Cloud Risk Insights from a HIPAA Perspective
Healthcare Organizations Are Increasingly Exposed to Cloud Risk
If you’re a covered entity or business associate, you already understand the importance of protecting electronic protected health information (ePHI). But as healthcare organizations continue to expand their use of cloud technologies, managing HIPAA risk has become significantly more complex.
HIPAA requires organizations to protect the confidentiality, integrity, and availability of the ePHI they create, receive, maintain, or transmit. In practice, that means ensuring sensitive information is only accessible to authorized individuals, remains accurate and unaltered, and is available when needed to support patient care and operations.
For many healthcare organizations, meeting these expectations is challenging — especially as cloud environments grow, cyber threats evolve, and internal teams are asked to do more with limited resources. We often see organizations struggling not because they lack commitment, but because maintaining visibility, conducting ongoing risk analysis, and managing cloud-related risk across vendors and systems can quickly become overwhelming.
OCR enforcement actions reinforce just how important these efforts have become. Multiple cloud-based healthcare service providers faced settlements tied to ransomware incidents and inadequate HIPAA Security Rule risk analysis practices. These cases highlight OCR’s continued focus on cloud-related risk and the expectation that organizations implement comprehensive safeguards to protect ePHI.
OCR Enforcement Actions Involving Cloud Services
Elgon, Inc.
OCR found that the cloud-based EHR/billing provider failed to conduct an accurate and thorough risk analysis, contributing to a ransomware breach affecting 31,248 individuals.
Settlement: $80,000, announced January 7, 2025
Source: https://www.hipaajournal.com/80k-hipaa-settlement-elgoninformation-systems/
Virtual Private Network Solutions, LLC
OCR's announcement describes a ransomware incident within the cloud service provider's infrastructure that exposed 6,400 ePHI records. Deficient risk analysis was cited in the settlement announcement.
Settlement: $90,000, announced January 8, 2025
Source: https://www.hipaajournal.com/ocr-settlement-ransomware-riskanalysis-virtual-private-network-solutions/
Comstar, LLC
A cloud-based ambulance billing and hosting service reported a ransomware breach affecting 585,621 individuals. OCR cited deficient risk analysis in the settlement.
Settlement: $75,000, issued May 30, 2025
These enforcement actions reinforce the message that all cloud-based vendors handling ePHI—regardless of size—must implement and maintain a robust, HIPAA-compliant risk management program.
Updated: May 2026
OCR Enforcement Is Sending a Clear Message
These OCR enforcement actions involving cloud-based healthcare service providers reinforce an important reality: organizations are expected to conduct accurate, ongoing, and comprehensive HIPAA risk analysis programs.
Several settlements involved ransomware attacks tied to insufficient risk analysis and inadequate safeguards for ePHI. These enforcement actions demonstrate that OCR continues to focus heavily on organizations that fail to properly assess, monitor, and manage cloud-related risk.
The message is clear: using cloud services does not negate your HIPAA responsibilities.
Where Cloud-Aware Risk Analysis Breaks Down
Organizations Are HIPAA Compliant — Not Products
Many healthcare organizations understand the fundamentals of HIPAA compliance, but cloud environments have introduced a new level of complexity. One of the most common misunderstandings we see is the belief that using a “HIPAA-compliant” product or vendor automatically makes the organization compliant.
It does not.
HIPAA compliance is not determined by a single platform, tool, or security feature. It is measured by how effectively your organization protects the confidentiality, integrity, and availability of ePHI across people, processes, technologies, and third-party relationships.
Healthcare organizations should be asking:
Does this security capability meaningfully support our organization’s ability to protect ePHI and meet HIPAA requirements?
HIPAA requires organizations to:
- Anticipate and address reasonably foreseeable threats to ePHI
- Protect against unauthorized access, use, or disclosure
- Ensure workforce members and business associates appropriately safeguard ePHI
That responsibility extends across cloud providers, software vendors, business associates, and every third party that creates, receives, maintains, or transmits ePHI.
While cloud vendors may provide strong security controls, healthcare organizations still retain responsibility for understanding shared security obligations, validating vendor safeguards, maintaining business associate agreements, and continuously assessing risk exposure across their environments.
At Clearwater, we often see organizations assume that because a vendor is “HIPAA compliant,” their risk is fully managed. Unfortunately, that can create dangerous blind spots — especially as cloud environments, software-defined assets, integrations, and third-party dependencies continue to grow.
Healthcare cybersecurity is now deeply interconnected. Shared responsibility models, evolving threats, and increasing operational complexity require more than periodic assessments. Organizations need risk analysis and continuous risk remediation.
Cloud Misconfigurations Remain One of the Biggest Risks
Misconfigurations remain among the leading causes of HIPAA violations and breaches in the cloud.
Common issues include:
- Improper storage permissions
- Weak identity and access controls
- Inadequate encryption
- Unsecured APIs
- Excessive user privileges
- Poor visibility into third-party integrations
These vulnerabilities create opportunities for ransomware attacks, unauthorized access, operational disruption, and regulatory exposure.
As healthcare environments continue to expand, organizations need continuous visibility into both their cloud infrastructure and the evolving threat landscape.
Third-Party Risk Requires Greater Attention
Cloud environments are inherently interconnected. Healthcare organizations increasingly rely on vendors, platforms, software libraries, managed services, and external integrations to support operations and patient care.
Every third party that touches ePHI introduces potential risk.
Organizations should evaluate:
- Vendor access to ePHI
- Cloud marketplace applications and services
- Code dependencies and integrations
- DevOps environments
- Business associate agreements
- Security attestations and ongoing monitoring practices
Strong third-party risk management is no longer optional. It is a critical part of HIPAA compliance and operational resilience.
Healthcare Cloud – Finding Compliance and Security Assistance
As healthcare organizations continue expanding their use of cloud technologies, managing HIPAA risk is becoming more complex — and more critical to patient care, operational resilience, and regulatory readiness.
At Clearwater, we understand many healthcare organizations are balancing growing cyber threats, evolving compliance expectations, limited resources, and increasingly interconnected environments. Building resilience is not about eliminating every risk. It is about creating an ongoing, risk-informed approach that strengthens visibility, supports continuous risk remediation, and helps organizations make more confident security and compliance decisions.
We help organizations identify where ePHI exists across cloud and hybrid environments, understand how data moves between systems and vendors, and uncover vulnerabilities that could impact confidentiality, integrity, availability, and patient care operations.
More importantly, we work alongside healthcare teams, recognizing that cybersecurity is not just a technology issue — it is an operational and patient-care issue. Our goal is to help organizations build sustainable, risk-informed security and compliance programs that strengthen resilience without overwhelming internal teams.
Clearwater provides services and solutions to help organizations innovate with the cloud while ensuring the security and compliance needed to achieve your mission.
Ask us about:
Managed Cloud Services
Accelerate and protect your healthcare business in the cloud with expert-led Azure and Microsoft 365 security compliance and operations management.
Hybrid Cloud Security & Assistance
Leverage our healthcare cloud expertise for hybrid setups, migration, and security assessments integrated with on-prem services.
Cloud Security Posture Management
Continuous monitoring of cloud infrastructure for risks and misconfigurations, with expert-guided remediation support.