OCR Enforcement
Assured Imaging Fined for Never Conducting a Risk Analysis — 244,813 Patients Affected
TL;DR
Assured Imaging, a medical imaging provider operating across Arizona and California, was fined by OCR after a 2020 ransomware attack exposed the PHI of 244,813 individuals. OCR found the organization had never conducted a HIPAA Security Rule risk analysis and failed to notify affected individuals within the required 60-day window — two separate violations that compounded each other's penalty exposure.
OCR's settlement with Assured Imaging highlights two compounding violations: no risk analysis ever conducted and delayed breach notification. Here is what every covered entity must learn from this case.
Of the four ransomware settlements OCR announced on April 23, 2026, the Assured Imaging case is the most instructive. It is not just a story about a ransomware attack. It is a story about what happens when an organization operates as a HIPAA covered entity for years without ever fulfilling its most fundamental Security Rule obligation — and then compounds that failure with a delayed response when the inevitable breach occurs.
What happened
The largest financial penalty announced this month resolved potential HIPAA violations identified by OCR during an investigation of a ransomware-related data breach at Assured Imaging Affiliated Covered Entities, a medical imaging and screening service provider with corporate headquarters in Arizona and California. The ransomware attack was discovered on May 19, 2020, and involved the theft of ePHI such as names, contact information, dates of birth, diagnosis and conditions, lab results, medications, and treatment information of 244,813 individuals.
The nature of the exposed data matters here. Medical imaging records contain among the most sensitive PHI a healthcare organization can hold — diagnoses, lab results, and treatment information that patients share in contexts of significant vulnerability. A breach of this data carries real potential for harm through discrimination, stigma, and identity fraud.
The two violations — and why they compound
OCR identified two distinct violations at Assured Imaging. Understanding each is essential.
Violation 1 — No risk analysis, ever.
Assured Imaging was unable to provide evidence that a risk analysis had ever been completed.
This is the most serious finding OCR makes in a breach investigation. It is not a finding that the risk analysis was outdated, or incomplete, or not updated after a system change. It is a finding that the organization — which had been handling the PHI of hundreds of thousands of patients — had never once conducted the foundational assessment required by the HIPAA Security Rule.
45 CFR §164.308(a)(1)(ii)(A)
Without a risk analysis, every other Security Rule safeguard becomes a guess. Access controls, encryption decisions, incident response planning — all of these depend on knowing what ePHI you hold, where it lives, and what threatens it. Assured Imaging did not know those things because it had never looked.
Violation 2 — Late breach notification.
OCR determined that Assured Imaging failed to notify the affected individuals within 60 days, as required by the HIPAA Breach Notification Rule.
The breach was discovered May 19, 2020. The 60-day individual notification deadline was July 18, 2020. Missing that deadline is an independent HIPAA violation — separate from the breach itself and separate from the risk analysis failure.
45 CFR §164.404(b)
Warning: Breach notification timing is non-negotiable. The 60-day clock runs from the date of discovery — not the date your investigation concludes, not the date you confirm the scope of the breach, not the date your legal team finishes its review. Missing this deadline creates a second independent violation on top of whatever caused the breach.
The stackable violation problem
Breach notification timeliness remains a separate, stackable violation, as illustrated by OCR's settlement with Assured Imaging.
This is a critical concept for every covered entity to understand. HIPAA violations do not merge — they stack. An organization that experiences a ransomware attack and had no risk analysis faces one set of penalties. The same organization that also misses its 60-day notification deadline faces an additional set of penalties for the notification failure. Each violation category carries its own annual penalty cap.
For Assured Imaging, two violation categories — risk analysis failure and breach notification failure — meant two separate penalty tracks running simultaneously.
What the corrective action plan requires
As part of the settlement, Assured Imaging agreed to a corrective action plan that OCR will monitor. Based on OCR's standard CAP requirements for similar cases, this includes:
- Conducting and documenting a comprehensive, enterprise-wide risk analysis covering all systems containing ePHI.
- Developing a risk management plan that addresses every identified vulnerability with assigned responsibility and timelines.
- Implementing written HIPAA policies and procedures.
- Providing workforce training.
- Establishing and testing breach detection and response procedures — including clear ownership of the 60-day notification deadline.
Three things every medical imaging organization must do now
The Assured Imaging case has specific implications for medical imaging providers — a category of covered entity that handles particularly sensitive PHI across multiple locations and systems.
Audit your ePHI inventory immediately. Medical imaging organizations typically operate across multiple facilities with complex technology infrastructure — PACS systems, diagnostic workstations, cloud archives, and referring physician portals all potentially containing ePHI. Your risk analysis must cover every one of these systems. An asset inventory is the foundation.
Establish a 60-day notification tracking system. From the moment any potential breach is discovered, a documented countdown must begin. Every person involved in breach response — IT, legal, compliance, leadership — must know the deadline and their role in meeting it. Missing the deadline because the investigation was still ongoing is not a defense OCR accepts.
Do not let investigation timelines override notification obligations. Organizations often delay notification while investigating the scope of a breach. This is understandable operationally but legally dangerous. HIPAA permits notification with incomplete information, supplemented later. It does not permit notification delays while you gather complete information.
Assured Imaging had never conducted a risk analysis. That single failure made every other compliance question moot — because without knowing what you have and what threatens it, every security decision your organization makes is uninformed. The risk analysis is not a compliance formality. It is the document that proves your organization knows what it is protecting.
Sources & citations
- HHS OCR — April 23, 2026 Ransomware Enforcement Actions
- HIPAA Journal — OCR Fines Four Entities for Ransomware Violations
- 45 CFR §164.308(a)(1) — Risk Analysis Requirement
- 45 CFR §164.404 — Individual Breach Notification
All content verified against official HHS guidance and the Code of Federal Regulations.
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.