HIPAA Enforcements Adding up Fast in 2025
The HHS Office for Civil Rights (OCR) had a busy start to 2025, handing down several HIPAA enforcement actions. The penalties stem from phishing attacks, ransomware attacks, patient right-of-access violations, and more. The burst of settlement activity came just before the Biden administration left office and new leadership assumed control of HHS.
Here are the details of some of the HIPAA enforcements from January 2025.
Solara Medical Supplies
Solara, a company specializing in the home delivery of medical devices, was fined $3,000,000 after a phishing attack. The attackers accessed eight employee email accounts containing electronic protected health information (ePHI), including Social Security numbers, credit card information, bank account numbers, diagnosis and condition information, medication information, and more. As of January 2025, the breach had affected 114,007 people.
Following the phishing attack, Solara sent notification letters about the incident to the wrong mailing addresses. That mailing mistake was itself a second breach, disclosing the PHI of 1,531 people.
The investigation into the breach found Solara potentially committed the following HIPAA violations:
- Failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Failure to implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.
- Failure to provide timely notification to each person whose unsecured PHI had been, or was reasonably believed to have been, accessed.
- Failure to provide timely notification to prominent media outlets serving the area where the breach occurred.
- Failure to provide timely notification to the HHS Secretary.
Under the Breach Notification Rule, each of these notices is due without unreasonable delay and no later than 60 calendar days after the breach is discovered; the media and HHS notices apply because the breach affected more than 500 individuals.
Along with the financial penalty, Solara agreed to a Corrective Action Plan that includes:
- Conducting a risk analysis
- The development and implementation of a risk management plan
- The development and distribution of policies and procedures
- Security training
USR Holdings
USR Holdings, a behavioral health holding company, was hit with a $337,750 penalty following the deletion of ePHI. The investigation into the incident found that:
- USR impermissibly disclosed the ePHI of 2,903 individuals to unauthorized individuals who deleted the ePHI.
- The company did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the ePHI it holds.
- USR had not implemented procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- USR did not have procedures to create and maintain retrievable exact copies of ePHI (the Security Rule's data backup plan requirement), so the deleted records could not simply be restored.
Memorial Healthcare System
Memorial Healthcare System (MHS) paid a $60,000 penalty after a patient did not receive the specific medical records he requested. The HIPAA Privacy Rule's right of access requires covered entities to respond to a PHI access request within 30 days, with a single 30-day extension permitted if the individual is told the reason for the delay in writing.
An OCR investigation found the complainant requested his PHI, including an EEG tracing, via MHS's patient portal on December 30, 2020, and again on April 25, 2021. The complainant also requested a copy of the same records by mail on April 26, 2021. A follow-up request was made on May 23, 2021, via the patient portal. The complainant did not receive the EEG tracing until September 29, 2021, after OCR had initiated its investigation of MHS.
Elgon Information Systems
Elgon Information Systems, an electronic medical record and billing support company, was fined $80,000 after a ransomware attack.
On March 25, 2023, an unknown actor accessed an Elgon server through open ports on Elgon's firewall. Elgon did not detect the intrusion until March 31, 2023, when a ransom note was found, giving the attacker six days of unnoticed access. Elgon's breach report stated that approximately 31,248 individuals were affected. The PHI disclosed included demographic and clinical information.
OCR's investigation determined that Elgon had failed to conduct a thorough risk analysis to identify potential risks and vulnerabilities to ePHI. As part of the settlement agreement, OCR will monitor Elgon for three years to ensure compliance with HIPAA. Elgon agreed to implement a corrective action plan that includes updating its risk management plan and providing employee HIPAA training.
Two other regulated entities were hit with HIPAA enforcement actions stemming from ransomware attacks: OCR fined Virtual Private Network Solutions $90,000, and Northeast Surgical Group was penalized $10,000.
CompliancePoint has a team dedicated to helping healthcare organizations with cybersecurity and data privacy. Contact us at connect@compliancepoint.com to learn more about how we can help with your HIPAA compliance efforts.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.