OCR's 2026 Enforcement Expansion: Risk Management Joins Risk Analysis Scrutiny -- Plus the $590,000 Comstar Lesson in What Happens When a Healthcare Business Associate Has No Security Program

I.  Two Enforcement Stories, One Urgent Message

On February 19, 2026, HHS Office for Civil Rights Director Paula M. Stannard announced OCR's 11th enforcement action under its Risk Analysis Initiative -- a $103,000 settlement with an Illinois substance use disorder treatment provider whose email systems were compromised in a phishing attack. Three days later, OCR announced its 12th action against a dental practice software company whose patient data ended up on the dark web, with an explicit enforcement emphasis on the failure to notify affected covered entities in a timely manner.

On January 28, 2026 -- three weeks before those OCR announcements -- the Attorneys General of Massachusetts and Connecticut jointly announced a $515,000 settlement with Comstar LLC, a Rowley, Massachusetts-based ambulance billing and collections company. The core violation: Comstar had no adequate Written Information Security Program when a March 2022 ransomware attack exfiltrated and encrypted patient data belonging to approximately 349,000 New England residents across 70 of Comstar's healthcare clients.

What makes the Comstar case particularly instructive is that it was the second time Comstar paid for the same breach. OCR had already settled with Comstar in May 2025 for $75,000. The January 2026 state AG action added $515,000 more. Total financial exposure from one 2022 ransomware incident: $590,000. Total affected individuals in the federal OCR filing: 585,621. Plus two multi-year corrective action plans and three years of annual security assessments submitted to state regulators.

These two enforcement tracks -- OCR's expanding initiative and aggressive state AG action -- represent the full dimensions of HIPAA enforcement in 2026. This article covers both, documents the specific settlement history behind OCR's initiative, and tells you exactly what both enforcement trends require of your organization right now.


II.  OCR's Risk Analysis Initiative: From Checkbox to Management

The Initiative and Its Scope

OCR launched the dedicated Risk Analysis Initiative in 2024 as a focused enforcement program targeting the most commonly identified violation in HIPAA Security Rule investigations: failure to conduct an accurate and thorough risk analysis under Sec. 164.308(a)(1)(ii)(A). The initiative uses hacking incident breach reports as the triggering mechanism -- when an organization reports a breach, OCR's investigation specifically probes whether the organization had a documented, comprehensive risk analysis in place before the incident.

The track record:  Inadequate risk analysis has been a finding in 90 percent of all OCR HIPAA Security Rule enforcement actions historically. The Risk Analysis Initiative has now produced at least 12 formal enforcement actions with financial penalties and corrective action plans as of March 2026 -- with more announced in the months following the initiative's launch.

The 2026 Expansion: Risk Management Is Now the Target

OCR Director Stannard confirmed in a January 2026 interview with North Country Communications that the Risk Analysis Initiative is evolving. The expansion to risk management -- Sec. 164.308(a)(1)(ii)(B) -- means OCR will now scrutinize not only whether a risk analysis was performed, but whether the identified risks were actively mitigated.

OCR's Q1 2026 cybersecurity newsletter explicitly signals this direction, focusing on system hardening and vulnerability reduction as the practical expression of risk management. The newsletter specifies that risk analysis must identify vulnerabilities like unpatched software and device firmware gaps and be paired with risk management practices that actively reduce those vulnerabilities.

WHAT RISK MANAGEMENT MEANS IN PRACTICE:  Under Sec. 164.308(a)(1)(ii)(B), risk management requires implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. OCR's 2026 enforcement expansion means auditors will ask: Did you identify the risk? Yes. Did you then implement a specific control to address it? Show us. Do you have a risk register with implementation dates? Produce it. A risk analysis that sits in a file drawer with no documented follow-through is now an enforcement liability, not a compliance checkmark.

The Settlement Record: 12 Actions Through March 2026

The following table documents the confirmed enforcement actions under the Risk Analysis Initiative through March 2026. Use it as a reference for the range of organizations, penalty amounts, and specific violations involved.

# | Date | Entity (Type) | Penalty | Core Violation
1 | Oct 2024 | Oklahoma EMS Provider (CE) | $90,000 | Ransomware; no accurate risk analysis; 14,273 patients affected
2 | Jan 2025 | Massachusetts BA -- cloud EHR/billing (BA) | $80,000 | Ransomware; risk analysis failure; 31,248 patients affected
3 | Jan 2025 | Virginia data hosting / cloud BA (BA) | $90,000 | Ransomware; risk analysis failure; 12 covered entities affected
4 | 2025 | Michigan surgical group (CE) | Undisclosed | Ransomware; risk analysis failure; 15,298 patients affected
5-7 | 2025 | Multiple hacking investigations (CE/BA) | Varies | Consistent pattern: missing or inadequate risk analysis across all six
8 | Jul 2025 | Deer Oaks Behavioral Health (CE) | $225,000 | Insufficient risk analysis; failure to implement required safeguards
9 | Jul 2025 | Syracuse ASC (CE) | $250,000 | Ransomware; no adequate risk analysis; 2-year CAP required; 24,891 patients
10 | Aug 2025 | BST & Co. CPAs, LLP (BA) | $175,000 | 2019 ransomware; risk analysis failure confirmed; 2-year CAP; 12 covered entities downstream
11 | Feb 19, 2026 | TWRTC / Top of the World Ranch Treatment Center (CE) | $103,000 | Phishing attack; email account compromise; no accurate risk analysis; 1,980 patients
12 | Feb 2026 | MMG Fusion, LLC -- oral healthcare software (BA) | Undisclosed | Unreported security incident; PHI on dark web; risk analysis failure; BA notification failure

OCR has confirmed the Risk Analysis Initiative is expanding in 2026 to cover risk MANAGEMENT -- Sec. 164.308(a)(1)(ii)(B). Future enforcement actions will scrutinize not only whether a risk analysis was performed, but whether identified risks were actively mitigated and documented.

Key pattern:  Penalties range from $75,000 (Comstar, federal) to $250,000 (Syracuse ASC). The size of the organization and the number of individuals affected influence the penalty amount, but small providers and business associates have been penalized at the same rate as larger ones. The corrective action plans are often more burdensome than the financial penalty -- two-year monitoring programs with required annual submissions are standard.

Director Stannard's Enforcement Philosophy

The quotes from Director Stannard across the 2025-2026 enforcement announcements are consistent and direct. Two are worth keeping on hand for board briefings and compliance committee presentations:

"Covered entities and business associates cannot protect electronic protected health information if they haven't identified potential risks and vulnerabilities to that health information."  -- OCR Director Paula M. Stannard, announcing the TWRTC settlement, February 2026

"A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it. Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches." -- OCR Director Paula M. Stannard, announcing the BST & Co. CPAs settlement, August 2025

The second quote is notable because it explicitly links risk analysis to risk management -- the 2026 expansion target -- and uses the word 'informs' to signal that a risk analysis is the input to a risk management plan, not the end of the compliance obligation.


III.  The Comstar Case Study: $590,000 From One 2022 Breach

What Comstar Does and Why It Matters to CAH and Rural Hospital Leaders

Comstar LLC is an ambulance billing and collections company based in Rowley, Massachusetts. It provides revenue cycle management services to emergency medical services (EMS) providers and ambulance services -- including, critically, the hospital-based and contract EMS operations that serve Critical Access Hospitals and rural healthcare facilities throughout New England. Under HIPAA, Comstar is a business associate: it receives, processes, and transmits protected health information on behalf of its healthcare clients as a standard part of its billing operations.

Ambulance billing vendors are a commonly overlooked risk category in rural healthcare. EMS providers generate PHI every time they transport a patient: names, dates of birth, Social Security numbers, insurance information, medical assessment details, and treatment codes. That data flows to billing vendors for claims processing. When the billing vendor has no adequate security program, the exposure cascades across every healthcare organization that used that vendor.

The Breach and Its Financial Consequences

In March 2022, an outside actor accessed, exfiltrated, and encrypted files on Comstar's servers in a ransomware attack. The compromised data included names, Social Security numbers, driver's license numbers, financial account information, and medical assessment details. The federal OCR filing listed 585,621 individuals affected across 70 of Comstar's clients. The state AG filings confirmed approximately 326,426 Massachusetts residents and 22,829 Connecticut residents were affected.

Comstar paid twice. The table below documents the full penalty history.

Enforcer | Date / Penalty | Authority | Core Violation & Requirements
HHS Office for Civil Rights | May 30, 2025 / $75,000 | HIPAA Security Rule (federal) | Failure to conduct timely, thorough HIPAA security risk analysis. CAP requires: physical/virtual asset inventory, risk analysis and risk management plan, policy revisions. Breach: 585,621 individuals; 70 clients affected.
MA AG (Campbell) + CT AG (Tong) | Jan 28, 2026 / $515,000 ($415K MA + $100K CT) | Massachusetts Data Security Regs + HIPAA (state HITECH authority) | Failure to maintain adequate WISP. Required: anti-phishing software, MFA, asset inventory, IDS/IPS, SIEM, endpoint protection, encryption, penetration testing, annual security assessments for 3 years with results submitted to both AGs.

TOTAL COMSTAR EXPOSURE: $590,000 across federal OCR and two state AGs from a single 2022 ransomware attack. This is the documented cost of operating a healthcare business associate without an adequate Written Information Security Program.

The distinction between the two actions is instructive. The OCR CAP is focused on foundational HIPAA compliance: conduct a risk analysis, develop a risk management plan, update policies. The state AG CAP is more prescriptive and operational: implement specific technologies (MFA, SIEM, IDS/IPS, endpoint protection, anti-phishing software), maintain a comprehensive IT asset inventory, conduct penetration testing, and submit annual assessment results to the AGs for three years. The state-level requirements effectively impose a minimum technology stack on Comstar's security program.

The WISP Failure: What 'No Adequate Security Program' Actually Means

Both the OCR action and the state AG action centered on the same core finding: Comstar did not have an adequate Written Information Security Program. A WISP is a documented, organization-specific security plan that identifies the administrative, technical, and physical safeguards the organization uses to protect sensitive information. Under Massachusetts Data Security Regulations (201 CMR 17.00), a WISP is specifically required for any entity handling personal information of Massachusetts residents. Under HIPAA, the risk analysis and risk management requirements functionally require the same documentation in all but name.

The absence of an adequate WISP is not a finding that a specific technical control was missing. It is a finding that the organization had not gone through the fundamental exercise of identifying what it had, what it needed to protect, and what it was doing to protect it. That is the exact same finding that OCR's Risk Analysis Initiative targets -- just under a different regulatory label.

THE DUAL ENFORCEMENT RISK:  State AGs have independent HIPAA enforcement authority under the HITECH Act -- they do not need OCR's involvement or permission to investigate and penalize a covered entity or business associate for HIPAA violations. The Comstar case was pursued simultaneously and independently by the Massachusetts and Connecticut AGs. Your organization could face a federal OCR investigation, a Massachusetts AG investigation, and a Connecticut AG investigation from a single breach event -- all with separate penalty proceedings and corrective action requirements.


IV.  HIPAA Compliance Matrix: Both Cases

The following table maps the specific HIPAA Security Rule provisions implicated by both the OCR Risk Analysis Initiative enforcement actions and the Comstar state AG settlement. Use it as a gap analysis framework.

HIPAA Provision | OCR Initiative Lesson | Comstar Lesson | Action Required
Sec. 164.308(a)(1)(ii)(A) -- Risk Analysis | 12 enforcement actions specifically cite this provision; inadequate risk analysis found in 90% of all OCR Security Rule enforcement actions historically | OCR found Comstar failed to conduct a timely, thorough risk analysis -- the foundational finding that triggered both the federal and state enforcement actions | Conduct or update your enterprise-wide risk analysis this quarter; document all ePHI locations, threats, and vulnerabilities; include cloud accounts, email, vendor portals, and remote access
Sec. 164.308(a)(1)(ii)(B) -- Risk Management (2026 EXPANSION) | OCR Director Stannard confirmed in January 2026 that the initiative is expanding to require documentation that identified risks have been actively mitigated -- not just identified | Comstar's state AG CAP requires specific mitigations with evidence: MFA, SIEM, IDS/IPS, endpoint protection, annual assessments submitted to regulators -- exactly the kind of documentation OCR will now require | Map every identified risk to a specific mitigation control with implementation date and evidence; maintain a risk register that shows the lifecycle from identification to remediation
Sec. 164.308(b) -- Business Associate Agreements | TWRTC (Action 11) and MMG Fusion (Action 12) both involve failure to report breaches promptly; OCR emphasized BA notification obligations in the MMG settlement announcement | Comstar served 70 clients; a single vendor failure cascaded to 585,621 federal and ~349,000 state-level affected individuals; no single client could have prevented it without strong BAA requirements | Add to all BAA renewals: 48-72 hour notification, annual security attestation, audit rights, WISP confirmation, and explicit risk management documentation requirements
Sec. 164.404 -- Breach Notification | MMG Fusion failed to notify affected covered entities 'without unreasonable delay'; OCR Director Stannard's settlement announcement specifically emphasized the 60-day window | Comstar notified in May 2022 -- two months after the March 2022 attack; notification to 70 clients cascaded individual notification obligations across all of them | Ensure your incident response plan specifies notification triggers; define 'discovery' explicitly; confirm your BA contracts require BA-to-CE notification within 72 hours of suspected compromise
Sec. 164.530(b) -- Workforce Training | TWRTC (Action 11) breach originated from a successful phishing attack -- a training failure; corrective action plan requires annual HIPAA training including cybersecurity awareness | CT AG Tong's announcement specifically cited the absence of 'basic, necessary security measures' including employee training; the Comstar CAP requires training as a remediation element | Annual training must specifically cover: phishing identification, credential hygiene, vendor/clearinghouse portal security, and the employee's role in the risk management program -- not generic HIPAA-only content

V.  Cross-Cutting Risks and Trends

The Risk Analysis Is Not Enough Anymore

The most important compliance shift documented in this article is the transition from risk analysis enforcement to risk management enforcement. Every organization in the healthcare sector has, by now, encountered the requirement to perform a risk analysis. Many have performed one -- even if the quality varies enormously. What the 2026 OCR expansion means is that the existence of a risk analysis document is no longer the question. The question is: what did you do with it?

A risk analysis that identifies email phishing as a high-risk vector, then fails to document any mitigation -- no MFA implementation, no phishing simulation training, no email security configuration review -- is now a documented liability. It is evidence that the organization identified the risk and did nothing. That is arguably worse, from an enforcement perspective, than not having performed a risk analysis at all.
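The risk register the article keeps returning to is a small data structure with a few auditable rules: every identified risk maps to a control, an owner and an implementation date; open items older than 12 months are a liability; and a risk marked mitigated should have evidence behind it. The following Python script is an added example, not code from the article or from OCR, that applies those rules to a register. The column names and the sample rows are constructed for this example and are not a regulatory format; the 12-month threshold is the one the article's roadmap uses.

```python
"""Risk register completeness check (added example; not from the article or OCR).

Checks a register for the gaps an auditor would flag under the article's
risk management expansion: risks with no mapped control, owner or date;
open items older than 12 months or past their target date; and mitigated
items with no evidence recorded.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register. Column names are an assumption for this
# example, not a required format.
SAMPLE_REGISTER = """\
risk_id,description,severity,control,owner,identified,target_date,status,evidence
R-001,Phishing against clinical email,high,MFA on all mail accounts,IT Director,2025-01-15,2025-03-01,mitigated,mfa-rollout-report.pdf
R-002,Unpatched device firmware on imaging workstations,high,Quarterly firmware patch cycle,Biomed,2025-02-10,2025-06-30,open,
R-003,Ambulance billing vendor has no WISP on file,high,,,2025-04-01,,open,
R-004,Shared credentials on vendor portal,medium,Individual accounts plus password manager,Security Officer,2025-11-20,2026-02-28,open,
R-005,Legacy VPN without MFA,high,Replace with MFA-enforced remote access,Network Lead,2024-06-01,2024-12-31,mitigated,
"""

# The article's roadmap treats open items older than 12 months as an audit liability.
STALE_AFTER = timedelta(days=365)


def load_register(text):
    """Parse a CSV register into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def check_register(rows, as_of):
    """Return (risk_id, finding) tuples for every gap found as of the given date."""
    findings = []
    for r in rows:
        rid = r["risk_id"]
        # 1. Identified but never mapped to a mitigation: the "file drawer" risk analysis.
        if not r["control"].strip():
            findings.append((rid, "no mitigation control mapped"))
        if not r["owner"].strip():
            findings.append((rid, "no responsible owner"))
        if not r["target_date"].strip():
            findings.append((rid, "no implementation date"))
        # 2. Open for more than 12 months since identification.
        identified = date.fromisoformat(r["identified"])
        if r["status"] == "open" and as_of - identified > STALE_AFTER:
            findings.append((rid, "open for more than 12 months"))
        # 3. Open and already past the date the register itself committed to.
        if r["status"] == "open" and r["target_date"].strip():
            if date.fromisoformat(r["target_date"]) < as_of:
                findings.append((rid, "past target date and still open"))
        # 4. Claimed mitigated, but nothing an auditor could be shown.
        if r["status"] == "mitigated" and not r["evidence"].strip():
            findings.append((rid, "mitigated with no evidence recorded"))
    return findings


def audit(text, as_of_iso):
    """Convenience wrapper: parse the register text and check it as of an ISO date."""
    return check_register(load_register(text), date.fromisoformat(as_of_iso))


def summarize(findings):
    """Count findings per risk so the worst-documented risks surface first."""
    counts = {}
    for rid, _ in findings:
        counts[rid] = counts.get(rid, 0) + 1
    return counts


if __name__ == "__main__":
    # 2026-03-23 is the article's publication date, used here as the audit date.
    for rid, finding in audit(SAMPLE_REGISTER, "2026-03-23"):
        print(f"{rid}: {finding}")
```

Run against the constructed register as of March 23, 2026, the check flags R-003 three times (no control, no owner, no date), R-002 as both stale and past its target date, R-004 as past its target date, and R-005 as mitigated with nothing to show for it; R-001 is the only fully documented row. Pointing the same check at a real register exported from a GRC tool or spreadsheet is the quickest way to see what an OCR or state AG request for the risk register would surface.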

State AG Enforcement Is a Parallel Track, Not a Backup

The conventional compliance framework treats state AG enforcement as secondary to OCR -- a fallback when federal enforcement has not acted. The Comstar case inverts that assumption. The state AG action resulted in a penalty more than six times larger than the federal OCR settlement ($515,000 vs. $75,000), required more prescriptive technology implementations, and imposed a three-year reporting obligation to the AGs directly. The state actions moved faster and hit harder.

The practical implication for healthcare organizations operating in Massachusetts, Connecticut, California, New York, or any state with an active AG healthcare enforcement program: your compliance exposure does not end at OCR. State AG investigations can run in parallel, investigate independently, and impose requirements that go beyond what OCR requires. Multi-state health systems face compounded exposure when a single breach triggers multiple state AG investigations.

Vendor Risk Is Organizational Risk

Comstar's clients had no direct involvement in the security failures that led to the breach. They had BAA relationships with Comstar. They trusted that Comstar was handling their patient data appropriately. Seventy of them ended up in OCR's breach data and faced their own notification obligations to patients, media, and regulators. The organizations whose patients' data was in Comstar's systems were downstream victims of a vendor's compliance failure -- and their compliance obligations were triggered regardless.

The only contractual protection available in that situation is a BAA with teeth: one that requires the vendor to maintain an adequate security program, to notify the covered entity promptly when an incident occurs, and that gives the covered entity the right to audit the vendor's security posture before a breach reveals its absence.


VI.  2026 Compliance Roadmap

The following checklist integrates both enforcement tracks into a single prioritized action plan. Its rows fall into four categories: risk analysis and risk management -- the OCR expansion target; BAA strengthening and vendor oversight; training and audit preparation; and the dual enforcement planning that the Comstar case makes necessary.

Priority | Category | Action | How to Execute | Timeline
IMMEDIATE | Risk Analysis | Conduct or refresh your enterprise-wide HIPAA risk analysis if it has not been updated in the past 12 months or since your last significant system change | Engage an independent third party if internal resources are limited; ensure the analysis covers all ePHI locations including cloud platforms, vendor portals, email systems, and remote access endpoints; document every identified risk and vulnerability with severity ratings | THIS QUARTER
IMMEDIATE | Risk Management | Build or update your risk register: map every risk identified in your analysis to a specific control, responsible owner, implementation date, and current status | This is the 2026 expansion target. OCR will now require documentation that identified risks were actively mitigated -- not just listed. A risk register with open items older than 12 months is an audit liability. | THIS QUARTER
HIGH | BAA Strengthening | Add four specific clauses to all BAA renewals: 48-72 hour notification window; annual security attestation; explicit audit rights; WISP confirmation from vendor | The Comstar case documents exactly what a BAA without these clauses costs -- 585,621 affected individuals across 70 clients, $590,000 in total penalties, plus corrective action requirements. Pull your top five vendor BAAs this week and flag renewal dates. | 30 DAYS
HIGH | Vendor Audit | Audit your highest-risk business associates -- ambulance billing, clearinghouses, revenue cycle -- for WISP adequacy and security program documentation | Ambulance billing vendors are a common CAH/rural hospital BA category and are specifically documented as a regulatory target. Request current WISP documentation and most recent security assessment results from any vendor handling PHI. | 30 DAYS
HIGH | Workforce Training | Update annual workforce training to explicitly cover phishing identification, credential hygiene, and the employee's role in the risk management program | TWRTC (Action 11) was a phishing attack on an email account -- exactly the training gap that workforce education is designed to close. Generic HIPAA privacy training does not satisfy this requirement. Training must address the specific threat vectors in your risk analysis. | 60 DAYS
HIGH | Audit Preparation | Compile a compliance evidence package: current risk analysis, risk register with remediation dates, BAA inventory, workforce training logs, incident response plan | OCR and state AGs routinely request risk analysis documents within days of a breach report. Organizations that cannot produce these quickly face additional scrutiny. Maintain this package as a living document, not a one-time audit preparation exercise. | 60 DAYS
MEDIUM | Dual Enforcement Planning | Brief leadership and legal counsel on state AG HIPAA enforcement authority and multi-state risk; confirm cyber insurance explicitly covers state AG penalties and multi-state compliance costs | The Comstar case was pursued by two state AGs under HITECH-granted HIPAA enforcement authority. Your organization could face simultaneous federal OCR and multi-state AG investigation from a single breach. Most healthcare cyber policies do not automatically cover state AG civil penalties -- verify explicitly. | 60 DAYS

FOR CAHs AND RURAL HOSPITALS: The two highest-priority items are the risk analysis refresh and the BAA audit. Both are directly tied to the enforcement patterns documented in this article. If your organization has a relationship with an ambulance billing vendor, clearinghouse, or revenue cycle company, request their WISP documentation this week -- before the next breach creates a cascading notification obligation.

VII.  Looking Ahead

The HIPAA Security Rule Update and What It Formalizes

The proposed HIPAA Security Rule updates, with a May 2026 finalization target, will formally codify several of the requirements that OCR is already enforcing through its initiative. The proposed rule includes explicit provisions for risk management documentation, vendor and supply-chain oversight, and specific technology requirements for covered entities and business associates. Organizations that address the gaps documented in this article now are building compliance infrastructure ahead of formal mandate -- rather than scrambling to retrofit their programs after the rule takes effect.

More AG Actions Are Coming

The Comstar settlement is not an isolated example of state AG healthcare enforcement. California AG Rob Bonta has been active in healthcare data breach investigations. New York AG Letitia James pursued healthcare-related data breach actions throughout 2024 and 2025. The HITECH-granted AG enforcement authority that Massachusetts and Connecticut exercised against Comstar is available to every state AG in the country. As OCR's enforcement backlog persists and state-level consumer protection frameworks continue to expand, the state AG track will increasingly run in parallel with -- rather than secondary to -- federal HIPAA enforcement.

The Right of Access Initiative Continues

OCR's Right of Access Initiative -- which has produced more than 50 enforcement actions -- continues in 2026. Organizations focused on the Risk Analysis Initiative expansion should not treat this as a distraction from the right of access requirement. The two initiatives can both generate enforcement exposure simultaneously. Patients continue to file right of access complaints when requests for records are delayed or denied, and OCR continues to respond. The compliance program that addresses both is the one that manages the full scope of current enforcement risk.


VIII.  Conclusion

The two enforcement stories in this article describe the same problem at different scales. OCR's Risk Analysis Initiative documents a pattern of organizations that either never performed a risk analysis or performed one and failed to act on the results. Comstar documents what happens when a business associate skips the foundational exercise entirely: cascading notification obligations for 70 clients, $590,000 in federal and state penalties, two corrective action plans, and three years of annual security reports submitted to regulators.

The 2026 enforcement expansion from risk analysis to risk management closes the remaining gap. It is no longer sufficient to have a document that identifies your risks. You must have a program that addresses them -- with evidence that the program was implemented, maintained, and updated when the risk environment changed.

For compliance officers, the practical takeaway from both stories is the same: pull your current risk analysis, pull your risk register, and ask two questions. First: is every significant risk on this list paired with a documented mitigation and an implementation date? Second: does every business associate BAA require the vendor to answer those same questions? If either answer is no, you have work to do before the next breach report triggers an OCR investigation or a state AG inquiry.

The enforcement infrastructure is in place. The initiative is expanding. The cost of inaction is documented.


RESOURCES:  OCR Risk Analysis Initiative enforcement actions: hhs.gov/hipaa/for-professionals/security/guidance  |   OCR Q1 2026 Cybersecurity Newsletter: hhs.gov/ocr  |   Massachusetts AG Comstar consent judgment: mass.gov/ago  |   Connecticut AG announcement: portal.ct.gov/ag  |   OCR Breach Portal: hhs.gov/hipaa   |  NIST HIPAA Security Rule Toolkit (risk analysis support): healthit.gov   |  FBI IC3 incident reporting: ic3.gov


Published: March 23, 2026  |  Audience: HIPAA Compliance Officers, Healthcare IT Directors, CAH and Rural Hospital Executives, Legal Counsel, Risk Management Teams

This article is for informational purposes only and does not constitute legal advice. Settlement amounts and corrective action plan terms are based on publicly available OCR announcements, Massachusetts AG and Connecticut AG press releases, and court filings as of March 23, 2026. The Comstar consent judgment is pending court approval. Consult qualified legal counsel regarding your organization's specific HIPAA obligations and enforcement risk.

About the Author

Health Tech Authority Editorial Team

Health Tech Authority is an independent publication covering the technology side of health care organizations. We exist for the people in the mix - the systems administrators keeping servers online at 2 AM, the network engineers segmenting clinical VLANs on a shoestring budget, the security officers trying to hold the HIPAA line with half the resources a comparably sized non-health care organization would have, and the IT managers and administrators making technology decisions that directly affect patient care.

Content published under this account represents collaborative editorial work produced by the Health Tech Authority team. That includes original reporting, technical analysis, regulatory coverage, and practitioner-focused guidance across our core coverage areas: infrastructure and systems administration, networking, security and compliance, cloud and Microsoft 365 administration, clinical systems and health data, and the broader technology landscape serving health care organizations.

We cover what health care IT professionals actually need to know, written in a way that respects both their time and their intelligence. No fluff, no vendor press release rewrites, no thought leadership buzzword soup - just straightforward coverage of the systems, tools, and decisions that keep health care organizations running.

If you have a topic suggestion, a correction, or want to contribute, reach out through the Contact page.