HIPAA Violation Settlement: Maryland Firm Fined for Unreported Breach Impacting 15 Million
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has resolved its second HIPAA enforcement action of 2024, securing a settlement with MMG Fusion LLC, a Maryland-based software provider for oral healthcare practices. The company agreed to pay a $10,000 penalty and implement a corrective action plan following an unreported data breach that exposed the protected health information (PHI) of 15 million individuals.
The breach occurred on December 21, 2020, when an unauthorized actor infiltrated MMG’s network, accessing and exfiltrating sensitive data including names, contact details, dates of birth, and medical appointment records. The stolen information was later posted on the dark web. Despite the scale of the incident, MMG failed to report the breach to OCR or notify affected healthcare providers, allowing it to go undetected until a complaint prompted an investigation in January 2023.
OCR’s probe revealed multiple HIPAA violations, including:
- Failure to conduct a required risk assessment to identify vulnerabilities in electronic PHI (ePHI) security.
- Non-compliance with the HIPAA Privacy Rule, which restricts unauthorized use or disclosure of PHI.
- Violation of the Breach Notification Rule, as MMG did not alert affected covered entities or individuals.
Under the settlement, MMG must:
- Perform a comprehensive risk analysis and develop an enterprise-wide risk management plan.
- Establish and distribute HIPAA-compliant policies and procedures.
- Provide workforce training and submit materials to OCR for review.
- Compile a list of all affected clients and, once OCR approves the risk assessment, notify impacted covered entities and individuals.
OCR Director Paula M. Stannard emphasized the importance of timely breach reporting, noting that business associates must notify covered entities within 60 days of discovery to ensure compliance with notification requirements. The case highlights OCR’s focus on risk analysis failures and breach notification lapses, which remain leading causes of HIPAA penalties.
Source: https://www.hipaajournal.com/mmg-fusion-hipaa-settlement/
MMG Fusion cybersecurity rating report: https://www.rankiteo.com/company/mmg-fusion
{
  "id": "MMG1772735450",
  "linkid": "mmg-fusion",
  "type": "Breach",
  "date": "12/2020",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "15 million individuals",
      "industry": "Healthcare (Oral healthcare practices)",
      "location": "Maryland, USA",
      "name": "MMG Fusion LLC",
      "type": "Software provider"
    }
  ],
  "attack_vector": "Unauthorized network infiltration",
  "data_breach": {
    "data_exfiltration": "Yes (posted on the dark web)",
    "number_of_records_exposed": "15 million",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (names, contact details, dates of birth, medical appointment records)",
    "type_of_data_compromised": "Protected health information (PHI)"
  },
  "date_detected": "2023-01-01",
  "description": "The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) resolved a HIPAA enforcement action with MMG Fusion LLC, a Maryland-based software provider for oral healthcare practices. The company agreed to pay a $10,000 penalty and implement a corrective action plan following an unreported data breach that exposed the protected health information (PHI) of 15 million individuals.",
  "impact": {
    "data_compromised": "Protected health information (PHI) including names, contact details, dates of birth, and medical appointment records",
    "financial_loss": "$10,000 (penalty)",
    "identity_theft_risk": "High",
    "legal_liabilities": "HIPAA violations",
    "systems_affected": "MMG Fusion LLC network"
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Yes"
  },
  "investigation_status": "Resolved (settlement reached)",
  "lessons_learned": "Importance of timely breach reporting and compliance with HIPAA risk assessment requirements.",
  "post_incident_analysis": {
    "corrective_actions": [
      "Comprehensive risk analysis",
      "Enterprise-wide risk management plan",
      "HIPAA-compliant policies and procedures",
      "Workforce training",
      "Notification of affected entities"
    ],
    "root_causes": [
      "Failure to conduct a risk assessment",
      "Non-compliance with HIPAA Privacy Rule",
      "Violation of Breach Notification Rule"
    ]
  },
  "recommendations": "Conduct regular risk assessments, implement HIPAA-compliant policies, ensure breach notifications are timely, and provide workforce training.",
  "references": [
    {
      "source": "U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)"
    }
  ],
  "regulatory_compliance": {
    "fines_imposed": "$10,000",
    "legal_actions": "Corrective action plan mandated by OCR",
    "regulations_violated": [
      "HIPAA Privacy Rule",
      "HIPAA Breach Notification Rule"
    ],
    "regulatory_notifications": "Failure to report breach to OCR or notify affected healthcare providers"
  },
  "response": {
    "recovery_measures": "Notification of affected covered entities and individuals post-OCR approval",
    "remediation_measures": "Comprehensive risk analysis, enterprise-wide risk management plan, HIPAA-compliant policies and procedures, workforce training"
  },
  "threat_actor": "Unauthorized actor",
  "title": "HIPAA Violation Settlement: Maryland Firm Fined for Unreported Breach Impacting 15 Million",
  "type": "Data Breach"
}