the risk analyses that could have prevented or mitigated these breaches. The cases establish that delayed breach notification to patients is itself a separate violation subject to enforcement action.
What You Should Do
If you were a patient at Regional Women's Health Group (Axia Women's Health or Sincera Reproductive Medicine), Assured Imaging, or the other two settled entities during the breach periods (around 2020), contact these providers to confirm whether your data was affected and what notification you should have received. Place a fraud alert or security freeze on your credit reports with the three major credit bureaus, monitor your credit reports and medical insurance statements for unauthorized activity, and consider filing your taxes early to prevent tax fraud using your Social Security number. If you experience identity theft or medical identity theft, report it to the Federal Trade Commission at IdentityTheft.gov and request a corrected medical record from any provider where fraudulent inf...