15 Million Records, a $10,000 Fine, and a Company That No Longer Exists: The MMG Fusion Story
TL;DR
MMG Fusion LLC exposed 15 million patients' protected health information in a 2020 breach that ended up on the dark web. OCR fined them $10,000 — one of the lowest fines relative to breach size in enforcement history — and issued a 3-year corrective action plan. The company has since dissolved. The case raises a question every covered entity must answer: what happens to your patients' data when a business associate fails, gets acquired, or goes out of business?
OCR fined MMG Fusion just $10,000 for exposing 15 million patients' data — the company has since dissolved. The real story is what this means for every dental practice that trusted them with patient data.
There is a number that has been circulating in the HIPAA compliance community since March 2026 that stops compliance officers cold: $10,000.
That is what OCR collected from MMG Fusion LLC for exposing the protected health information of 15 million patients. Not $10 million. Not $1 million. Ten thousand dollars — less than many small practices pay for a single piece of medical equipment.
The settlement is officially OCR's 12th enforcement action under its Risk Analysis Initiative. Unofficially it is a case study in what happens at the intersection of cybersecurity failure, business associate accountability, and corporate dissolution.
What MMG Fusion was and what happened
MMG Fusion LLC helped oral healthcare professionals market, manage, and grow their practices and provided software that communicated with patients. As a company that created, received, maintained, and transmitted protected health information on behalf of dental practices, MMG was a HIPAA business associate — subject to the full Security Rule, directly liable for its own violations, and required to have signed BAAs with every dental practice it served.
In December 2020, a malicious actor infiltrated MMG's systems. Over 15 million patients' protected health information was exposed in the cybercrime and leaked to the dark web.
The exposed data included patient names, contact information, dates of birth, and appointment scheduling information — the kind of data that enables identity theft and targeted phishing attacks against healthcare patients.
OCR determined that MMG committed three distinct violations: impermissible disclosure of PHI, failure to conduct an accurate risk analysis, and — critically — failure to notify the affected covered entities of the breach within the required 60-day window (45 CFR §164.410).
The $10,000 fine — why so small
MMG agreed to a $10,000 settlement and a 3-year Corrective Action Plan.
For context: OCR's standard penalty for a single willful neglect violation starts at $73,011. A breach affecting 15 million individuals, involving three separate HIPAA violations, would ordinarily support a penalty in the millions of dollars.
The $10,000 figure almost certainly reflects MMG's financial condition. HIPAA requires OCR to consider the financial resources of the entity when calculating penalties. An entity on the verge of dissolution — or one with limited assets — cannot realistically pay a multi-million dollar penalty. OCR's practical choice is to accept a reduced amount that the entity can actually pay, paired with a corrective action plan that requires ongoing compliance investment.
The corrective action plan spans three years and requires MMG to implement all the compliance measures it neglected before the breach. For a company that has since dissolved, the practical enforceability of a three-year CAP raises its own questions.
The company that no longer exists
The company no longer exists.
This single fact transforms the MMG Fusion settlement from an unusual enforcement story into an important lesson about business associate risk that every covered entity needs to internalize.
When a business associate dissolves, the following happen simultaneously:
The BAA becomes effectively unenforceable. The legal obligations remain in theory, but there is no operating entity to hold accountable, no assets to attach, and no management to compel compliance.
The corrective action plan becomes a document with no one to execute it. A three-year CAP requiring ongoing risk analyses, policy updates, and OCR reporting requires a functioning organization. A dissolved company cannot fulfill these obligations.
The patient data question becomes urgent. Where is the PHI now? Who controls it? What security protections, if any, remain in place for data held by a company that no longer exists? These questions may have no satisfactory answer.
The covered entities that trusted MMG with patient data — the dental practices that executed BAAs, integrated MMG's software into their operations, and sent patient information to MMG's systems — had no meaningful recourse against a dissolved entity.
What this means for your vendor relationships
This settlement is OCR's 12th enforcement action under its Risk Analysis Initiative, which launched in approximately October 2024. The pattern across these 12 actions is consistent. Regardless of how the breach occurred — ransomware, phishing, unauthorized access — the common thread is that the organization had not conducted a compliant risk analysis before the incident.
For covered entities, the MMG Fusion case adds a dimension to vendor risk that goes beyond the standard BAA checklist. The question is not just whether your business associate has signed a BAA and conducted a risk analysis. It is whether your business associate will still exist next year — and what happens to your patients' data if it doesn't.
Warning
The MMG Fusion settlement is a reminder that a BAA is a contract, not a guarantee. A business associate that dissolves, gets acquired, or becomes insolvent cannot fulfill its HIPAA obligations — and your patients bear the consequences. Vendor due diligence should include an assessment of financial stability, not just security practices.
Three things every covered entity should do in response:
Audit your current business associates. For each vendor that holds or accesses patient PHI, ask: what is their financial condition? Are they a stable, ongoing business? Do they carry cyber liability insurance? What happens to patient data in a wind-down scenario?
Review your BAA provisions. Standard BAA templates address data security obligations but rarely address business continuity scenarios. Consider adding provisions requiring notice of material financial distress, requirements to maintain cyber insurance, and data return or destruction obligations in the event of business closure.
Know what data each vendor holds. You cannot manage the risk of a vendor failure if you do not know what patient data that vendor has. Maintain a current inventory of what PHI each business associate holds, in what systems, and how it is protected.
OCR collected $10,000 from MMG Fusion for exposing 15 million patients' records. The company no longer exists. The patients' data was on the dark web. The dental practices that trusted MMG with their patients had limited recourse. The lesson is not that OCR under-enforced — it is that a BAA cannot protect your patients from a business associate that fails. Vendor risk management must go beyond contract execution.
Sources & citations
- Health Tech Authority — MMG Fusion Settlement Analysis
- Abyde — OCR Ransomware Settlements 2026
- 45 CFR §164.410 — Business Associate Breach Notification
All content verified against official HHS guidance and the Code of Federal Regulations.