HHS secures $175,000 HIPAA settlement over phishing ransomware breach

The case underscores HHS’s growing focus on business associates and the Risk Analysis Enforcement Initiative.

The HHS Office for Civil Rights (HHS OCR) announced a settlement with BST & Co CPAs, LLP, a New York-based public accounting, business advisory, and management consulting firm.

The settlement resolves a HIPAA Security Rule violation related to a ransomware incident that affected the electronic personal health information (ePHI) of 170,000 individuals that belonged to a covered entity client, Community Care Physicians.

According to the resolution agreement, the malware was introduced to BST’s network through a phishing email on December 4, 2019, and lingered there until December 7, when it was remediated and reported as part of a Breach Notification Report.

HHS OCR determined that BST failed to perform an accurate and thorough risk analysis of its ePHI environment, a core requirement under the HIPAA Security Rule. As a business associate of a covered entity, BST was required to adhere to the same standards as covered entities.

To settle those charges, HHS OCR required BST to pay a $175,000 penalty and submit to a two-year corrective action plan (CAP).

The CAP requires the firm to:

  • conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
  • develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules; and
  • augment its existing HIPAA and security training program and provide annual training for all workforce members to whom the HIPAA policies and procedures apply, including workforce members with access to PHI.

Risk Analysis Enforcement Initiative

The enforcement is part of HHS OCR’s broader Risk Analysis Enforcement Initiative, launched in late 2024 to target organizations that have neglected this key requirement. The program has produced a steady stream of settlements with both healthcare providers and business associates.

Under this initiative, even smaller organizations and non-clinical business associates are being scrutinized. Every settlement so far has come with a multi-year corrective action plan requiring comprehensive risk analysis, formal risk management strategies, updated policies, and workforce training.

The BST case marks HHS OCR’s 15th ransomware-related enforcement action and the 10th settlement tied specifically to the Risk Analysis Enforcement Initiative, underscoring the agency’s determination to make risk analysis a non-negotiable part of HIPAA compliance.

Total settlements so far under the initiative have now exceeded $900,000.