
The HHS Office for Civil Rights’ (OCR) continued focus on the Risk Analysis Initiative (RAI), launched in October 2024, remained evident in the enforcement actions announced in the third quarter of 2025. Although just three actions were announced, they all related to ransomware incidents (see summaries at the bottom of this article). In the nine months ending September 30, 2025, 17 of 19 enforcement actions (89%) were related to ransomware or other cyber incidents. By comparison, OCR issued a total of 15 actions in all of 2024, 9 of which were related to cyber incidents.

In October 2024, then-OCR Director Melanie Fontes Rainer stated, “Ransomware attacks often reveal a provider’s underlying failures to comply with the HIPAA Security Rule requirements such as conducting a risk analysis or managing identified risks and vulnerabilities to health information. Such failures can make our doctors and hospitals attractive targets for cyberattacks and can lead to breakdowns in our health care system.” She stated further, “OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.”

Q3 2025 Enforcement Actions:
  • July 7, 2025: In relation to allegations that Deer Oaks – The Behavioral Health Solution impermissibly disclosed PHI by making patient discharge forms publicly accessible online, and that it suffered a ransomware attack in 2023, Deer Oaks was found to have disclosed PHI in an impermissible manner and to have failed to conduct an accurate and thorough Security Risk Assessment (SRA). A potential monetary penalty was not disclosed, and Deer Oaks entered into a Corrective Action Plan (CAP).
  • July 23, 2025: In relation to a breach notification report filed by Syracuse ASC notifying of a ransomware attack in March 2021, Syracuse was found to have failed to conduct an accurate and thorough SRA, and to timely notify the HHS Secretary and affected individuals. Syracuse was assessed a $250,000 monetary penalty and entered into a CAP.
  • August 18, 2025: In relation to a breach notification report filed by BST & Co. CPAs notifying of a ransomware attack in December 2019, BST was found to have failed to assess potential risks and vulnerabilities to ePHI. BST was assessed a $175,000 monetary penalty and entered into a CAP.

Notably, of the 16 CAPs announced so far in 2025 and disclosed by OCR, all have required the sanctioned entity to conduct, revise, or otherwise update an accurate and thorough Security Risk Assessment.

Martin E. Hellmer, CPA
Managing Director
SunHawk Consulting

Martin spent 23 years leading complex investigations of criminal and national security offenses for the FBI. As a Special Agent in Phoenix, he investigated healthcare fraud, crypto scams, money laundering, Ponzi schemes, and other white-collar crimes. He formed and then led the FBI’s Arizona Cyber Crime Task Force, responsible for the prevention, detection, and investigation of computer attacks from domestic and foreign threats.
