On May 15, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a settlement with Vision Upright MRI, a small California-based radiology provider, over alleged violations of the HIPAA Security and Breach Notification Rules. The enforcement action stems from a breach involving unauthorized access to a medical imaging server that exposed the protected health information (“PHI”) of over 21,000 individuals.
OCR initiated its investigation after receiving notification that Vision Upright MRI had experienced a breach involving its Picture Archiving and Communication System (“PACS”) server. The server, which stored and managed radiology images, had been accessed by an unauthorized third party.
OCR’s investigation revealed several key compliance failures:
- Vision Upright MRI had had not conducted a HIPAA risk analysis, as required by the Security Rule.
- Vision Upright MRI also failed to provide timely breach notifications to affected individuals, HHS, and the media, violating the Breach Notification Rule.
To resolve the investigation, Vision Upright MRI agreed to:
- Pay a $5,000 monetary settlement to OCR.
- Implement a corrective action plan that includes two years of OCR monitoring.
- Take remedial steps to improve its HIPAA compliance posture.
Under the corrective action plan, Vision Upright MRI must:
- Provide the required breach notifications to affected individuals, HHS, and the media.
- Submit a comprehensive risk analysis covering all systems and locations containing ePHI.
- Develop and implement a risk management plan to mitigate identified security vulnerabilities.
- Create and maintain updated written HIPAA policies and procedures.
- Provide HIPAA training to all workforce members with access to ePHI.
OCR Acting Director Anthony Archeval emphasized that HIPAA compliance obligations extend to entities of all sizes, and noted that small providers must conduct “accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”
This latest settlement reinforces OCR’s continued focus on cybersecurity risks in healthcare and the need for all regulated entities, regardless of size, to maintain robust privacy and security programs.