Medcurity Compliance Digest — Week of June 15, 2026
Each week we read the OCR enforcement feed and the HHS breach portal so you don’t have to — and translate what’s there into what it means for the kind of practice you actually run. Here’s the week of June 15.
The short version: a quiet week on the enforcement side, a slow week on new portal postings, and a regulatory calendar that keeps slipping. That’s worth saying plainly rather than manufacturing drama — but the patterns underneath the quiet are exactly the ones that catch small and mid-sized providers off guard.
Section 1 — OCR enforcement actions (past 7 days)
No new OCR resolution agreements, civil monetary penalties, or settlements were announced in the June 12–19 window. We checked the HHS press room directly; the most recent press releases (June 8–18) cover nutrition, FDA labeling, mental-health funding, and elder-justice items — nothing from the Office for Civil Rights.
For context, the most recent HIPAA enforcement activity remains OCR’s four ransomware settlements announced April 23, 2026 — roughly $1.165M in penalties across four regulated entities, tied to ransomware incidents affecting about 427,000 individuals, with each case citing a failure to conduct an accurate and thorough risk analysis (45 CFR §164.308(a)(1)(ii)(A)). That action sits within OCR’s ongoing Risk Analysis Initiative, the through-line of nearly every Security Rule settlement over the past 18 months.
What a quiet enforcement week does not mean: it doesn’t mean enforcement has paused. OCR’s posted settlements lag the underlying investigations by months to years. The risk-analysis theme — and OCR’s newer emphasis on risk management (what you did with what your analysis found), not just the analysis document — is the standard you should assume you’ll be measured against.
Healthcare-vertical takeaway: Use the quiet week to do the unglamorous thing OCR keeps penalizing the absence of — confirm your risk analysis is current (dated within the last 12 months), covers every system that touches ePHI, and is paired with a written risk-management plan showing remediation of what you found. The settlements aren’t about having a breach; they’re about not being able to show the analysis-and-remediation paper trail afterward.
Section 2 — HHS Breach Portal: new additions
⚠️ Recency note: The HHS breach portal does not expose a public “date posted” field — only Breach Submission Date. As of this run (2026-06-19), the most recent submission date on the portal’s “Under Investigation” list is 06/02/2026; no 500+ breaches carry submission dates inside the June 12–19 window yet. Portal intake lags reporting (entities have up to 60 days to report, and OCR posts after review), so this section summarizes the freshest cluster of postings — submission dates roughly May 18 – June 2, 2026 — as the current picture rather than implying these all posted this week.
The freshest entries, newest first:
| Entity | State | Type | Individuals | Submitted | Vector |
|---|---|---|---|---|---|
| Jason R. Egbert OD PC (optometry) | WA | Provider | 1,225 | 06/02 | Hacking/IT — Network Server |
| United Medical Doctors | CA | Provider | 501 | 05/29 | Hacking/IT — Network Server |
| Virta Medical PC | CO | Provider | 14,636 | 05/23 | Hacking/IT — Network Server |
| Southern Illinois Ob-Gyn Associates | IL | Provider | 38,700 | 05/22 | Hacking/IT — Network Server |
| Acadia Healthcare Company (BA) | TN | Business Associate | 1,807 | 05/22 | Hacking/IT — Email |
| Radiology Associates of Richmond | VA | Provider | 266,183 | 05/21 | Hacking/IT — Network Server |
| Defense Health Agency (TriWest) | VA | Health Plan | 11,848 | 05/21 | Hacking/IT — Network Server |
| Southwest Behavioral Health Services | AZ | Provider | 2,316 | 05/20 | Hacking/IT — Email |
| Singing River Health System | MS | Provider | 53,888 | 05/19 | Hacking/IT — Network Server |
| Community Connections (behavioral health) | DC | Provider | 18,943 | 05/18 | Hacking/IT — Network Server |
| Greenbaum Rowe Smith & Davis LLP (law-firm BA) | NJ | Business Associate | 12,801 | 05/18 | Hacking/IT — Network Server |
Pattern callouts:
- Hacking/IT incident is the near-universal vector. Across the ~100 most recent portal entries, the overwhelming majority are “Hacking/IT Incident” landing on a Network Server or Email — the same dominant 2025–2026 pattern. Theft, loss, and improper disposal have become rounding errors by comparison.
- The vendor / BA-chain breach keeps recurring. This cluster includes a behavioral-health business associate (Acadia) and a law firm acting as a business associate (Greenbaum Rowe); a second law-firm BA, GrayRobinson, P.A., appeared in the late-April postings. When your attorney, billing vendor, or imaging partner gets hit, your patients show up in the count. This is the breach pattern most likely to surprise a small practice, because it didn’t happen on your network.
- Specialty and behavioral-health practices are well represented — OB-GYN, radiology, optometry, and two behavioral-health providers (Southwest Behavioral, Community Connections) in a single cluster.
Healthcare-vertical takeaway: The provider profile most exposed this week is the small-to-mid specialty or behavioral-health practice relying on outside vendors (billing, imaging, legal, EHR). One-line action: pull your Business Associate Agreement list and confirm each BA has a current BAA and that you’ve actually asked them — in writing — when they last completed a security risk assessment. The BA chain is where the count comes from.
Section 3 — Regulatory / enforcement signals
No new OCR guidance documents, FAQs, NPRM updates, or RFI responses were published in the past 7 days.
2026 Security Rule finalization watch: The proposed Security Rule overhaul (NPRM published in the Federal Register Jan 6, 2025; comment period closed March 7, 2025) remains proposed, not final, as of this run. OCR’s regulatory agenda had targeted a final rule for spring 2026 — that window has now passed with nothing published. ⚠️ Reporting indicates OCR is still working through roughly 4,700 public comments (figure widely cited but not officially confirmed by OCR); treat the count as approximate. There is no confirmed date for a final rule, and it may not issue at all; the proposed requirements could still be revised, delayed, or withdrawn.
The proposed rule’s headline shifts worth tracking now (so they’re not a surprise if finalized): mandatory rather than “addressable” safeguards, required asset inventories and network maps, mandatory encryption of ePHI at rest and in transit, MFA, and annual compliance audits. None are law yet — but each maps cleanly onto what OCR is already penalizing under the current rule’s risk-analysis standard.
Healthcare-vertical takeaway: You don’t need to wait for finalization to act on the parts that are already enforcement reality. An accurate asset inventory and a current risk analysis are the foundation of both the proposed rule and every recent settlement. Building those now is not premature — it’s the lowest-regret move on the board.
Section 4 — What this means for your practice
Stated plainly, here is what to do this week, by provider profile:
Small practices (1–10 providers): Your highest-probability breach this week doesn’t start on your network — it starts at a vendor. Spend 30 minutes confirming you have a signed, current BAA for every outside party that touches ePHI (billing, IT, EHR, answering service, shredding, legal). If you can’t produce the BAA, that’s the first gap OCR would find.
FQHCs / CHCs / rural hospitals: The portal keeps surfacing regional and community health systems (Singing River this cluster; rural hospitals in recent weeks). With lean IT staff, your exposure is unpatched internet-facing systems and email compromise. This week: confirm MFA is enforced on email and remote access, and that someone owns patch status for network servers. These two controls sit at the center of the recent Hacking/IT-on-Network-Server pattern.
Mental health / behavioral health providers: Two behavioral-health entities appear in this single cluster (Southwest Behavioral, Community Connections), and 42 CFR Part 2 records carry their own breach-reporting track. This week: verify that your incident-response plan accounts for both HIPAA and Part 2 reporting obligations, and that any SUD-related data is inventoried separately. Behavioral-health PHI is high-sensitivity and increasingly targeted.
Multi-site provider groups: Specialty groups (OB-GYN, radiology, ortho) dominate the recent postings. Distributed sites multiply your attack surface and make a single current, organization-wide risk analysis harder to maintain — which is precisely the gap OCR cites. This week: confirm your risk analysis covers every site and every shared system, not just the flagship location.
Section 5 — The Medcurity perspective
A quiet enforcement week doesn’t change the math: the settlements OCR does publish almost always come back to a missing or stale risk analysis and a missing risk-management trail — and the breaches filling the portal keep arriving through vendors and unpatched servers. Mapping your environment to the actual OCR-cited Security Rule sections, keeping the risk register current, and documenting workforce training are the through-line that turns “we had a breach” into “we can show what we did about the risk.” That’s the work that holds up whether or not the 2026 final rule ever lands.
Get ahead of the next digest
The fastest way to be ready for whatever next week’s portal surfaces is to have a current risk analysis and a vendor inventory you can actually produce on request. If you’d like a second set of eyes on either, explore Medcurity’s HIPAA compliance solutions — risk assessments, BAA tracking, and risk-management documentation built around exactly the Security Rule sections OCR keeps citing.
Frequently Asked Questions
Were there any new OCR HIPAA enforcement actions the week of June 15, 2026?
No new OCR resolution agreements, settlements, or civil monetary penalties were announced in the June 12–19, 2026 window. The most recent financial penalties remain the April 23, 2026 announcement of four ransomware-related Security Rule settlements totaling roughly $1,165,000. A quiet enforcement week is still a planning week, because the entities now appearing on the breach portal were typically breached months earlier. The recurring citation behind nearly every action is the HIPAA risk analysis requirement under 45 CFR §164.308(a)(1)(ii)(A).
Has the 2026 HIPAA Security Rule been finalized?
No. The January 2025 Notice of Proposed Rulemaking remains proposed and unfinalized as of June 2026. OCR’s spring 2026 target passed without a published final rule, and no revised timeline has been confirmed. Because OCR is already enforcing the spirit of the proposal through the Risk Analysis Initiative, practices should prepare now as if mandatory encryption, multi-factor authentication, and the removal of the “addressable versus required” distinction are coming. See our 2026 HIPAA Security Rule update for the full breakdown.
What was the most common healthcare data breach vector this week?
Hacking/IT incidents landing on a network server or email account dominate the most recent portal postings — the same pattern that has held across 2025–2026. The recurring twist this cluster is the vendor or business-associate chain: when a billing vendor, imaging partner, or law firm acting as a business associate is breached, that organization’s patients appear in the count. Confirming a current BAA inventory for every vendor with system access is the most direct defense.
Which healthcare organizations are most at risk right now?
The most exposed profile is the small-to-mid specialty or behavioral-health practice that relies on outside vendors for billing, imaging, EHR, or legal work. Distributed multi-site groups follow close behind, because a single organization-wide risk analysis is harder to keep current across sites — which is precisely the gap OCR cites. Understanding what a HIPAA risk assessment must enumerate, including every business associate with system access, is the first line of defense.
Sources: HHS Office for Civil Rights press room and HIPAA Breach Reporting portal (ocrportal.hhs.gov), accessed 2026-06-19; OCR HIPAA Security Rule NPRM (Federal Register, Jan 6, 2025). This digest summarizes publicly posted HHS/OCR information and does not characterize any organization’s conduct beyond what HHS publicly states.