The HHS’ Office for Civil Rights (OCR) has announced its 8th financial penalty of 2025. The latest penalty involved alleged violations of the HIPAA Security Rule’s risk analysis provision and the HIPAA Breach Notification Rule. Vision Upright MRI LLC, a magnetic resonance imaging (MRI) service company in California, agreed to pay a $5,000 financial penalty to resolve its alleged HIPAA violations.
OCR has now imposed 9 penalties under its risk analysis enforcement initiative. OCR targets risk analysis compliance because it is a foundational Security Rule requirement: risk management and the safeguards that protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) all depend on it. Failure to perform an accurate and thorough risk analysis is a common HIPAA violation.
OCR also appears to be focusing on Breach Notification Rule compliance. Under the HIPAA Breach Notification Rule, covered entities must notify the HHS Secretary (through the OCR breach portal) and the affected individuals within 60 days of discovering a data breach. When 500 or more individuals are affected, a media notice is also required. This is OCR’s second HIPAA compliance case in 2025 to include a penalty for a HIPAA Breach Notification Rule violation.
Vision Upright MRI operates from a single location in San Jose, California. On December 1, 2020, OCR notified Vision Upright MRI that it had opened an investigation into the healthcare provider’s HIPAA compliance. The settlement agreement does not say how OCR learned of the data breach, since the breach was not reported to OCR and no affected individual received a breach notification. The California Attorney General likewise does not appear to have been informed of the breach. The only breach report on the OCR breach portal involving Vision Upright MRI was listed on March 10, 2025, with 23,031 affected individuals.
According to OCR’s investigation, Vision Upright MRI had never performed a risk analysis to identify risks and vulnerabilities to ePHI, and it did not notify the affected individuals within 60 days of discovering the data breach. OCR stated that the ePHI of 21,778 individuals, including medical images and related ePHI, was stored on an unsecured Picture Archiving and Communication System (PACS) server. Vision Upright MRI used the server and PACS to store, access, and manage radiology images. The investigation also revealed that an unauthorized third party, possibly a hacker or a security researcher, had accessed the server.
Under the terms of the settlement, Vision Upright MRI will pay a $5,000 financial penalty. The healthcare provider will also implement a corrective action plan (CAP) to bring it into HIPAA compliance, and OCR will monitor compliance with the CAP for 2 years. The CAP requires Vision Upright MRI to perform a risk analysis to identify risks and vulnerabilities to ePHI; to create, implement, and maintain a risk management plan that reduces any risks and vulnerabilities identified by the risk analysis to a reasonable and appropriate level; to create, implement, and maintain policies and procedures that comply with the HIPAA Rules; to distribute those policies and procedures to the workforce and provide HIPAA training; and to send breach notifications to HHS, the media, and the affected individuals.
Cybersecurity threats affect both large and small healthcare organizations. Small providers should therefore also perform risk analyses to identify potential risks and vulnerabilities to PHI and address them.