Privacy & Information Security Law Blog

On July 7, 2025, the Department of Health and Human Services’ (“HHS’”) Office for Civil Rights (“OCR”) announced a HIPAA enforcement action against Deer Oaks, a health care provider of psychological and psychiatric services to residents of long-term care and assisted living facilities. The settlement follows two separate incidents involving the exposure of electronic protected health information (“ePHI”) and highlights OCR’s continued emphasis on the importance of conducting risk analyses as required by the HIPAA Security Rule.

OCR launched its investigation in May 2023 after receiving a complaint alleging that Deer Oaks had impermissibly disclosed ePHI by making patient discharge summaries publicly accessible online. OCR confirmed that ePHI was inadvertently exposed due to a coding error in a now-defunct online portal pilot. The summaries were indexed by search engines and remained accessible until at least May 19, 2023, affecting the data of 35 individuals.

OCR expanded its investigation in July 2024, after a ransomware attack against the company that occurred in August 2023. Deer Oaks reported the breach to HHS, notified the media and issued notifications to over 171,000 affected individuals.

OCR concluded that Deer Oaks failed to conduct an accurate and thorough risk analysis, in violation of the HIPAA Security Rule. To resolve the matter, Deer Oaks agreed to pay $225,000 and implement a two-year corrective action plan that requires Deer Oaks to:

• conduct and annually update its HIPAA risk analyses;
• develop and implement a risk management plan to address identified vulnerabilities;
• maintain and revise HIPAA-compliant policies and procedures; and
• provide annual workforce training on HIPAA requirements.

This settlement serves as another reminder that OCR expects regulated entities to comply with the HIPAA Security Rule and proactively identify and address risks to ePHI, particularly as cyber threats to ePHI grow more sophisticated.