Deer Oaks Behavioral Health Solution Pays $225,000 to Settle HIPAA Risk Analysis Investigation

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a $225,000 settlement with Deer Oaks Behavioral Health Solution to resolve its alleged Health Insurance Portability and Accountability Act (HIPAA) violations.

Deer Oaks is a healthcare provider specializing in long-term behavioral healthcare, providing psychiatric and psychological services to residents of long-term care and assisted living facilities throughout the United States. Deer Oaks manages fourteen affiliated covered entities, which include Deer Oaks Consultation Services (DOCS).

OCR received a complaint against DOCS on December 6, 2021, alleging impermissible disclosure of electronic protected health information (ePHI) on the internet. Patient release forms could be viewed online without any authorization being required. The forms included data such as patient names, birth dates, patient ID numbers, diagnoses, and facilities. The discharge summaries were exposed on the web because of a coding error in a terminated pilot program for a patient online portal. The 35 patients’ discharge summaries remained accessible online from around December 2021 until May 19, 2023. OCR started investigating the incident in May 2023.

Deer Oaks also suffered a ransomware attack on August 29, 2023. The threat actor accessed the Deer Oaks network, exfiltrated information, and demanded a ransom payment in exchange for not publishing the information on the dark web. That attack impacted 171,871 persons. OCR extended its investigation in July 2024 to include the ransomware attack. Based on its investigation of the two incidents, OCR found an impermissible disclosure of PHI in violation of the HIPAA Privacy Rule (45 C.F.R. § 164.502(a)), and found that Deer Oaks had failed to conduct an accurate and thorough risk analysis to identify the risks and vulnerabilities to ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

Besides the $225,000 financial penalty, the settlement agreement includes a corrective action plan that requires Deer Oaks to perform a complete assessment of security threats and vulnerabilities to ePHI. The risk analysis must cover all electronic equipment, data systems, software, and applications that store, transmit, or receive ePHI, and any identified risks must be mitigated and reduced to a reasonable and appropriate level. Policies and procedures must be developed, implemented, and maintained to ensure HIPAA compliance. Employees must be made aware of those policies and procedures and receive yearly HIPAA training on them.

“Determining potential threats and vulnerabilities to ePHI is an important part of avoiding or mitigating PHI breaches,” said OCR Director Paula M. Stannard. A proper and complete HIPAA risk analysis can reduce the risk of ePHI being compromised, whether by malicious actors or by accidental mistakes. In OCR’s experience enforcing the HIPAA Security Rule, the covered entity or business associate under investigation frequently lacks an adequate risk analysis. Typical deficiencies include having no risk analysis at all, or failing to update an existing risk analysis when new systems are implemented or operations expand in ways that affect the security of ePHI.

This is the 17th financial penalty OCR has issued to a HIPAA-regulated entity in 2025. Settlements and civil monetary penalties collected in 2025 now total $7,610,566.