May 2026
Natashia Wright, Director, Benefits Compliance
In April 2026, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a HIPAA enforcement action against an employer-sponsored group health plan, resulting in a $245,000 penalty and a two-year corrective action plan. Such direct actions against employer-sponsored plans are rare.
In 2021, the Star Group, L.P. Health Benefits Plan (“SG Health Plan”) in Connecticut suffered a ransomware incident that compromised the personal and health information of 9,316 individuals. The breach affected group health plan data governed by HIPAA. According to OCR, the SG Health Plan did not conduct a thorough risk analysis, failed to identify where electronic protected health information (“ePHI”) was stored, did not assess the vulnerabilities affecting that data, and lacked documented risk analysis procedures.
This enforcement action against an employer-sponsored plan is unusual and underscores the intersection between HIPAA requirements and Department of Labor (“DOL”) cybersecurity guidance for Employee Retirement Income Security Act (“ERISA”) fiduciaries. The case signifies heightened regulatory scrutiny of employer-maintained plans subject to ERISA.
Employer action items
- Revisit HIPAA compliance.
- Confirm when a risk analysis was last conducted, and evaluate the current security measures and the level of risk to PHI across your network infrastructure, vulnerability scanning, logging and alerting, and patch management.
Additional information and resources
- HIPAA Security Rule NPRM | HHS.gov
- US Department of Labor updates cybersecurity guidance for plan sponsors, fiduciaries, recordkeepers, plan participants to protect info, assets | U.S. Department of Labor
For more information
We’re ready when you are. Get in touch and a friendly, knowledgeable Baldwin advisor is prepared to discuss your business or individual needs, ask a few questions to get the full picture, and make a plan to follow up.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.