Settlement Includes Corrective Action Plan Focused on Improving Risk Analysis
An investigation into a ransomware breach reported in 2020 that affected the protected personal information of 170,000 people led to a $175,000 fine against a certified public accounting and consulting firm. Federal regulators also required the company to implement a corrective action plan to settle potential HIPAA violations.
The U.S. Department of Health and Human Services on Monday said its settlement with BST & Co. CPAs, LLP, a HIPAA business associate, also marks HHS’ Office for Civil Rights’ 15th ransomware enforcement action and 10th risk analysis enforcement action since the agency formally named those as HIPAA enforcement priorities in 2023 and 2024, respectively.
The settlement resolves an investigation HHS OCR initiated after New York-based BST filed a breach report to the agency on Feb. 16, 2020. BST told HHS OCR the firm discovered on Dec. 7, 2019, that part of its network was infected with ransomware, affecting the protected health information of a covered entity client, Community Care Physicians.
Security threat analysts at the time reported that some of the data breached in the BST attack showed up on the publicly accessible website of ransomware gang Maze (see: Hacking of Accounting Firm Affects Medical Group).
HHS OCR said its investigation found the accounting firm had “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by BST.”
Besides paying HHS OCR the financial penalty, the resolution agreement between the federal agency and BST calls for the accounting firm to implement a corrective action plan that spotlights risk analysis and improvements to the practice’s risk management.
Under the plan, BST agreed to conduct a thorough and comprehensive HIPAA security risk analysis annually for two years; develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis; and develop, maintain and revise, as needed, written policies and procedures to comply with HIPAA privacy and security rules.
BST also agreed to augment its existing HIPAA and security training program and provide annual training for all workers to whom the HIPAA policies and procedures apply.
“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” said Paula Stannard, HHS OCR director, in a statement. “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”
BST’s Statement
BST in a statement to Information Security Media Group said that the firm conducted a thorough investigation in 2020, and that OCR completed an investigation in 2025 into the incident. Both “confirmed that no sensitive client or patient information was accessed during the 2019 malware attack,” BST said.*
“Since the incident, BST has implemented enhanced cybersecurity measures, including consulting with industry experts, to strengthen protection against future threats,” the firm said.
In addition, BST recently partnered with a third-party cybersecurity firm to supplement BST’s internal safeguards “with industry recommended best practices as well as to assist other businesses and not-for-profit organizations from falling victim to nefarious online activity,” the statement said.
*Updated on Aug. 18 at UTC 23:26 to include BST’s statement.