• Helping you with HIPAA Security Solutions.
  • Call Us (631) 403-6687
  • Office HrsMon - Fri: 9.00am to 5:00pm
Log InSign Up

Organization Fined for failing to Report a Breach

  • March 15, 2026
  • By mbrody
  • 0 Comments

Organization Fined for failing to Report a Breach

by Michael L Brody, DPM

On March 5, 2026, the Office for Civil Rights (OCR) announced a settlement with MMG Fusion LLC, a software company that helps healthcare organizations communicate with patients.

The settlement addresses a data breach that exposed the protected health information (PHI) of about 15 million people.

OCR began investigating MMG in March 2023 after receiving a complaint about a security incident that was not reported and about patient information appearing on the dark web.

The investigation found that a hacker gained unauthorized access to MMG’s system and obtained sensitive patient information, including:

  • Names

  • Phone numbers

  • Mailing addresses

  • Email addresses

  • Dates of birth

  • Dates and times of medical appointments

To resolve the case, MMG agreed to pay $10,000 to the U.S. Department of Health and Human Services (HHS).

OCR also reminded healthcare organizations that must follow Health Insurance Portability and Accountability Act to take steps to prevent cyberattacks and protect electronic health information (ePHI). These steps include:

  • Knowing where electronic patient data is stored and how it moves through systems

  • Regularly checking for security risks and creating plans to fix them

  • Using audit controls to track system activity

  • Regularly reviewing system activity

  • Making sure only authorized users can access patient data

  • Encrypting patient data when stored or transmitted

  • Learning from security incidents to improve protection

  • Providing regular HIPAA training for staff based on their job roles

Each of the security measures recommended by OCR in the MMG settlement are included in the tools provided by TLD Systems for its clients.

If a breach occurs, it is critical that it is reported. Stolen data can appear on the dark web, where it may be discovered by others. Many patients now have credit monitoring services through their banks or credit card companies that scan the dark web for their personal information. Because of this, patients may learn about a breach involving their data even if the organization does not report it.

Tags: HIPAA BreachHIPAA Fines
mbrody

Read Comments

Add Your Comment