

Solara Medical Supplies Pays $3 Million to Settle HIPAA Security Rule Violations


April 8, 2026, by the AXIS CloudSync Compliance Team

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $3 million settlement with Solara Medical Supplies, a California-based supplier of insulin pumps and continuous glucose monitors, resolving potential violations of the HIPAA Security Rule and Breach Notification Rule.

The case stemmed from a 2019 phishing attack that compromised the protected health information (PHI) of approximately 114,000 individuals. OCR’s investigation found that Solara failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to ePHI, failed to implement a risk management plan, and did not provide timely breach notification to affected individuals and HHS.

Key violations identified:

  • No compliant risk analysis prior to the breach
  • Failure to implement adequate risk management policies
  • Delayed breach notification to affected patients
  • Insufficient workforce training on phishing and security threats

In addition to the $3 million payment — the largest HIPAA settlement of 2025 — Solara agreed to a corrective action plan requiring comprehensive updates to its security policies and procedures.

The takeaway for healthcare businesses: OCR's continued focus on risk analysis failures underscores that a documented, current risk assessment is not optional — it is the foundation of HIPAA Security Rule compliance. Organizations that cannot demonstrate they have identified their risks before a breach are significantly exposed to civil monetary penalties. Secure, encrypted file sharing and storage solutions like AXIS CloudSync help reduce your attack surface and support a defensible security posture.
