New York Business Associate Pays $175,000 to Resolve HIPAA Risk Analysis Violation
A New York business associate has chosen to settle an alleged violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and will pay a $175,000 financial penalty.
BST & Co. CPAs, LLP, is a public accounting, business advisory, and management consulting firm that has clients in the healthcare industry. The provision of services to HIPAA-covered entities requires access to financial information, which includes information protected under HIPAA. As such, BST & Co. CPAs is classed as a business associate and is required to comply with the HIPAA Rules.
OCR launched an investigation following a report of a breach of protected health information in a ransomware attack. The Maze ransomware group had access to the BST & Co. CPAs network between December 4, 2019, and December 7, 2019, and installed ransomware that was used to encrypt files. The attack was detected on December 7, 2019, and the forensic investigation revealed that initial access was achieved following a response to a phishing email.
The ransomware group had access to parts of the network where protected health information was stored. In total, the protected health information of up to 170,000 individuals was potentially compromised in the attack, including names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions relating to patients of the New York medical group, Community Care Physicians P.C. OCR was notified about the attack and data breach on February 16, 2020.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
OCR investigates all data breaches impacting 500 or more individuals to determine if noncompliance with the HIPAA Rules was a factor in the data breach. OCR found no evidence to suggest that a HIPAA-compliant risk analysis had been conducted. The risk analysis is a foundational provision of the HIPAA Security Rule and requires regulated entities to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. If the risk analysis is not conducted or is incomplete, risks are likely to remain unaddressed and can be exploited to gain access to protected networks and sensitive data.
OCR currently has a risk analysis enforcement initiative focused on this important Security Rule provision, as while it is one of the most important HIPAA provisions, it is also one of the most common areas of noncompliance. Under this specific enforcement initiative, OCR has resolved ten cases with a financial penalty. So far this year, OCR has announced nineteen enforcement actions that included a financial penalty to resolve HIPAA noncompliance. Sixteen of those investigations uncovered risk analysis failures.
“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” said OCR Director Paula M. Stannard. “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”
In addition to the financial penalty, BST & Co. CPAs has agreed to adopt a corrective action plan and will be monitored for compliance with that plan for 2 years. The plan includes the requirement to conduct a comprehensive and accurate risk analysis and develop and implement a risk management plan to address all identified risks and vulnerabilities. BST & Co. CPAs must also develop, implement, and maintain policies and procedures to ensure HIPAA compliance, distribute those policies and procedures to the workforce, provide HIPAA training to the workforce, and augment its security awareness training program.
With nineteen HIPAA enforcement actions announced by OCR so far this year, 2025 looks set to become the most active year for OCR in terms of HIPAA enforcement. These penalties send a message to all HIPAA-regulated entities about the importance of HIPAA compliance. Across those nineteen enforcement actions, OCR has collected more than $8 million in financial penalties.
