By: HUB’s EB Compliance Team

Background

In October 2021, Star Group, L.P. Health Benefits Plan — the self-funded group health plan of Star Group, L.P. — experienced a ransomware attack that compromised the protected health information (PHI) of 9,316 plan participants. The plan properly filed a breach report with HHS as required under the HIPAA Breach Notification Rule.

Following an investigation, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) identified two significant violations: an impermissible disclosure of PHI affecting those 9,316 individuals, and a failure to conduct an accurate and thorough risk assessment of threats to the electronic PHI held by the plan. A Resolution Agreement and Corrective Action Plan (CAP) were agreed to by the parties in January 2026 — approximately four years after the breach occurred.

The Resolution Agreement

Under the terms of the Resolution Agreement, Star Group's health plan agreed to pay $245,000 in a single lump sum within seven days of the agreement's effective date. In exchange for the payment and Star Group's commitment to the accompanying CAP, HHS released the plan from further action related to the breach.

The Corrective Action Plan

In addition to the financial settlement, Star Group's health plan entered into a two-year CAP with HHS. The CAP requires the plan to complete the following, with documentation submitted to HHS for review and approval at each stage:

  • Conduct a comprehensive HIPAA Security Rule risk analysis covering all systems, devices and applications that store or transmit electronic PHI.
  • Develop an enterprise-wide Risk Management Plan to address vulnerabilities identified in the risk analysis.
  • Review and revise HIPAA Privacy, Security and Breach Notification policies and procedures.
  • Provide HIPAA training to all workforce members with access to PHI, with written certification required from each participant, and repeated at least annually.
  • Submit annual compliance reports to HHS throughout the two-year compliance term.
  • Retain all compliance-related documentation for six years.

The CAP also specifically required Star Group's health plan to review whether adequate separation exists between the plan sponsor (the employer) and the group health plan itself — an area many employers overlook.

Key takeaways

  • Self-funded group health plans implicate HIPAA — when an employer sponsors a self-funded group health plan, that plan is a HIPAA covered entity and must comply with the Privacy, Security and Breach Notification rules.
  • Ransomware is treated as a presumptive breach — under HHS guidance, when a ransomware attack involves systems containing PHI, it is treated as an impermissible disclosure unless the employer can affirmatively demonstrate otherwise. That requires documented evidence, and most employers are not positioned to meet that standard without adequate preparation.
  • A thorough and comprehensive risk analysis is critical in the wake of a breach — HHS cited the absence of a proper risk analysis as a primary violation. The HIPAA Security Rule requires covered entities to conduct and document a thorough assessment of risks to electronic PHI. Without it, an organization cannot demonstrate a baseline of compliance, and this gap appears consistently in HHS enforcement actions.

Questions employers should be asking

  • Do we have policies and procedures in place for HIPAA Privacy and HIPAA Security? What about Breach Notification protocols?
  • Are employees with access to PHI completing HIPAA training annually?
  • Do we have a written incident response procedure that addresses ransomware scenarios and HIPAA breach notification timelines?
  • Are Business Associate Agreements current with all vendors that handle PHI on our behalf?

Conclusion

This case serves as a reminder of the importance of HIPAA compliance for employers. It also highlights that HIPAA compliance is an ongoing requirement that must continuously be monitored.

If you have any questions, please contact your HUB advisor.

NOTICE OF DISCLAIMER

Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect, and Hub International does not have an obligation to update this information. You should consult an attorney, accountant or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.