Hale Insights - March 9, 2026

In the past week, several high‑impact developments have surfaced that affect HIPAA compliance, healthcare data privacy and cybersecurity. Enforcement actions from the Office for Civil Rights (OCR), state‑level directives and lawsuits highlight increasing legal scrutiny.  Multiple breaches and a significant ransomware attack remind organizations that vendor management and incident response remain critical.  This newsletter distills the key events and offers guidance to help compliance teams protect patient data and stay ahead of regulatory expectations.

Regulatory & Legal Updates

OCR settlement with MMG Fusion

What happened:  The U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a settlement with dental marketing firm MMG Fusion, LLC following a breach that exposed approximately 15 million individuals’ data.  OCR’s investigation determined that MMG failed to perform a thorough risk analysis and did not comply with the Privacy, Security and Breach Notification Rules.  The company agreed to pay $10,000 and implement a comprehensive corrective action plan, including conducting risk analyses, updating policies and procedures, workforce training and notifying covered entities of the breach.

Why it matters:  This is one of the first major settlements in 2026 and underscores OCR’s continued focus on business associates.  Although the monetary penalty was modest, the corrective action plan demonstrates OCR’s expectation that companies proactively identify and mitigate risks before a breach occurs.

Recommended actions:

  • Conduct and document risk analyses for all systems handling electronic protected health information (ePHI).  Address identified vulnerabilities promptly.
  • Ensure business associate agreements are current and require partners to notify covered entities of incidents immediately.
  • Train workforce members on HIPAA obligations and incident reporting procedures.

OCR complaint form revision notice

What happened:  A Federal Register notice published March 5 invited public comment on revisions to the Civil Rights and Conscience Complaint and Health Information Privacy, Security & Breach Notification Complaint forms (OMB #0945‑0002).  The revisions aim to clarify instructions and reduce burden on complainants; estimated reporting time per complaint is 45 minutes.  OCR also seeks to align complaint forms with Executive Order 14168 and recent court decisions.

Why it matters:  Updating the complaint process is part of OCR’s broader effort to streamline enforcement and make it easier for individuals to report HIPAA violations.

Recommended actions:

  • Monitor the Federal Register for finalization of the revised forms; be prepared to adjust internal complaint‑handling procedures accordingly.
  • Encourage staff and patients to use official OCR channels for reporting potential HIPAA violations.
  • Submit comments by the deadline if there are concerns about burden or clarity.

HIPAA civil penalty updates for 2026

What happened:  Compliance consultants highlighted the updated four‑tier penalty structure for HIPAA violations.  Tier 1 (lack of knowledge) now carries a minimum penalty of $145 per violation, Tier 2 (reasonable cause) starts at $1,379, Tier 3 (willful neglect corrected within 30 days) at $13,785, and Tier 4 (willful neglect not corrected) at $68,928.  An annual cap of $2,190,294 applies to identical violations within a calendar year.  Recent enforcement actions include multimillion‑dollar settlements for health systems.

Why it matters:  Penalties are assessed per violation and can quickly reach millions.  The updated figures reflect inflation adjustments and signal that OCR expects robust compliance programs.

Recommended actions:

  • Review HIPAA policies and procedures to ensure they align with current regulations.
  • Document compliance efforts and remedial actions to demonstrate diligence if investigated.
  • Invest in encryption, strong access controls and comprehensive risk assessments to mitigate exposure.

Texas directive on Chinese‑manufactured medical equipment

What happened:  On March 9, Governor Greg Abbott directed Texas state agencies and state‑owned medical facilities to assess cybersecurity risks associated with medical equipment manufactured in the People’s Republic of China.  Agencies were ordered to review procurement policies and prioritize equipment that protects personal data.  The directive cites multiple U.S. advisories about vulnerabilities in Chinese patient‑monitoring devices and aligns with Texas initiatives such as the Texas Cyber Command and executive orders GA‑47, GA‑48 and GA‑49.

Why it matters:  The order reflects rising concern over supply‑chain security and geopolitical risk.  Other states may follow suit, which could affect vendor selection and procurement processes nationwide.

Recommended actions:

  • Cross-reference your medical device inventory against the Texas Prohibited Technologies List (updated Feb 2026), matching on manufacturer as well as on product name.
  • Work with biomedical engineering and procurement teams to evaluate alternative equipment options and update supplier due diligence.
  • Stay informed about CISA and FDA advisories regarding medical device vulnerabilities.

IU Health sues Change Healthcare over cyberattack losses

What happened:  Indiana University Health filed a $66 million lawsuit against healthcare technology vendor Change Healthcare.  IU Health alleges that Change failed to institute adequate cybersecurity safeguards, leading to the 2024 ransomware attack that shut down payment processing and insurance claim services.  The health system says it incurred millions in extra costs to continue operations during the outage.

Why it matters:  The lawsuit underscores the financial and operational impact of vendor breaches on covered entities.  It also highlights the importance of robust business associate management and contractual requirements for security controls.

Recommended actions:

  • Review contracts with vendors and ensure they include clear cybersecurity obligations and indemnification clauses.
  • Assess critical service providers’ incident response and business continuity plans.
  • Conduct tabletop exercises with vendors to test how joint incident responses would work during an outage.

Breach & Incident Notices

TriZetto Provider Solutions (TPS) breach

What happened:  Health‑tech company TriZetto Provider Solutions, owned by Cognizant, filed a breach notice after discovering that attackers siphoned data from its web portal for nearly a year.  The intrusion began in November 2024 and was detected on October 2, 2025.  The breach exposed personal and health insurance data—including names, birth dates, Social Security numbers, health insurance member numbers and provider information—for approximately 3.4 million individuals.  TriZetto says payment card and bank information were not affected, and the company is offering identity theft monitoring services.

Why it matters:  This is one of the largest healthcare breaches disclosed this year.  The long dwell time (nearly a year) underscores the need for continuous monitoring and timely detection.

Recommended actions:

  • If your organization uses TPS services, contact the vendor to confirm whether your patients’ data were involved and ensure breach notifications are sent.
  • Provide guidance to affected individuals on enrolling in credit and identity‑theft monitoring services and monitoring explanation of benefits statements.
  • Incorporate lessons from this breach into vendor risk assessments and require periodic security audits.
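The "nearly a year" dwell time above is the kind of case that per-account anomaly detection misses: an account that has been siphoning records since its first day has no normal history to deviate from.  The script below is an added example (not TriZetto's or Cognizant's code, and not based on any detail of that breach) showing a peer-baseline check over constructed portal log lines.  The log format, field names and the thresholds `ratio`, `floor` and `window_cap` are assumptions chosen for illustration.

```python
"""Peer-baseline volume detection for a record-lookup portal.

Added example, not code from TriZetto or any vendor. The log line format,
field names and thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: one line per lookup batch, three days, four accounts.
# "svc_export" pulls ~450 records every night from day one, so its own history
# never looks anomalous; only a comparison with its peers exposes it.
SAMPLE_LOG = """\
2025-01-06T09:12:01Z user=alice action=member_lookup records=18
2025-01-06T09:40:11Z user=bob action=member_lookup records=22
2025-01-06T10:02:37Z user=carol action=member_lookup records=15
2025-01-06T02:05:44Z user=svc_export action=member_lookup records=450
2025-01-07T08:55:19Z user=alice action=member_lookup records=21
2025-01-07T09:31:02Z user=bob action=member_lookup records=19
2025-01-07T11:14:50Z user=carol action=member_lookup records=20
2025-01-07T02:06:03Z user=svc_export action=member_lookup records=470
2025-01-08T09:03:27Z user=alice action=member_lookup records=17
2025-01-08T09:49:58Z user=bob action=member_lookup records=24
2025-01-08T10:22:13Z user=carol action=member_lookup records=18
2025-01-08T02:04:39Z user=svc_export action=member_lookup records=440
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) records=(?P<n>\d+)$"
)


def parse_log(text):
    """Return (date, user, records) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        events.append((day, m["user"], int(m["n"])))
    return events


def daily_totals(events):
    """Map user -> {date: records retrieved that day}."""
    per_user = defaultdict(lambda: defaultdict(int))
    for day, user, n in events:
        per_user[user][day] += n
    return per_user


def flag_bulk_retrievers(per_user, ratio=10.0, floor=200, window_cap=1000):
    """Flag accounts whose typical day dwarfs the peer baseline, or whose total
    over the window exceeds a hard cap. Returns ({user: [reasons]}, peer_median)."""
    all_days = [n for days in per_user.values() for n in days.values()]
    peer_median = median(all_days)  # robust to a handful of abusive accounts
    flagged = {}
    for user, days in per_user.items():
        user_median = median(list(days.values()))
        total = sum(days.values())
        reasons = []
        # the floor stops a tiny peer baseline (say 2/day) from flagging normal use
        if user_median >= floor and user_median > ratio * peer_median:
            reasons.append(f"daily median {user_median} vs peer median {peer_median}")
        if total > window_cap:
            reasons.append(f"{total} records in {len(days)} days exceeds cap {window_cap}")
        if reasons:
            flagged[user] = reasons
    return flagged, peer_median


def run_example():
    """Run the detection over the constructed sample log."""
    return flag_bulk_retrievers(daily_totals(parse_log(SAMPLE_LOG)))


if __name__ == "__main__":
    flagged, baseline = run_example()
    print(f"peer median {baseline} records/day")
    for user, reasons in flagged.items():
        print(user, "->", "; ".join(reasons))
```

Run daily over the previous day's portal logs, this is what "continuous monitoring" means in practice: the peer median is recomputed each run, and a service account that is quietly ten times busier than every human user surfaces on day one rather than after a year.  Tune `floor` and `window_cap` to the legitimate batch jobs in your environment, and treat a hit as a ticket to investigate, not an automatic block.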

HCIactive breach update

What happened:  New disclosures reveal that a July 2025 cyberattack on HealthCare Interactive, Inc. (HCIactive) affected 3,056,950 individuals, far more than the initial placeholder of 501 records.  A threat actor copied data from HCIactive’s network, including names, addresses, Social Security numbers, health insurance enrollment data, medical record numbers, diagnoses, and laboratory results.  HCIactive has notified regulators, is offering credit‑monitoring and identity‑protection services, and continues to work with cybersecurity experts.

Why it matters:  The significant increase in affected individuals illustrates how initial breach reports often underestimate the scope.  It also highlights that sensitive clinical data were compromised.

Recommended actions:

  • Verify whether your organization had data stored with HCIactive and ensure all patients receive timely notification letters.
  • Offer guidance on credit monitoring and watch for potential misuse of medical or insurance information.
  • Update incident response plans to prepare for large‑scale breaches and consider whether cyber‑insurance coverage is adequate.

Houston Health Department data breach

What happened:  The Houston Health Department disclosed a data security incident after learning on December 12, 2025 of unauthorized access by a third‑party contractor managing insurance pre‑verification.  The department contained the issue, notified affected individuals and posted a public notice.  According to class‑action notices, the breach was reported to HHS on February 10, 2026 and affects approximately 7,445 individuals, with potential exposure of personally identifiable information and protected health information such as names, contact details, medical records and health insurance information.

Why it matters:  Even small municipal health departments face cyber‑risks from third‑party contractors.  This incident demonstrates the importance of oversight of vendors handling pre‑registration and insurance data.

Recommended actions:

  • Review contracts with third‑party service providers and ensure they include security requirements and breach notification obligations.
  • Educate patients about steps to protect themselves, including placing fraud alerts or credit freezes and monitoring medical bills for irregularities.
  • Conduct periodic security audits of external partners managing patient data.

North East Medical Services (NEMS) & WIRX Pharmacy breaches

What happened:  According to a February 2026 ransomware report, North East Medical Services (NEMS) notified 91,513 patients of an October 2025 breach involving its third‑party software provider, UnitedLayer.  The compromised data include Social Security numbers and medical information.  Separately, WIRX Pharmacy notified 20,104 individuals of a December 2025 cyber incident that allowed unauthorized access to files containing names, dates of birth, payment card details, protected health information and insurance data.

Why it matters:  These incidents highlight continued targeting of small and mid‑sized healthcare providers and pharmacies.  Outsourced IT services and hosted systems remain a common attack vector.

Recommended actions:

  • Ensure third‑party providers have robust security controls and multi‑factor authentication for remote access.
  • Monitor state attorney general notifications and OCR’s breach portal to determine whether your organization’s partners have been affected.
  • Train staff to recognize phishing and ransomware tactics to prevent credential compromise.
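Two of this week's recommendations reduce to the same task: comparing organization names from one source against a watch list (the device inventory against the Texas Prohibited Technologies List in the directive above, and the OCR breach portal export against your vendor list here).  Names rarely match verbatim ("Example Monitor Co., Ltd." on a list versus "EXAMPLE MONITOR CO LTD" in a CMMS), so a normalizer is the useful part.  The script below is an added example, not code from Texas DIR, OCR or any vendor; every manufacturer, device, partner and breach record in it is constructed, and the column names assumed for an OCR breach‑portal CSV export are likewise an assumption to check against a real download.

```python
"""Normalized organization-name matching for two watch-list checks.

Added example, not Texas DIR's, OCR's, or any vendor's code. Device names,
manufacturers and breach records below are constructed; the column names
assumed for an OCR breach-portal export are also an assumption.
"""
import csv
import io
import re

# Trailing corporate-form tokens that vary between a list and an inventory
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "co", "corp", "corporation", "company",
                  "limited", "gmbh", "plc", "lp"}


def normalize_org_name(name):
    """Lower-case, drop punctuation, strip trailing legal-form words.
    'Example Monitor Co., Ltd.' -> 'example monitor'."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def match_watchlist(name, watchlist):
    """Return the watch-list entry matching `name`, or None.
    An entry also matches when it is a whole-word prefix of the name, so
    'Example Monitor USA Inc' is caught by 'Example Monitor Co., Ltd.'."""
    key = normalize_org_name(name)
    for entry in watchlist:
        w = normalize_org_name(entry)
        if w and (key == w or key.startswith(w + " ")):
            return entry
    return None


def match_inventory(inventory_csv, prohibited_manufacturers):
    """Rows of a device inventory whose manufacturer is on the prohibited list."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        entry = match_watchlist(row["manufacturer"], prohibited_manufacturers)
        if entry:
            hits.append({**row, "matched_entry": entry})
    return hits


def match_breach_feed(breach_csv, partners):
    """Breach-feed rows whose reporting entity is one of our vendors/partners."""
    hits = []
    for row in csv.DictReader(io.StringIO(breach_csv)):
        entry = match_watchlist(row["Name of Covered Entity"], partners)
        if entry:
            hits.append({**row, "matched_entry": entry})
    return hits


# Constructed sample data (not a real inventory, list, or breach record)
PROHIBITED_MANUFACTURERS = ["Example Monitor Co., Ltd.", "Other Listed Vendor LLC"]
SAMPLE_INVENTORY = """\
asset_tag,device,manufacturer,location
MON-0012,Patient monitor,Example Monitor Co. Ltd.,ICU-3
MON-0040,Patient monitor,Example Monitor USA Inc,ED-1
INF-0101,Infusion pump,Safe Pumps Corporation,OR-2
"""
PARTNERS = ["Example Hosting LLC", "Claims Clearing Corp"]
# Column names are an assumption about the portal's CSV export; verify them.
SAMPLE_BREACH_FEED = """\
Name of Covered Entity,State,Individuals Affected,Breach Submission Date,Business Associate Present
"Example Hosting, LLC",CA,91513,2026-02-20,Yes
Unrelated Clinic Inc,TX,600,2026-02-22,No
"""

if __name__ == "__main__":
    for hit in match_inventory(SAMPLE_INVENTORY, PROHIBITED_MANUFACTURERS):
        print("PROHIBITED:", hit["asset_tag"], hit["manufacturer"], "->", hit["matched_entry"])
    for hit in match_breach_feed(SAMPLE_BREACH_FEED, PARTNERS):
        print("PARTNER BREACH:", hit["Name of Covered Entity"], hit["Individuals Affected"])
```

Point the same two functions at your real exports: `match_inventory` at a CMMS or CMDB extract with a manufacturer column, `match_breach_feed` at the OCR breach portal's CSV download (adjusting the column name if it differs) or at a state attorney general's notification list.  The prefix rule catches regional subsidiaries that share a root name but will over-match very short names, and it cannot catch a subsidiary trading under an unrelated name, so review hits by hand and keep a list of known aliases for your critical vendors.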

⚠️ 2026 Trend: The Year of the Business Associate.  This week’s updates confirm that your biggest HIPAA risk isn’t internal; it’s your vendors.  80% of the major breaches reported this month originated at the BA level.

Cybersecurity Alerts & Best‑Practice Insights

University of Mississippi Medical Center ransomware attack and recovery

What happened:  The University of Mississippi Medical Center (UMMC) temporarily closed its clinics statewide after a late‑February ransomware attack took its Epic electronic health record (EHR) system offline and restricted access to phone and email systems.  Hospitals and emergency departments remained open using downtime procedures.  On March 2, 2026 UMMC began reopening clinics, rescheduling canceled appointments and operating extended hours.  The health system is working with the FBI and federal experts to investigate and recover operations.  Officials noted that the extent of the intrusion is still being assessed and emphasized that ransomware can severely disrupt care delivery.

Why it matters:  This attack demonstrates the real‑world impact of ransomware on patient care.  EHR downtime forces organizations to switch to paper workflows and delays appointments.  UMMC’s rapid communication with patients and collaboration with federal authorities are best practices for incident response.

Recommended actions:

  • Review and test downtime procedures for critical clinical systems, including EHRs and communication tools.
  • Ensure cyber‑resilience plans include coordination with federal law‑enforcement and public‑health agencies.
  • Educate clinicians about manual documentation processes to maintain care quality during system outages.

Ransomware trends in February 2026

What happened:  A February 2026 ransomware report recorded 82 publicly disclosed ransomware incidents, with healthcare representing 31% of reported attacks.  Twenty‑four different ransomware groups were linked to these incidents, illustrating the diversity of threat actors.  Notable healthcare incidents included NEMS, WIRX Pharmacy and Catalyst RCM.  The report notes that RansomHouse claimed responsibility for encrypting UnitedLayer’s data in the NEMS incident, while the Everest group targeted medical revenue cycle provider Catalyst RCM, compromising data of more than 139,000 individuals.

Why it matters:  Healthcare remains one of the most targeted sectors for ransomware.  The diversity of threat groups and the reliance on third‑party vendors mean that even organizations with strong internal security controls can be indirectly exposed.

Recommended actions:

  • Implement proactive controls: network segmentation and regular patching to limit initial access and lateral movement, and endpoint detection and response (EDR) with monitored alerting to reduce dwell time.
  • Verify that off‑site backups are isolated from production networks (offline or immutable, with credentials the domain cannot reach), and test restores regularly against your recovery time objectives rather than assuming they will work.
  • Include third‑party vendors in your incident response and ransomware playbooks.

Final Thoughts

This week’s events reinforce several themes.  OCR’s enforcement action against MMG Fusion and the revisions to the complaint process demonstrate that regulators expect organizations to perform thorough risk analyses and maintain robust complaint‑handling mechanisms.  The Houston Health Department and HCIactive breaches, along with disclosures from TriZetto, NEMS and WIRX Pharmacy, show that both large and small healthcare entities are vulnerable when third‑party vendors are compromised.  The Texas directive and IU Health’s lawsuit signal that organizations are scrutinizing supply chains and vendor performance more closely.  Finally, the UMMC ransomware attack underscores the importance of preparing for disruptions to clinical systems and working with federal authorities to mitigate impacts.

Actionable takeaways:

  • Conduct comprehensive risk analyses and refresh HIPAA policies now that updated penalty tiers are in effect.
  • Review vendor contracts and supply‑chain risks—especially for medical devices and hosted IT services.
  • Strengthen ransomware preparedness with offline backups, multi‑factor authentication and tested downtime procedures.
  • Encourage a culture of compliance where workforce members understand how to report incidents and why timely notification matters.

By staying informed and proactively addressing these issues, compliance teams can better protect patient information and reduce regulatory and litigation risks.