On March 5, 2026, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a HIPAA settlement with MMG Fusion, LLC — a Maryland-based dental software company — following a breach that exposed the protected health information of approximately 15 million individuals. The financial penalty in the settlement: $10,000.
That figure is not an error. MMG Fusion is no longer an operating company. The $10,000 represents what OCR could realistically recover from a dissolved business associate, not what a functioning company would have paid for a breach of this scale. For comparison, OCR settled the Change Healthcare breach — which affected a larger number of individuals — for $10 million. The discrepancy is a function of corporate continuity, not regulatory intent.
The MMG Fusion settlement is worth examining not for the penalty amount but for what it reveals about a structural gap in healthcare vendor risk management: the assumption that a business associate agreement provides ongoing protection, when the protection it offers depends entirely on the business associate remaining solvent and operational.
The Breach and How It Happened
In December 2020, an unauthorized actor accessed MMG Fusion’s information systems and obtained protected health information belonging to approximately 15 million patients of dental practices that used MMG Fusion’s software. The compromised data included names, phone numbers, mailing addresses, email addresses, dates of birth, and records of medical appointment scheduling — the kind of demographic and contact information that enables phishing, social engineering, and identity fraud at scale.
MMG Fusion operated as a business associate to hundreds of dental practices across the country. The company provided practice management software and related services, processing appointment and patient records on behalf of its covered entity clients. The dental practices were the covered entities; MMG Fusion was the vendor processing their patients’ PHI.
OCR’s investigation found that MMG Fusion had committed multiple violations across the HIPAA Privacy, Security, and Breach Notification Rules:
Impermissible disclosure of PHI. The unauthorized actor’s access to 15 million patients’ records constituted an impermissible disclosure under HIPAA’s Privacy Rule. The company failed to implement safeguards sufficient to prevent this access.
Failure to conduct an adequate risk analysis. As in the vast majority of HIPAA enforcement cases, OCR found that MMG Fusion had not performed a thorough and accurate assessment of the risks and vulnerabilities to the ePHI it held. This is the foundational Security Rule requirement — it must precede and inform all other security controls — and its absence is consistently the predicate violation in OCR breach investigations.
Failure to notify covered entities of the breach. Under HIPAA’s Breach Notification Rule, business associates must notify covered entities of a breach within 60 days of discovery. OCR found that MMG Fusion failed to provide timely notification to the dental practices whose patients were affected, leaving those practices unable to begin their own notification obligations on schedule.
Why the Fine Is $10,000
The HIPAA civil penalty structure allows OCR to impose fines up to $1.9 million per violation category per calendar year. For a breach affecting 15 million individuals, with multiple violation categories and a multi-year pattern of compliance failure, the theoretical penalty exposure runs to tens of millions of dollars.
The $10,000 settlement figure reflects a practical enforcement constraint that HIPAA’s penalty structure does not address: companies go out of business. MMG Fusion, by the time OCR’s investigation was complete and a resolution agreement was reached, was no longer operating as a functioning enterprise. There is no revenue from which a large fine can be paid, no corporate infrastructure to implement a meaningful corrective action plan, and no ongoing business against which a consent order can be enforced.
OCR extracted what it could — a nominal penalty and a corrective action plan that the company agreed to implement, monitored by OCR for three years — but the enforcement outcome is a fraction of what it would have been against a going concern.
This outcome is not unique to MMG Fusion. Business associates across the healthcare ecosystem operate as small to mid-size technology and services companies. Many are acquired, restructured, or dissolved over the multi-year lifecycle of a HIPAA investigation. When that happens, the covered entities that relied on those vendors retain their own HIPAA obligations — and the patients whose data was exposed retain their right to notification — but the vendor’s accountability effectively dissolves with the company.
What Covered Entities Are Left With
When a business associate dissolves after a breach of its systems, the covered entity’s position is difficult in several respects simultaneously.
HIPAA notification obligations do not pause. Even if the business associate has failed to provide timely notification as required by the BAA, the covered entity’s own 60-day notification clock runs from when the covered entity discovered or should have discovered the breach. A covered entity that learns its former vendor had a breach — potentially months or years later, through an OCR investigation rather than direct vendor notification — may be facing its own breach notification violation for untimely response to an event it was never told about.
Indemnification is worth nothing from a defunct company. Standard BAA and vendor contract language includes indemnification provisions under which the business associate agrees to defend and hold harmless the covered entity for HIPAA violations arising from the business associate’s conduct. Against a defunct company with no assets, that provision is unenforceable. The covered entity absorbs the reputational and operational cost of the breach — patient notification, call center operations, credit monitoring services, regulatory inquiry response — without any contractual recovery.
OCR may investigate covered entities for inadequate vendor oversight. OCR’s enforcement posture treats the covered entity’s vendor management program as independently subject to scrutiny. A covered entity that cannot demonstrate it conducted due diligence on its business associate’s security posture — through initial assessments, periodic reviews, or contractual audit rights — may face its own investigation regardless of whether the breach originated with the vendor.
All 15 million affected patients remain entitled to notification. The downstream covered entities — the dental practices — were responsible for notifying their patients of the breach. In many cases, those practices may have been small single-location dental offices with no breach notification experience, no established relationship with OCR, and limited capacity to conduct the required risk assessment and issue individual notices. The MMG Fusion breach cascaded its notification obligation onto hundreds of small practices simultaneously.
The Corrective Action Plan No One Can Implement
The MMG Fusion resolution agreement includes, as most OCR settlements do, a corrective action plan subject to three years of OCR monitoring. For a defunct company, this provision is largely symbolic — there is no ongoing operation to which security controls can be applied, no risk analysis to conduct over systems that no longer exist, and no workforce to train.
OCR’s inclusion of corrective action terms even in settlements with defunct entities reflects the agency’s standard resolution structure, not an expectation of meaningful remediation. The practical enforcement value of those terms in this case is minimal.
This illustrates a broader limitation of the BAA framework as a risk management tool. BAAs establish obligations, but the ability to enforce those obligations against a business associate — or to recover from a business associate’s failure — depends on the business associate’s continued existence and financial capacity. Neither is guaranteed.
What Healthcare Organizations Must Change
The MMG Fusion settlement is a concrete argument for vendor risk management practices that go beyond BAA execution.
Conduct security assessments before and during vendor relationships. A signed BAA is not evidence that a business associate has adequate security controls. Pre-engagement security questionnaires, SOC 2 Type II review, and periodic reassessment during the relationship provide actual evidence of security posture. OCR expects covered entities to conduct this due diligence.
Monitor vendor financial health as a compliance indicator. A business associate that is financially distressed is less likely to maintain security investments, retain security staff, and respond appropriately to incidents. Include vendor financial stability in your vendor risk tiering — particularly for vendors that hold large volumes of PHI.
Establish independent breach detection capabilities. Do not rely solely on vendor-reported incidents. Log collection, security information and event management (SIEM) integration, and network traffic monitoring provide independent visibility into potential vendor-side incidents. A covered entity that discovers a vendor breach through its own monitoring is in a significantly better legal and operational position than one that learns about it from a news report or OCR inquiry.
Include contractual audit rights and termination triggers. BAAs should give covered entities the right to audit business associate security controls on reasonable notice, and should specify breach reporting timelines that are shorter than HIPAA’s 60-day maximum. Termination triggers for security control failures — not just actual breaches — provide leverage to exit a vendor relationship before a breach occurs.
Map data flows to understand breach exposure. For each business associate relationship, maintain a current record of what PHI the vendor holds, where it is stored, and how many individuals are potentially affected in a worst-case breach scenario. This mapping is required to conduct the HIPAA breach risk assessment and to scope notification obligations, but many covered entities discover they lack it when they need it most.
Plan for vendor dissolution scenarios. Your vendor risk management program should include a playbook for what to do when a business associate dissolves, is acquired, or ceases operations — including steps to obtain confirmation that PHI has been securely destroyed or transferred, documentation that BAA obligations have been transferred or terminated, and a process for conducting an independent breach risk assessment if the vendor’s security history is unclear.
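The data-flow mapping, vendor tiering and notification-clock points above can be kept as a small register rather than a spreadsheet nobody updates. The following is an added example, not code from the article, from OCR, or from any vendor it names: a minimal vendor PHI exposure register that records what each business associate holds, tiers the vendor on PHI volume, a financial-distress flag and assessment staleness, and computes the 60-day notification deadline from the covered entity's own discovery date. The scoring thresholds, the field names and the sample vendor are constructed for illustration; the 60-day maximum is the figure the article cites.

```python
"""Vendor PHI exposure register (added example; thresholds and sample data are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Outer limit of the HIPAA Breach Notification Rule window, as cited in the article.
HIPAA_NOTIFICATION_WINDOW_DAYS = 60


@dataclass
class VendorRecord:
    """One business associate and the PHI it holds on the covered entity's behalf."""
    name: str
    phi_elements: list            # data elements held, e.g. names, DOB, appointment records
    individuals: int              # worst-case count of individuals exposed if the vendor is breached
    storage_locations: list       # where the PHI lives (constructed labels, not real systems)
    financially_distressed: bool  # assumption: set from your periodic vendor financial review
    contractual_report_days: int  # breach-reporting deadline written into the BAA
    last_assessment: Optional[date]  # date of last independent security assessment, if any


def risk_tier(v: VendorRecord, today: date) -> str:
    """Tier a vendor on PHI volume, solvency signal, assessment staleness and BAA reporting terms.

    The point weights below are constructed for this example, not an OCR or industry standard.
    """
    score = 0
    if v.individuals >= 1_000_000:
        score += 3
    elif v.individuals >= 100_000:
        score += 2
    elif v.individuals > 0:
        score += 1
    if v.financially_distressed:
        score += 2                 # distressed vendors are less likely to keep security staff and tooling
    if v.last_assessment is None or (today - v.last_assessment).days > 365:
        score += 1                 # no independent evidence of controls in the last year
    if v.contractual_report_days >= HIPAA_NOTIFICATION_WINDOW_DAYS:
        score += 1                 # BAA gives the vendor the full statutory window; no early warning
    if score >= 5:
        return "critical"
    if score >= 3:
        return "high"
    return "standard"


def exposure_summary(v: VendorRecord) -> dict:
    """Scope the worst-case breach for the risk assessment and notification planning."""
    return {
        "vendor": v.name,
        "individuals": v.individuals,
        "phi_elements": sorted(v.phi_elements),
        "storage_locations": sorted(v.storage_locations),
    }


def notification_deadline(discovered: date) -> date:
    """Latest date the covered entity may notify, counted from its own discovery date."""
    return discovered + timedelta(days=HIPAA_NOTIFICATION_WINDOW_DAYS)


def notification_status(discovered: date, today: date) -> dict:
    """Report the remaining clock; negative days_remaining means the window has already closed."""
    deadline = notification_deadline(discovered)
    remaining = (deadline - today).days
    return {"deadline": deadline, "days_remaining": remaining, "overdue": remaining < 0}


# Constructed sample vendor: a large, distressed practice-management SaaS with no recent assessment.
SAMPLE_VENDOR = VendorRecord(
    name="example-practice-software",
    phi_elements=["name", "phone", "address", "email", "date_of_birth", "appointment_history"],
    individuals=15_000_000,
    storage_locations=["vendor-cloud-db", "vendor-backup-bucket"],
    financially_distressed=True,
    contractual_report_days=60,
    last_assessment=None,
)

if __name__ == "__main__":
    today = date(2021, 3, 1)  # constructed "today" for the walkthrough
    print(risk_tier(SAMPLE_VENDOR, today))
    print(exposure_summary(SAMPLE_VENDOR))
    print(notification_status(date(2021, 1, 4), today))
```

Two design choices are worth noting. The clock runs from the covered entity's own discovery date, not from any vendor report, because that is the obligation the covered entity carries regardless of what the BAA says. And a BAA reporting deadline equal to the statutory maximum raises the tier, since it leaves no margin between the vendor's report and the covered entity's own deadline.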
The Scale of the Exposure
Fifteen million patients is not an abstraction. It is a number that, if distributed across the dental practices using MMG Fusion’s platform, likely represents millions of individual patients receiving notification letters about a breach of a vendor relationship they had no knowledge of and no ability to assess.
That notification cascade — coordinated across hundreds of small dental practices, each independently obligated under HIPAA — is itself a significant operational and reputational event. Many of those practices faced notification obligations with no existing incident response capability, no established OCR relationships, and limited awareness that a business associate breach had occurred at all.
OCR can collect $10,000 from the defunct vendor. It cannot collect the cost of patient notification, the erosion of patient trust, or the time and expense of breach response from the practices that were left to manage MMG Fusion’s compliance failure.
The lesson is not that OCR’s enforcement framework is inadequate. It is that enforcement after the fact is a poor substitute for vendor due diligence before and during the relationship. The $10,000 penalty is the price OCR could extract. The real cost of the MMG Fusion breach was paid by the practices and patients it left behind.
This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel regarding their specific compliance obligations.