BST & Co. CPAs, LLP Resolves HIPAA Risk Analysis Violation for $175,000

New York business associate BST & Co. CPAs, LLP has agreed to pay the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) a $175,000 financial penalty to settle an alleged violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

BST & Co. CPAs, LLP, is a company offering services such as public accounting, business advisory, and management consulting to clients, including clients in the healthcare sector. Providing those services to HIPAA-covered entities requires access to financial data, including data protected by HIPAA. BST & Co. CPAs is therefore categorized as a business associate and must comply with HIPAA.

OCR investigated BST & Co. CPAs after receiving a breach report involving PHI, related to a ransomware attack by the Maze ransomware group. The attackers had access to the BST & Co. CPAs system from December 4, 2019 to December 7, 2019, and deployed ransomware to encrypt files. BST & Co. CPAs discovered the attack on December 7, 2019, and started a forensic investigation, which confirmed that initial access was obtained through an employee's response to a phishing email.

The ransomware group gained access to areas of the system where PHI was stored. Altogether, the PHI of around 170,000 people was potentially exposed in the attack, including names, birth dates, medical billing codes, medical record numbers, and insurance information associated with patients of Community Care Physicians P.C. in New York. OCR received notification of the ransomware attack and data breach on February 16, 2020.

OCR investigates data breaches affecting 500 or more individuals to determine whether the entity's noncompliance with HIPAA contributed to the breach. OCR found no evidence that a HIPAA-compliant risk analysis had been conducted. Under the HIPAA Security Rule, regulated entities are required to perform a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. When the risk analysis is not performed or is left incomplete, risks are likely to go unaddressed, and attackers may exploit the resulting vulnerabilities to gain access to protected systems and sensitive information.

OCR currently has a risk analysis enforcement initiative focused on this Security Rule requirement, a vital HIPAA provision that is frequently not complied with. OCR has already resolved 10 cases under this enforcement initiative with a financial penalty. So far in 2025, OCR has issued nineteen enforcement actions with financial penalties to resolve HIPAA noncompliance; sixteen of those cases involved identified failures in risk analysis.

In addition to paying the financial penalty, the business associate must follow a corrective action plan, and OCR will monitor its compliance for 2 years. The plan requires conducting a complete and accurate risk analysis and creating and implementing a risk management plan to address all identified risks and vulnerabilities. BST & Co. CPAs must also develop, implement, and maintain policies and procedures to ensure HIPAA compliance, distribute those policies and procedures to employees, and provide HIPAA training to employees to improve security awareness.

OCR appears to be at its most active in 2025 when it comes to HIPAA enforcement. The penalties serve as a reminder to all HIPAA-regulated entities that HIPAA compliance is essential. OCR has already collected over $8 million in financial penalties from the 19 financial penalties issued.

About Christine Garcia
Christine Garcia is the staff writer at Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA