OCR Enforcement
A Behavioral Health Provider Put Discharge Summaries Online. It Cost $225,000: The Deer Oaks Settlement
TL;DR
Deer Oaks, a behavioral health provider serving residents of long-term care and assisted living facilities, settled with OCR for $225,000 and a two-year corrective action plan. OCR opened the investigation in May 2023 after a complaint that Deer Oaks had made patient discharge summaries publicly accessible online, impermissibly disclosing ePHI including patient names, dates of birth, patient identification numbers, facilities, and diagnoses. As in nearly every recent OCR action, the agency also found a risk analysis deficiency. The case is a warning on two fronts: accidental public exposure of PHI through misconfigured or publicly reachable systems is a fully enforceable violation, and behavioral health data carries heightened sensitivity that raises the stakes of any disclosure.
Deer Oaks, a behavioral health provider, made patient discharge summaries publicly accessible online, exposing names, dates of birth, and diagnoses. OCR's $225,000 settlement is a warning about accidental public exposure and the special sensitivity of behavioral health data.
Not every HIPAA violation involves a hacker. Some involve a document that was simply left where anyone could find it. The Deer Oaks settlement is the second kind, and it is a reminder that OCR enforces accidental exposure with the same seriousness it applies to ransomware, especially when the data involved is as sensitive as behavioral health records.
What happened
Deer Oaks, known as The Behavioral Health Solution, provides psychological and psychiatric services to residents of long-term care and assisted living facilities. As a healthcare provider that creates, receives, maintains, and transmits protected health information, it is a HIPAA covered entity subject to the full Privacy and Security Rules.
OCR opened its investigation in May 2023 after receiving a complaint. The allegation was specific: Deer Oaks had made patient discharge summaries publicly accessible online. Those summaries were not empty forms. They contained patient names, dates of birth, patient identification numbers, the facilities where patients received care, and their diagnoses.
For a behavioral health provider, a diagnosis is among the most sensitive pieces of information a patient has. Making that information publicly reachable, alongside the identifiers needed to tie it to a specific person, is precisely the kind of disclosure the Privacy Rule exists to prevent.
45 CFR §164.502(a)The two findings
OCR's resolution reflects two distinct problems, and both are instructive.
The impermissible disclosure. The core violation was the public exposure of the discharge summaries. This is worth dwelling on because it upends a common assumption. Many organizations think of HIPAA enforcement as something that follows a cyberattack, an external adversary breaking in. But there was no attacker here. The information was disclosed because it was placed, or left, somewhere the public could reach it. HIPAA does not require malice or intrusion for an impermissible disclosure to occur. The exposure itself is the violation.
The risk analysis deficiency. As in nearly every OCR action of the past two years, the agency also pointed to risk analysis. OCR has repeatedly described the same pattern in its investigations: entities that lack a risk analysis entirely, or that fail to update it when they add new technologies or expand operations. A proper, current risk analysis is designed to catch exactly this kind of exposure, by forcing an organization to map where its PHI lives and to ask whether any of it is reachable by people who should not see it.
The corrective action plan
Deer Oaks paid $225,000 and agreed to a corrective action plan that OCR will monitor for two years. The plan is a template of what OCR now expects from every organization it settles with:
Review and update the risk analysis annually to determine the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Develop and implement a risk management plan to address the risks the analysis identifies. Maintain and revise written HIPAA policies and procedures as needed. And provide annual HIPAA training to every workforce member with access to PHI.
45 CFR §164.308(a)(1)There is a pattern in these corrective action plans worth internalizing: they are not punishments so much as descriptions of the compliance program the organization should have had all along. Every requirement in the plan is something the Security Rule already expected.
Why this case matters: two lessons
Accidental public exposure is fully enforceable. The most important takeaway is that you do not need to be breached to be penalized. A misconfigured server, an unsecured page, a document store reachable without a login, a patient portal that exposes more than it should, any of these can put PHI in public view, and any of them can produce an enforcement action. Organizations that pour all their attention into defending against external attackers while leaving their own systems publicly reachable are defending one door while leaving another wide open.
Behavioral health data raises the stakes. The sensitivity of the information amplifies everything. Behavioral health diagnoses carry real risks of stigma and discrimination, and their exposure can cause profound personal harm. Providers in this space should treat any potential exposure as high-severity, and should be aware that some of their data, particularly substance use disorder records, may carry additional protections under 42 CFR Part 2, which OCR began enforcing in 2026.
Warning
You do not have to be hacked to violate HIPAA. Making PHI publicly accessible online, through a misconfiguration or an unauthenticated page, is an impermissible disclosure and a fully enforceable violation. Check that no system holding PHI is reachable from the public internet without authentication, and treat behavioral health data as especially high-stakes given the harm its exposure can cause.
What to do now
Test your systems for unauthenticated public access. For every system that holds PHI, verify that none of it can be reached from the public internet without a login. This includes patient-facing portals, document stores, internal tools that may be inadvertently exposed, and any pages that serve documents like discharge summaries.
Store sensitive documents in access-controlled systems only. Discharge summaries, assessments, and similar documents should live in systems that require authentication and enforce access controls, never on public pages or unsecured file locations.
Put public-exposure scenarios in your risk analysis. A risk analysis that only considers external attackers is incomplete. It must also ask whether your own systems expose PHI to people who should not see it. Public reachability is a vulnerability like any other.
Give behavioral health data heightened protection. If you handle mental health or substance use information, apply your strongest controls, confirm whether Part 2 applies to any of your records, and treat any exposure as a high-severity incident.
The takeaway
Deer Oaks, a behavioral health provider, paid $225,000 after making patient discharge summaries, complete with names, dates of birth, and diagnoses, publicly accessible online. No attacker was involved. The case establishes two lessons: accidental public exposure of PHI is a fully enforceable HIPAA violation, so defending only against external attackers while leaving your own systems publicly reachable is a critical blind spot; and behavioral health data carries heightened sensitivity that raises the stakes of any disclosure. Test every system holding PHI for unauthenticated public access, store sensitive documents only in access-controlled systems, include public-exposure scenarios in your risk analysis, and give behavioral health data your strongest protection.
Sources & citations
- HHS OCR — Deer Oaks Settlement Press ReleaseOpen
- 45 CFR §164.502 — Uses and Disclosures of PHI: General RulesOpen
- 45 CFR §164.308(a)(1) — Security Management Process (Risk Analysis)Open
All content verified against official HHS guidance and the Code of Federal Regulations.
Frequently asked questions
What did Deer Oaks do to trigger the OCR settlement?▾
How much did Deer Oaks pay and what does the corrective action plan require?▾
Why is behavioral health data treated as especially sensitive?▾
Is accidental public exposure of PHI still a HIPAA violation?▾
What should providers do to prevent this kind of exposure?▾
Related intelligence
OCR Enforcement
OCR Settles Ransomware Investigation with Employer-Sponsored Health Plan for $450,000
7 min read
OCR Enforcement
Your 'Success Story' Program Just Cost This Rehab Facility $182,000: The Cadia Healthcare HIPAA Settlement
7 min read
OCR Enforcement
An Accounting Firm Just Paid a HIPAA Fine: BST and Co. CPAs and What It Means for Professional Services Firms
6 min read
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.