HIPAA Business Associate Settles with HHS OCR Following Alleged PHI Breach to the Dark Web

Bruce D. Armon, Brenda Glaser Abrams

On March 5, 2026, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with MMG Fusion, LLC (MMG). MMG is a Maryland software company that was the subject of a complaint filed with OCR in January 2023 based upon an unreported HIPAA security incident. Although MMG, a HIPAA business associate, admitted no wrongdoing as part of the OCR settlement, OCR noted that MMG had potentially violated provisions in the HIPAA Privacy, Security, and Breach Notification Rules. OCR's investigation concerned a December 2020 incident in which a person accessed MMG's information system and disclosed PHI, including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments, belonging to patients of MMG's HIPAA-covered entity clients.

According to the OCR press release announcing the settlement, MMG may have: 

  • Impermissibly disclosed the PHI of approximately 15 million individuals, which ended up on the 'dark web';
  • Failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI it held; and
  • Failed to notify covered entities affected by the incident of the breach. 

As a result of the OCR settlement, MMG agreed to pay $10,000 and enter into a three-year corrective action plan (CAP) with HHS. Despite the volume of PHI that was exposed, it appears the settlement amount was modest because of MMG's financial condition.

As part of the CAP, MMG agreed to:

  • conduct a "comprehensive, accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability" of the electronic PHI held by MMG and timely provide the risk analysis to HHS; 
  • review and revise its HIPAA policies and procedures for HHS' review and approval and then distribute the same to members of its workforce; 
  • include 11 specific policies addressing HIPAA Privacy Rule and Security Rule provisions; 
  • provide HHS with its breach risk assessment of the December 2020 incident; 
  • provide workforce training; and
  • prepare an implementation report and annual reports for the duration of the CAP.

This MMG settlement is OCR's 12th enforcement action as part of its risk analysis initiative. The MMG Resolution Agreement can be reviewed here. HIPAA-covered entities and business associates should carefully review each of the announced OCR settlements and be sure that their HIPAA privacy, security, and breach notification policies and procedures are current and are adhered to.

Saul Ewing attorneys routinely help HIPAA-covered entities and business associates with drafting and revising HIPAA policies and assisting in responding to breaches.
