15 Million Records, a $10,000 Fine, and a Company That No Longer Exists: What the MMG Fusion Settlement Means for Your Vendor Relationships
On March 5, 2026, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced a settlement with MMG Fusion, LLC, a Maryland-based software company that provided patient communication and marketing tools to dental practices across the country. The numbers in this case are striking: approximately 15 million individuals had their protected health information (PHI) exposed after an unauthorized actor infiltrated MMG's systems in December 2020. The settlement amount? $10,000.
If your first reaction is "that is absurdly low for 15 million records," you are not wrong. But the real story here is not the dollar figure. It is everything that happened - and failed to happen - between the breach and the settlement, and what it tells health care IT teams about the risks sitting in their own vendor ecosystems right now.
What Happened
MMG Fusion operated a SaaS platform for dental and orthodontic practices, handling automated marketing, patient engagement, appointment reminders, reputation management, and related functions. Because MMG received PHI from covered entities and used it to communicate directly with patients, MMG was a business associate under HIPAA.
In December 2020, an unauthorized actor gained access to MMG's information systems. The compromised data included names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. That data was subsequently posted on the dark web.
Here is where the timeline gets ugly. MMG did not report the breach. MMG did not notify the affected covered entities - the dental practices whose patients' data had been stolen. OCR did not even learn about the incident until January 2023, when someone filed a complaint about an unreported security incident and the presence of PHI on the dark web. That is more than two years after the breach occurred.
OCR opened a formal investigation in March 2023. What they found was a trifecta of HIPAA failures.
The Three Violations
OCR's investigation identified potential violations across three separate HIPAA rules:
Impermissible Disclosure of PHI - Under 45 CFR 164.502(a), covered entities and business associates may only use or disclose PHI as permitted or required by the Privacy Rule. When an unauthorized actor exfiltrates PHI and posts it on the dark web, that is an impermissible disclosure regardless of how the attacker got in; the rule does not care whether the data walked out through a stolen credential, an unpatched service, or a misconfigured bucket. In MMG's case, this affected approximately 15 million individuals.
Failure to Conduct a Risk Analysis - Under 45 CFR 164.308(a)(1)(ii)(A), covered entities and business associates are required to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." This is not an addressable specification. It is a Required implementation specification under the Security Rule. OCR determined that MMG had not conducted a compliant risk analysis prior to the breach.
Failure to Notify Covered Entities of the Breach - Under 45 CFR 164.410, a business associate must notify affected covered entities of a breach of unsecured PHI "without unreasonable delay and in no case later than 60 calendar days after discovery." The clock runs from discovery, not from the date the business associate chooses to open an investigation, and under 164.410(a)(2) a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the business associate. MMG did not provide this notification. At all. For over two years.
That last point deserves emphasis. The breach notification chain under HIPAA depends on business associates notifying their covered entity clients promptly so those covered entities can, in turn, notify affected individuals and HHS. When a business associate fails to report, the entire notification chain breaks. Every dental practice that relied on MMG was left unaware that their patients' data was on the dark web, and those patients had no idea either.
As OCR Director Paula M. Stannard stated in the announcement: "When a breach occurs, business associates must notify affected covered entities without unreasonable delay and within 60 calendar days of discovery. This timeliness is crucial for a covered entity to meet its own breach notification obligations, such as timely notification to HHS and to individuals."
Why Only $10,000?
The settlement amount is notable precisely because it is so small relative to the scale of the breach. OCR explicitly stated that it considered MMG's financial condition in reaching the settlement. The resolution agreement was signed by HIQOR Dental as successor-in-interest to MMG Fusion, LLC, indicating that MMG had effectively ceased independent operations.
This is not a case of OCR going easy on a business associate. It is a case of OCR extracting what it could from an entity that, for all practical purposes, no longer exists as a going concern. The $10,000 penalty is secondary to the real enforcement mechanism here: the three-year Corrective Action Plan (CAP) that now binds the successor entity, and the very public documentation of exactly what went wrong.
OCR's enforcement penalty tiers, adjusted for inflation as of January 2026, can reach up to $2,190,294 per violation category per year. A solvent company facing these same findings would be looking at a very different number.
The Corrective Action Plan
The CAP requires the successor entity to:
- Conduct an accurate and thorough risk analysis covering all facilities, equipment, systems, and applications that create, store, transmit, or receive ePHI, starting with a complete asset inventory.
- Develop and implement a risk management plan to address and mitigate identified risks and vulnerabilities.
- Develop, maintain, and revise written policies and procedures in compliance with both the Privacy Rule and Security Rule.
- Train all workforce members on updated policies and procedures.
- Conduct a retroactive breach risk assessment of the December 2020 cyber-attack and, to the extent possible, provide affected covered entities with accurate breach notifications.
- Submit regular reports to OCR for the duration of the three-year monitoring period.
The CAP requirements read like a checklist of things that should have been in place before the breach ever happened. For many health care IT teams reading this, that checklist might sound uncomfortably familiar - not because you have had a breach, but because you know your own organization has gaps in these same areas.
OCR's Risk Analysis Initiative: The Bigger Picture
This settlement is OCR's 12th enforcement action under its Risk Analysis Initiative, which launched in October 2024. The initiative specifically targets failures to conduct accurate and thorough risk analyses under the HIPAA Security Rule, and OCR has made clear that it is not slowing down.
The pattern across these 12 actions is consistent. Regardless of how the breach occurred - ransomware, phishing, unauthorized access - the common thread is that the organization had not conducted a compliant risk analysis before the incident. The risk analysis is not just a regulatory checkbox. It is the foundation that everything else is built on. You cannot manage risks you have not identified, and you cannot demonstrate compliance with safeguard requirements if you have not first assessed what needs safeguarding.
OCR Director Stannard has confirmed that the initiative will continue in 2026 and will expand to include a focus on risk management failures - meaning it is no longer enough to simply have a risk analysis on file. OCR will also be examining whether organizations are actually acting on the risks they identify.
Adding to this enforcement momentum, OCR has confirmed that its long-awaited third phase of HIPAA compliance audits is underway, initially covering 50 covered entities and business associates, with risk analysis and risk management as primary focus areas.
What This Means for Health Care IT Teams
If you work in health care IT, this settlement should prompt some uncomfortable but necessary questions about your own vendor relationships.
Do you know which of your vendors are business associates? Every vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate under HIPAA. That includes your patient engagement platform, your appointment reminder service, your cloud-based fax provider, your IT support vendor, your shredding company, and potentially dozens of others. It also includes a cloud or hosting provider that stores your ePHI, even if the data is encrypted and the provider never holds the key; OCR's cloud computing guidance is explicit on that point. If you do not have a current, complete inventory of your business associates, that is your first action item.
Do you have signed Business Associate Agreements (BAAs) with all of them? Under 45 CFR 164.308(b)(1) and 45 CFR 164.504(e), a covered entity may only permit a business associate to handle ePHI if satisfactory assurances are obtained through a written contract. A BAA is a Required implementation specification. If you are missing BAAs, you have a compliance gap that OCR can and does cite in enforcement actions.
Do your BAAs include meaningful breach notification requirements? The HIPAA floor is 60 calendar days from discovery. Many organizations negotiate shorter notification windows in their BAAs - 30 days, 15 days, or even shorter - and a shorter contractual window does not change the regulatory deadline, but it does give you a contractual remedy and, more importantly, time to meet your own obligations to patients and HHS. MMG sat on this breach for over two years. Your BAA should include clear notification timelines, specific notification procedures (who is called, at what address, with what minimum information), and language about what happens when a business associate fails to comply. It should also require the business associate to flow the same terms down to its own subcontractors, which HIPAA already obligates it to do under 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2): a subcontractor that touches your PHI is itself a business associate, and a gap at that level breaks the notification chain just as effectively as MMG's silence did.
Are you performing any due diligence on your business associates' security posture? The MMG case illustrates what happens when covered entities trust a vendor's security without verification. At minimum, you should be asking your business associates whether they have conducted a current risk analysis, when it was last performed and what systems it covered, what their top identified risks are and what they have done about them, who their subcontractors with access to your PHI are, and what their incident response and breach notification procedure looks like. Ask for evidence rather than assurances: a dated risk analysis summary, a written incident response plan, and a named contact for breach notification. If a vendor cannot answer those questions, that should be a red flag.
Have you conducted your own risk analysis? If the answer is no, or if your last risk analysis is more than a year old, you are in the same position as 12 organizations that have already been on the wrong end of an OCR enforcement action. Under 45 CFR 164.308(a)(1)(ii)(A), conducting a risk analysis is a Required implementation specification. It is not addressable. It is not optional. It is the single most commonly cited violation in OCR enforcement actions, and it is the centerpiece of an active enforcement initiative.
A Note on the Proposed Security Rule Changes
It is worth mentioning that HHS published a Notice of Proposed Rulemaking (NPRM) for updates to the HIPAA Security Rule in January 2025. The comment period closed in March 2025 with nearly 5,000 comments submitted. As of this writing, the final rule remains on OCR's regulatory agenda with a target date of May 2026, though the final rule could differ substantially from the proposed version.
Among the proposed changes: eliminating the distinction between Required and Addressable implementation specifications entirely, making all specifications Required with limited exceptions. The proposal also includes requirements for a written technology asset inventory and network map updated at least annually, multi-factor authentication, encryption of ePHI at rest and in transit, vulnerability scanning at least every six months, annual penetration testing, and restoration of critical information systems and data within 72 hours of a loss.
Whether or not the final rule looks exactly like the proposed version, the direction is clear. The bar for HIPAA Security Rule compliance is going up, not down. Organizations that are struggling to meet current requirements should not wait for the final rule to start closing gaps.
The Practical Takeaway
The MMG Fusion settlement is a case study in cascading failure. No risk analysis. No breach notification. A vendor that held PHI for millions of patients and apparently had no process in place for either identifying or reporting a compromise.
For the dental practices that trusted MMG with their patients' data, this was a disaster they had no control over and no visibility into. But that is exactly the point. Your business associates are an extension of your compliance posture. When they fail, the consequences land on your patients and, potentially, on you.
If this settlement motivates you to do one thing this quarter, make it this: pull out your business associate inventory and your BAAs. Identify any gaps. Ask your vendors the hard questions about their security posture. And if you do not have a current risk analysis of your own environment, start there.
The risk analysis is where compliance starts. OCR has now demonstrated 12 times that it is also where enforcement starts.
This article is for informational purposes only and does not constitute legal or compliance advice. Covered entities and business associates should consult qualified legal counsel or compliance professionals before making decisions pertaining to HIPAA or IT infrastructure.
Sources
- U.S. Department of Health and Human Services, Office for Civil Rights. "HHS' Office for Civil Rights Settles HIPAA Investigation of MMG Fusion, LLC Breach Affecting 15 Million Individuals." March 5, 2026. https://www.hhs.gov/press-room/ocr-mmg-fusion-hipaa-agreement.html
- HHS Office for Civil Rights. Resolution Agreement and Corrective Action Plan - MMG Fusion, LLC. https://www.hhs.gov/sites/default/files/ocr-mmg-fusion-hipaa-agreement.pdf
- 45 CFR Part 164 - Security and Privacy, Electronic Code of Federal Regulations. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
- HHS Office for Civil Rights. "HIPAA Security Rule NPRM." December 27, 2024. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html
- HHS Office for Civil Rights. "HIPAA Security Rule NPRM Fact Sheet." https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
- McDonald Hopkins LLC. "OCR announces 11th and 12th Risk Analysis Initiative enforcement actions." March 2026. https://www.mcdonaldhopkins.com/insights/news/ocr-announces-risk-analysis-initiative-enforcement-actions
- Saul Ewing LLP. "HIPAA Business Associate Settles with HHS OCR Following Alleged PHI Breach to the Dark Web." March 9, 2026. https://www.saul.com/insights/alert/hipaa-business-associate-settles-hhs-ocr-following-alleged-phi-breach-dark-web