What the April OCR ransomware settlements tell wellness brands about risk analysis
OCR's $1.165M ransomware enforcement wave on April 23 hinges on one missing document. Wellness operators handling any HIPAA-adjacent data should treat this as a deadline.
On April 23, the HHS Office for Civil Rights announced settlements with four regulated entities, totaling $1,165,000, to resolve ransomware investigations under the HIPAA Security Rule. The four breaches together exposed the protected health information of more than 427,000 people, including Social Security numbers, lab results, diagnoses, and insurance details. The settling entities ranged from a multistate women’s health group (Axia Women’s Health) to an imaging network, a third-party administrator, and a self-funded employer health plan. The settlement amounts were modest by federal standards. The common failure was not.
In every one of these cases, OCR found that the entity had not conducted an accurate and thorough risk analysis of the confidentiality, integrity, and availability of electronic PHI across its environment. That single Security Rule requirement, codified at 45 CFR 164.308(a)(1)(ii)(A), has now anchored OCR’s Risk Analysis Initiative for nearly two years. The April 23 announcement brought the initiative’s enforcement total to twelve actions, and the pattern is consistent: the ransomware itself is not what triggered the penalty. The penalty was triggered because, after the ransomware, OCR asked to see the risk analysis and the entity could not produce one that met the standard.
For wellness brands, the relevance is broader than it looks. Plenty of operators in this space assume they sit outside HIPAA because they sell direct to consumers, or because they are technically a wellness app rather than a clinical tool. That assumption breaks the moment you accept data from a covered entity, integrate with a telehealth provider, contract with an employer health plan, or run any service that touches PHI on someone else’s behalf. At that point you are likely a Business Associate, and the same Security Rule risk analysis obligation applies to you in full. The Star Group settlement, which involves a self-funded employer health benefits plan, should be a particularly clear signal to wellness benefit providers, EAP vendors, and corporate wellness platforms. OCR is no longer treating the plan sponsor side as low priority.
A risk analysis under the Security Rule is not a SOC 2 report, not a penetration test, and not a vendor questionnaire. It is a documented, organization-specific identification of every system, application, vendor, and data flow where ePHI lives or moves, paired with an assessment of the threats and vulnerabilities to each one, an evaluation of the likelihood and impact of those threats materializing, and the controls in place or planned to address them. OCR has repeatedly published what an inadequate risk analysis looks like, and the recurring problems are the same: incomplete asset inventories, no consideration of remote workers and cloud services, no treatment of third-party vendors, and no documentation that the analysis was updated when systems changed.
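As an added illustration, not from OCR's guidance or from the settling entities, the following constructed Python register models the elements above (assets, threats, likelihood, impact, controls, review date) and flags the recurring deficiencies the paragraph lists; asset names, location labels, dates and scores are all made up for the demo.

```python
from dataclasses import dataclass
from datetime import date

# Constructed example register. Field names and the "onprem"/"cloud"/
# "vendor"/"remote" location labels are assumptions made for this demo.
@dataclass
class Asset:
    name: str
    holds_ephi: bool
    location: str            # "onprem", "cloud", "vendor", or "remote"
    threats: list            # identified threats/vulnerabilities to this asset
    likelihood: int          # 1 (rare) .. 5 (expected)
    impact: int              # 1 (negligible) .. 5 (severe)
    controls: list           # controls in place or planned
    last_reviewed: date      # when this entry was last updated

def risk_score(a: Asset) -> int:
    """Likelihood x impact: the simplest defensible scoring for a register."""
    return a.likelihood * a.impact

def find_gaps(assets, today, max_age_days=365):
    """Flag the recurring deficiencies OCR cites in inadequate risk analyses."""
    gaps = []
    for loc, label in (("cloud", "cloud services"), ("remote", "remote workers"),
                       ("vendor", "third-party vendors")):
        if not any(a.location == loc for a in assets):
            gaps.append(f"no assets recorded for {label}")
    for a in (a for a in assets if a.holds_ephi):
        if not a.threats:
            gaps.append(f"{a.name}: no threats assessed")
        if not a.controls:
            gaps.append(f"{a.name}: no controls documented")
        if (today - a.last_reviewed).days > max_age_days:
            gaps.append(f"{a.name}: entry stale ({a.last_reviewed})")
    return gaps

# Constructed sample register for a small wellness platform.
SAMPLE = [
    Asset("patient-portal-db", True, "cloud", ["ransomware", "credential theft"],
          4, 5, ["EDR", "offline backups", "MFA"], date(2025, 2, 1)),
    Asset("claims-tpa-sftp", True, "vendor", ["vendor compromise"], 3, 4, [],
          date(2024, 11, 15)),
    Asset("coach-laptops", True, "remote", [], 3, 3, ["disk encryption"],
          date(2023, 9, 1)),
]

def report(assets=SAMPLE, today=date(2025, 4, 23)):
    """Return assets ranked by score plus the list of documentation gaps."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, risk_score(a)) for a in ranked], find_gaps(assets, today)
```

Running `report()` ranks the portal database highest and flags the vendor SFTP entry with no controls and the laptop entry that is both unassessed and more than a year stale.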
The concrete action this quarter is to produce a current, dated, written risk analysis that covers every system in which any health-related personal data is created, received, maintained, or transmitted, and to assign one person ownership of keeping it current as your stack changes.