
Behavioral Healthcare Provider Settles HIPAA Risk Analysis Investigation for $225,000

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) with Deer Oaks – The Behavioral Health Solution for $225,000.
Deer Oaks is a long-term care-focused behavioral healthcare provider that offers psychological and psychiatric services to residents of long-term care and assisted living facilities across the United States. Deer Oaks is an affiliated covered entity and directly owns and operates fourteen affiliated covered entity components, including Deer Oaks Consultation Services (DOCS).
On December 6, 2021, OCR received a complaint that DOCS had impermissibly disclosed electronic protected health information (ePHI) online. Patient discharge forms could be accessed via the Internet without authorization. The forms contained patient names, dates of birth, patient identification numbers, facilities, and diagnoses. The discharge summaries were exposed online due to a coding error in a discontinued pilot program for an online patient portal. The discharge summaries of 35 patients were exposed online from at least December 2021 until May 19, 2023. OCR initiated an investigation of the incident in May 2023.
Deer Oaks also experienced a ransomware attack on August 29, 2023, where a threat actor breached the Deer Oaks network, exfiltrated data, and demanded payment to prevent the publication of the data on the dark web. That incident affected 171,871 individuals. OCR expanded its investigation in July 2024 to also cover the ransomware attack. Based on the investigation of both incidents, OCR determined there had been a disclosure of PHI that was not required or permitted by the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a) – and Deer Oaks had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).
In addition to the $225,000 financial penalty, the settlement agreement includes a corrective action plan that requires Deer Oaks to conduct an accurate and thorough analysis of security risks and vulnerabilities to ePHI. The risk analysis must cover all electronic equipment, data systems, programs, and applications that contain, store, transmit, or receive ePHI, and any identified risks must be mitigated and reduced to a reasonable and appropriate level. Policies and procedures must be developed, implemented, and maintained to ensure HIPAA compliance; staff members must be provided with those policies and procedures and must receive annual HIPAA training on them.
“Identifying potential risks and vulnerabilities to ePHI is a key step in preventing or mitigating breaches of protected health information,” said OCR Director Paula M. Stannard. “An accurate and thorough HIPAA risk analysis can minimize the exposure of ePHI from both malicious actors and inadvertent errors. Based on OCR’s experience enforcing potential HIPAA Security Rule violations, the covered entity or business associate under investigation will often have deficient risk analysis practices. Common deficiencies include lacking a risk analysis entirely or failing to update existing risk analyses when implementing new technologies or expanding operations that affect the security of ePHI.”
This is the 17th financial penalty to be imposed on a HIPAA-regulated entity this year. In 2025, OCR has collected $7,610,566 in settlements and civil monetary penalties.

The post Behavioral Healthcare Provider Settles HIPAA Risk Analysis Investigation for $225,000 appeared first on The HIPAA Journal.

Source: www.hipaajournal.com
