15 Million Records Exposed — MMG Fusion Settlement Shows Business Associates Are Squarely in OCR's Crosshairs
TL;DR
OCR settled with MMG Fusion LLC in March 2026 following a breach that exposed the PHI of approximately 15 million individuals. The settlement — OCR's 12th enforcement action under its Risk Analysis Initiative — found that MMG failed to conduct a risk analysis, impermissibly disclosed PHI, and failed to notify affected covered entities of the breach. Business associates are fully and directly liable under HIPAA.
OCR's March 2026 settlement with MMG Fusion — a software company whose breach exposed 15 million individuals — is the clearest signal yet that business associates face the same enforcement scrutiny as covered entities.
When a software company's systems are breached and 15 million patients' data ends up on the dark web, OCR investigates. When that same company also fails to notify the healthcare providers it serves that the breach occurred — that is when a settlement becomes a landmark.
What happened at MMG Fusion
On March 5, 2026, OCR announced a settlement with MMG Fusion LLC, a Maryland software company, concerning potential violations of HIPAA. The settlement resolves an investigation that OCR initiated in March 2023 after receiving a complaint concerning an unreported security incident at MMG, and the posting of PHI on the dark web.
OCR's investigation determined that in December 2020, an unauthorized actor infiltrated MMG's information system and accessed PHI, including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments.
The exposed data affected approximately 15 million individuals — making this one of the largest business associate breaches in OCR enforcement history.
Three violations — not one
OCR did not simply investigate the breach. It found three distinct HIPAA violations:
OCR found that MMG had potentially violated several provisions of the HIPAA Privacy, Security, and Breach Notification Rules, including: impermissibly disclosing the PHI of approximately 15 million individuals; failing to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI held by MMG; and failing to notify covered entities affected by the incident of the breach.
The third violation — failure to notify covered entities — is particularly significant. Many business associates understand they must secure PHI. Fewer understand that when a breach occurs, they have an independent legal obligation to notify every covered entity customer whose patients were affected, and they must do so within 60 days of discovery (45 CFR §164.410).
Why PHI ended up on the dark web
The investigation revealed the same gap that appears in nearly every major business associate breach investigation: no adequate risk analysis. Without a proper risk analysis, vulnerabilities go unidentified. Without identified vulnerabilities, they go unaddressed. The predictable result is exactly what happened at MMG — an unauthorized actor found an entry point that the organization did not know existed.
Warning: PHI appearing on the dark web is an automatic OCR investigation trigger. If your data surfaces on criminal forums, OCR will investigate — and they will look immediately for your risk analysis documentation.
The corrective action plan
Under the corrective action plan, MMG has committed to: conduct an accurate and thorough risk analysis; develop and implement a risk management plan to address and mitigate identified security risks; develop and maintain written HIPAA policies and procedures; ensure workforce training on Privacy and Security Rule requirements; and conduct a breach risk assessment of the December 2020 cyberattack and, to the extent possible, provide affected covered entities with accurate notice of the breach incident.
OCR will monitor the corrective action plan. The settlement amount was reduced based on OCR's consideration of MMG's financial condition — a reminder that OCR takes financial circumstances into account but does not waive penalties entirely.
What this means for SaaS companies and software vendors
The MMG Fusion settlement is the clearest OCR signal yet that software companies serving healthcare clients are not operating in a compliance gray area. They are Business Associates. They are fully subject to HIPAA. And when they fail — both in security and in breach notification — OCR will hold them accountable independently of whatever their covered entity customers did or did not do.
If your company provides software, IT services, billing services, or any other function that involves PHI belonging to healthcare providers' patients, the following are non-negotiable:
- Execute BAAs with every covered entity customer before touching their PHI. The BAA is not a formality — it is the legal instrument that defines your obligations and theirs.
- Conduct a HIPAA Security Rule risk analysis. The same requirement that applies to hospitals applies to your company. Document it. Update it when your systems or services change.
- Build a breach notification process before you need it. Know which covered entity customers you serve, how to contact them, and what information you must provide when a breach occurs. The 60-day clock runs from discovery — not from when you finish investigating.
- Train your workforce on HIPAA. Every engineer, product manager, and customer success employee who touches PHI systems needs HIPAA training. This is a Security Rule requirement, not a best practice suggestion.
The MMG Fusion settlement should be read by every SaaS founder and CTO serving the healthcare market. 15 million patients. Dark web exposure. Three separate HIPAA violations. An OCR-monitored corrective action plan. This is what it looks like when a business associate treats HIPAA as someone else's problem.
Sources & citations
- HHS OCR — MMG Fusion Settlement, March 5, 2026
- 45 CFR §164.410 — Business Associate Breach Notification
- 45 CFR §160.103 — Business Associate Definition