Health Fitness Corporation pays $227,816 for HIPAA violation

The U.S. Department of Health and Human Services has reached a $227,816 settlement with Health Fitness Corporation for failing to conduct a timely risk analysis.

What happened

On March 21, 2025, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), announced a resolution agreement with Health Fitness Corporation (Health Fitness), a wellness plan provider based in Illinois. The agreement settles violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement stems from multiple data breaches reported by Health Fitness between 2018 and 2019, involving unsecured electronic protected health information (ePHI) that became accessible on the internet due to a server misconfiguration.

Going deeper 

Health Fitness, acting as a business associate to various covered entities, submitted four breach notifications to OCR after discovering that sensitive health information had been inadvertently exposed online between August 2015 and June 2018. The breach—caused by a software misconfiguration—allowed web crawlers to access ePHI stored on the company’s servers. Initially, the company reported that 4,304 individuals were affected, although later assessments suggested the number may have been lower.

OCR’s investigation found that Health Fitness did not conduct an accurate and thorough risk analysis until January 19, 2024, years after the breaches occurred. That failure is a direct violation of the HIPAA Security Rule, which requires regulated entities to assess and address potential risks to ePHI. As part of the settlement, Health Fitness has agreed to pay $227,816 and to implement a comprehensive corrective action plan that OCR will monitor for two years.

Read also: The proposed removal of limits on HIPAA fines

What was said 

Acting OCR Director Anthony Archeval stated: “Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information.” He added: “Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure.”

Why it matters 

The enforcement action marks the fifth resolution under OCR’s Risk Analysis Initiative, a program designed to highlight the importance of risk analysis in protecting health data. OCR emphasized that failure to assess vulnerabilities to ePHI is a systemic issue that continues to expose healthcare organizations and their patients to preventable cyber threats.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQs

What is a business associate under HIPAA?

A business associate is any entity or individual who performs services involving the use or disclosure of protected health information (PHI) on behalf of a covered entity, such as a healthcare provider or insurer.

What is the OCR Risk Analysis Initiative?

This is an enforcement effort by the Office for Civil Rights (OCR) to investigate compliance with the HIPAA Security Rule’s risk analysis provision, which requires regulated entities to identify and address vulnerabilities to ePHI.

Read also: How to perform a risk assessment