News
Family Health Centers of Southern Indiana Discloses January 2026 Network Intrusion Exposing Patient PHI Including Social Security Numbers · Data BreachInterlock Ransomware Group Claims 540 GB from Texas Hearing Institute, Nearly 30,000 Pediatric Patients Notified · Data BreachWisconsin Department of Health Services Reports HIPAA Breach Affecting 8,157 Medicaid Recipients After Benefits Letters Mailed to Wrong Addresses · Data BreachAmazon's One Medical Seniors Hit by ShinyHunters Extortion Group: 8.8TB of Legacy Patient Data at Risk · Data BreachOpenLoop Health Telehealth Infrastructure Vendor Breach Exposes Patient Data Across Multiple Digital Health Clients · Data BreachHealthcare AI Vendor Xsolis Breach Exposes 1.4 Million Records Across Seven Hospital Systems Including Mayo Clinic · Data BreachHHS Breach Portal Backlog: OCR Still Adding March 2026 Breaches in Late June — What the Delay Means for Compliance Teams · AnalysisA Behavioral Health Provider Put Discharge Summaries Online. It Cost $225,000: The Deer Oaks Settlement · OCR EnforcementKettering Health Refused to Pay the Ransom. The Data Leaked Anyway: What 1.7 Million Exposed Records Teach About Ransomware and HIPAA · Data BreachOCR Settles Ransomware Investigation with Employer-Sponsored Health Plan for $450,000 · OCR EnforcementWhy a Third of Healthcare Breaches Now Trace Back to a Vendor: A Mid-Year 2026 Analysis · AnalysisFrom 4 Million to 60+ Million: The Conduent Breach Shows How Far Third-Party Risk Reaches · Data BreachFamily Health Centers of Southern Indiana Discloses January 2026 Network Intrusion Exposing Patient PHI Including Social Security Numbers · Data BreachInterlock Ransomware Group Claims 540 GB from Texas Hearing Institute, Nearly 30,000 Pediatric Patients Notified · Data BreachWisconsin Department of Health Services Reports HIPAA Breach Affecting 8,157 Medicaid Recipients After Benefits Letters Mailed to Wrong Addresses · Data BreachAmazon's One Medical Seniors Hit by ShinyHunters Extortion Group: 8.8TB of Legacy Patient Data at Risk · Data BreachOpenLoop Health Telehealth Infrastructure Vendor Breach Exposes Patient Data Across Multiple Digital Health Clients · Data BreachHealthcare AI Vendor Xsolis Breach Exposes 1.4 Million Records Across Seven Hospital Systems Including Mayo Clinic · Data BreachHHS Breach Portal Backlog: OCR Still Adding March 2026 Breaches in Late June — What the Delay Means for Compliance Teams · AnalysisA Behavioral Health Provider Put Discharge Summaries Online. It Cost $225,000: The Deer Oaks Settlement · OCR EnforcementKettering Health Refused to Pay the Ransom. The Data Leaked Anyway: What 1.7 Million Exposed Records Teach About Ransomware and HIPAA · Data BreachOCR Settles Ransomware Investigation with Employer-Sponsored Health Plan for $450,000 · OCR EnforcementWhy a Third of Healthcare Breaches Now Trace Back to a Vendor: A Mid-Year 2026 Analysis · AnalysisFrom 4 Million to 60+ Million: The Conduent Breach Shows How Far Third-Party Risk Reaches · Data Breach

OCR Enforcement

A Behavioral Health Provider Put Discharge Summaries Online. It Cost $225,000: The Deer Oaks Settlement

TL;DR

Deer Oaks, a behavioral health provider serving residents of long-term care and assisted living facilities, settled with OCR for $225,000 and a two-year corrective action plan. OCR opened the investigation in May 2023 after a complaint that Deer Oaks had made patient discharge summaries publicly accessible online, impermissibly disclosing ePHI including patient names, dates of birth, patient identification numbers, facilities, and diagnoses. As in nearly every recent OCR action, the agency also found a risk analysis deficiency. The case is a warning on two fronts: accidental public exposure of PHI through misconfigured or publicly reachable systems is a fully enforceable violation, and behavioral health data carries heightened sensitivity that raises the stakes of any disclosure.

Deer Oaks, a behavioral health provider serving residents of long-term care and assisted living facilities, settled with OCR for $225,000 and a two-year corrective action plan. OCR opened the investigation in May 2023 after a complaint that Deer Oaks had made patient discharge summaries publicly accessible online, impermissibly disclosing ePHI including patient names, dates of birth, patient identification numbers, facilities, and diagnoses. As in nearly every recent OCR action, the agency also found a risk analysis deficiency. The case is a warning on two fronts: accidental public exposure of PHI through misconfigured or publicly reachable systems is a fully enforceable violation, and behavioral health data carries heightened sensitivity that raises the stakes of any disclosure.

Deer Oaks, a behavioral health provider, made patient discharge summaries publicly accessible online, exposing names, dates of birth, and diagnoses. OCR's $225,000 settlement is a warning about accidental public exposure and the special sensitivity of behavioral health data.

medcomply.ai editorial teamPublished June 18, 2026Updated June 18, 20266 min read

Not every HIPAA violation involves a hacker. Some involve a document that was simply left where anyone could find it. The Deer Oaks settlement is the second kind, and it is a reminder that OCR enforces accidental exposure with the same seriousness it applies to ransomware, especially when the data involved is as sensitive as behavioral health records.

What happened

Deer Oaks, known as The Behavioral Health Solution, provides psychological and psychiatric services to residents of long-term care and assisted living facilities. As a healthcare provider that creates, receives, maintains, and transmits protected health information, it is a HIPAA covered entity subject to the full Privacy and Security Rules.

OCR opened its investigation in May 2023 after receiving a complaint. The allegation was specific: Deer Oaks had made patient discharge summaries publicly accessible online. Those summaries were not empty forms. They contained patient names, dates of birth, patient identification numbers, the facilities where patients received care, and their diagnoses.

For a behavioral health provider, a diagnosis is among the most sensitive pieces of information a patient has. Making that information publicly reachable, alongside the identifiers needed to tie it to a specific person, is precisely the kind of disclosure the Privacy Rule exists to prevent.

45 CFR §164.502(a)

The two findings

OCR's resolution reflects two distinct problems, and both are instructive.

The impermissible disclosure. The core violation was the public exposure of the discharge summaries. This is worth dwelling on because it upends a common assumption. Many organizations think of HIPAA enforcement as something that follows a cyberattack, an external adversary breaking in. But there was no attacker here. The information was disclosed because it was placed, or left, somewhere the public could reach it. HIPAA does not require malice or intrusion for an impermissible disclosure to occur. The exposure itself is the violation.

The risk analysis deficiency. As in nearly every OCR action of the past two years, the agency also pointed to risk analysis. OCR has repeatedly described the same pattern in its investigations: entities that lack a risk analysis entirely, or that fail to update it when they add new technologies or expand operations. A proper, current risk analysis is designed to catch exactly this kind of exposure, by forcing an organization to map where its PHI lives and to ask whether any of it is reachable by people who should not see it.

The corrective action plan

Deer Oaks paid $225,000 and agreed to a corrective action plan that OCR will monitor for two years. The plan is a template of what OCR now expects from every organization it settles with:

Review and update the risk analysis annually to determine the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Develop and implement a risk management plan to address the risks the analysis identifies. Maintain and revise written HIPAA policies and procedures as needed. And provide annual HIPAA training to every workforce member with access to PHI.

45 CFR §164.308(a)(1)

There is a pattern in these corrective action plans worth internalizing: they are not punishments so much as descriptions of the compliance program the organization should have had all along. Every requirement in the plan is something the Security Rule already expected.

Why this case matters: two lessons

Accidental public exposure is fully enforceable. The most important takeaway is that you do not need to be breached to be penalized. A misconfigured server, an unsecured page, a document store reachable without a login, a patient portal that exposes more than it should, any of these can put PHI in public view, and any of them can produce an enforcement action. Organizations that pour all their attention into defending against external attackers while leaving their own systems publicly reachable are defending one door while leaving another wide open.

Behavioral health data raises the stakes. The sensitivity of the information amplifies everything. Behavioral health diagnoses carry real risks of stigma and discrimination, and their exposure can cause profound personal harm. Providers in this space should treat any potential exposure as high-severity, and should be aware that some of their data, particularly substance use disorder records, may carry additional protections under 42 CFR Part 2, which OCR began enforcing in 2026.

Warning

You do not have to be hacked to violate HIPAA. Making PHI publicly accessible online, through a misconfiguration or an unauthenticated page, is an impermissible disclosure and a fully enforceable violation. Check that no system holding PHI is reachable from the public internet without authentication, and treat behavioral health data as especially high-stakes given the harm its exposure can cause.

What to do now

Test your systems for unauthenticated public access. For every system that holds PHI, verify that none of it can be reached from the public internet without a login. This includes patient-facing portals, document stores, internal tools that may be inadvertently exposed, and any pages that serve documents like discharge summaries.

Store sensitive documents in access-controlled systems only. Discharge summaries, assessments, and similar documents should live in systems that require authentication and enforce access controls, never on public pages or unsecured file locations.

Put public-exposure scenarios in your risk analysis. A risk analysis that only considers external attackers is incomplete. It must also ask whether your own systems expose PHI to people who should not see it. Public reachability is a vulnerability like any other.

Give behavioral health data heightened protection. If you handle mental health or substance use information, apply your strongest controls, confirm whether Part 2 applies to any of your records, and treat any exposure as a high-severity incident.

The takeaway

Deer Oaks, a behavioral health provider, paid $225,000 after making patient discharge summaries, complete with names, dates of birth, and diagnoses, publicly accessible online. No attacker was involved. The case establishes two lessons: accidental public exposure of PHI is a fully enforceable HIPAA violation, so defending only against external attackers while leaving your own systems publicly reachable is a critical blind spot; and behavioral health data carries heightened sensitivity that raises the stakes of any disclosure. Test every system holding PHI for unauthenticated public access, store sensitive documents only in access-controlled systems, include public-exposure scenarios in your risk analysis, and give behavioral health data your strongest protection.

Sources & citations

  • HHS OCR — Deer Oaks Settlement Press ReleaseOpen
  • 45 CFR §164.502 — Uses and Disclosures of PHI: General RulesOpen
  • 45 CFR §164.308(a)(1) — Security Management Process (Risk Analysis)Open

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

What did Deer Oaks do to trigger the OCR settlement?
OCR initiated its investigation in May 2023 after receiving a complaint that Deer Oaks had made patient discharge summaries publicly accessible online. Those summaries contained protected health information including patient names, dates of birth, patient identification numbers, the facilities involved, and diagnoses. Making that information publicly reachable was an impermissible disclosure of PHI under the HIPAA Privacy Rule.
How much did Deer Oaks pay and what does the corrective action plan require?
Deer Oaks paid $225,000 to OCR and agreed to a corrective action plan that OCR will monitor for two years. The plan requires Deer Oaks to review and update its risk analysis annually, develop and implement a risk management plan to address identified risks, maintain and revise HIPAA policies and procedures, and provide annual HIPAA training to every workforce member with access to PHI.
Why is behavioral health data treated as especially sensitive?
Behavioral health information, including mental health and substance use diagnoses, carries a heightened risk of stigma, discrimination, and personal harm if disclosed. While standard HIPAA rules apply to it, the real-world consequences of exposure are often more severe than for other health data, and additional protections such as 42 CFR Part 2 can apply to substance use disorder records. Providers handling behavioral health data should treat any exposure as high-stakes.
Is accidental public exposure of PHI still a HIPAA violation?
Yes. HIPAA does not require malicious intent for an impermissible disclosure to occur. Making PHI publicly accessible online, whether through a misconfiguration, an unsecured page, or a system reachable without authentication, is a disclosure not permitted by the Privacy Rule. OCR enforces these accidental exposures the same way it enforces disclosures caused by attacks.
What should providers do to prevent this kind of exposure?
Inventory every system that stores or transmits PHI and verify that none of it is reachable from the public internet without authentication. Test patient-facing and internal systems for unauthenticated access to documents. Include public-exposure scenarios in your risk analysis. And ensure documents like discharge summaries are stored in access-controlled systems, never on publicly reachable pages or unsecured file locations.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.