BST & Co. CPAs, LLP fined $175K for Ransomware Breach

OCR Issues 15th Ransomware Enforcement Action and 10th Enforcement Action in Risk Analysis Initiative

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (“BST”), a New York-based public accounting, business advisory, and management consulting firm, for potential violations of the HIPAA Security Rule. As a business associate, BST received financial data containing protected health information (PHI) from a HIPAA covered entity.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules

These rules require covered entities (health plans, health care clearinghouses, and most providers) and business associates like BST to safeguard PHI. The HIPAA Security Rule establishes national standards that protect electronic PHI (ePHI) through administrative, physical, and technical safeguards. Its Risk Analysis provision requires regulated entities to conduct accurate and thorough assessments of the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

“OCR considers a HIPAA risk analysis essential for locating ePHI and determining what security measures are needed to protect it,” said OCR Director Paula M. Stannard. “Conducting a thorough risk analysis that drives a risk management plan serves as a foundation for preventing or mitigating cyberattacks and breaches.”

OCR launched its investigation after BST filed a breach report on February 16, 2020. BST reported that on December 7, 2019, it discovered ransomware on part of its network that affected PHI belonging to a covered entity client. Investigators determined that BST had failed to conduct an accurate and thorough risk analysis of its ePHI environment.

Under the resolution agreement, BST agreed to pay $175,000, implement a corrective action plan monitored by OCR for two years, and strengthen its HIPAA Security Rule compliance. BST must:

  • Conduct a thorough risk analysis of its ePHI environment;
  • Develop and implement a risk management plan to address identified risks;
  • Maintain and revise written HIPAA Privacy and Security Rule policies and procedures; and
  • Expand HIPAA and security training, including annual training for workforce members with PHI access.

OCR urged all covered entities and business associates to reduce cyber threats by:

  • Identifying where ePHI resides and how it flows across systems;
  • Performing and updating risk analyses, and implementing risk management measures;
  • Maintaining audit controls and reviewing system activity;
  • Authenticating user access and encrypting ePHI in transit and at rest;
  • Incorporating lessons learned from incidents into security management; and
  • Delivering workforce training tailored to organizational roles and responsibilities.

This case is a clear warning: even trusted professional firms can face HIPAA penalties if they overlook basic security requirements. A thorough risk analysis and an active risk management plan are not just regulatory obligations; they are essential safeguards for protecting patient data and maintaining client trust.

At Aris Medical Solutions, our HIPAA Keeper platform helps healthcare organizations perform a complete risk analysis, implement risk management strategies, and maintain ongoing compliance with the HIPAA Privacy and Security Rules – all within one secure, cloud-based system.

Don’t wait for an OCR complaint to expose your weaknesses; schedule your annual HIPAA Risk Analysis today.

Deer Oaks – The Behavioral Health Solution fined $225K

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has the authority to investigate complaints and conduct compliance reviews involving potential violations of the HIPAA Privacy, Security, and Breach Notification Rules by covered entities and business associates.

Deer Oaks – The Behavioral Health Solution, an Affiliated Covered Entity under 45 C.F.R. §§ 160.103 and 164.105, is subject to these HIPAA requirements.

Background

On December 6, 2021, HHS received a complaint alleging that Deer Oaks Geriatric Services PC, doing business as Deer Oaks Consultation Services (DOCS), impermissibly disclosed protected health information (PHI) by making patient discharge forms publicly accessible online. These forms contained sensitive data including patient names, dates of birth, identification numbers, facilities, and diagnoses. The exposed PHI was finally secured in May 2023.

Further, on August 29, 2023, Deer Oaks experienced a cybersecurity breach when a threat actor exploited a network vulnerability, exfiltrated patient data, and demanded ransom to prevent publication of the PHI on the dark web.

OCR Findings

Following its investigation, OCR determined that Deer Oaks engaged in the following conduct:

  • Impermissible disclosure of PHI not required or permitted under the HIPAA Privacy Rule (45 C.F.R. § 164.502(a)).
  • Failure to perform an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI, as required by the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)).

Settlement Terms

To resolve these findings, Deer Oaks agreed to:

  • Pay $225,000 to HHS in a single lump-sum payment.
  • Enter into a Corrective Action Plan (CAP) monitored by OCR.

Under the CAP, Deer Oaks must implement a comprehensive HIPAA compliance program, including a full risk analysis, risk management plan, and updated policies, procedures, and workforce training to prevent future violations.

OCR clarified that this resolution does not release Deer Oaks from any future enforcement actions unrelated to the covered conduct or from potential criminal liability under 42 U.S.C. § 1320d-6.

Key Takeaway

This case is another reminder that HIPAA compliance goes far beyond securing data – it requires knowing where your data resides and who has access to it. Without a system-wide risk analysis to map data flow and identify vulnerabilities, covered entities and business associates leave themselves open to both cyberattacks and regulatory penalties.

At Aris Medical Solutions, our HIPAA Keeper platform helps healthcare organizations perform a complete risk analysis, implement risk management strategies, and maintain ongoing compliance with the HIPAA Privacy and Security Rules—all within one secure, cloud-based system.

Don’t wait for an OCR complaint to expose your weaknesses; schedule your annual HIPAA Risk Analysis today.

Comstar, a Business Associate fined $75K for Ransomware Attack

The Office for Civil Rights (OCR) has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates. Comstar, LLC (“Comstar”) meets the definition of “business associate” under 45 C.F.R. § 160.103 because it provides billing, collection, consulting, Electronic Patient Care Reporting (ePCR) hosting, and client/patient services for non-profit and municipal ambulance services.

History

On March 19, 2022, an unknown actor gained access to the electronic protected health information (“ePHI”) maintained on Comstar’s network servers. Comstar did not detect the intrusion until March 26, 2022, when its IT service vendor began receiving support tickets. It was determined that ransomware had been used to encrypt Comstar’s network servers and that the protected health information (“PHI”) of 585,621 individuals was affected.

HHS’ investigation indicated that the following conduct occurred:

  • Comstar failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds.

Resolution Agreement

  • Comstar has agreed to pay HHS $75,000 on the Effective Date of the Agreement.
  • Comstar agrees to comply with the Corrective Action Plan (“CAP”); if Comstar fails to cure a breach of the CAP, it will be in breach of the Agreement and HHS will no longer be bound by the Release in the Agreement.
  • HHS does not release Comstar from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
  • The Agreement is binding on Comstar and its successors, heirs, transferees, and assigns.

Summary

This clearly demonstrates the authority HHS has in assessing fines for business associates. Ransomware affects all types of businesses, and an annual risk analysis helps to uncover vulnerabilities to prevent data breaches.

Every medical practice and business associate must have a documented risk analysis and risk management plan. This is not just for compliance, but to protect patients’ information and the integrity of their operations.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all-in-one secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining up-to-date policies, procedures, HIPAA training, and documentation to meet every aspect of the HIPAA Privacy and Security Rules.

Protect your practice before an attack happens. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

Change Healthcare Cyberattack

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter about the Change Healthcare cyberattack. OCR also opened an official investigation. The attack affects Change Healthcare, a unit of UnitedHealth Group (UHG), and many other healthcare organizations.

The cyberattack has disrupted health care and billing operations nationwide. It poses a direct threat to patient care and critical health system functions.

OCR enforces HIPAA Privacy, Security, and Breach Notification Rules. These rules require covered entities and business associates to protect patient data and to notify HHS and affected individuals after a breach.

Cyberattacks remain the top threat in healthcare. In the past five years, large breaches involving hacking increased 256%. Ransomware attacks rose 264%. In 2023, hacking caused 79% of all large breaches, affecting 134 million people, a 141% increase from 2022.

Given the unprecedented size of this cyberattack, OCR has launched an investigation to protect patients and healthcare providers. The investigation will examine whether a breach of protected health information occurred and whether Change Healthcare and UHG complied with HIPAA Rules.

OCR considers its review of other entities connected to Change Healthcare and UHG as secondary. While OCR is not prioritizing investigations of providers, health plans, or business associates impacted by the attack, it is reminding all partners of their obligations. Entities must maintain business associate agreements and provide timely breach notifications to HHS and affected individuals as HIPAA requires.

Safeguarding protected health information remains OCR’s top priority. To support this effort, OCR is sharing resources to help organizations protect record systems and patients from cyberattacks.

OCR HIPAA Security Rule Guidance Material – This webpage offers educational resources on the HIPAA Security Rule and standards for protecting electronic protected health information (ePHI). Resources include a Recognized Security Practices video, the Security Rule Education Paper Series, HIPAA Security Rule guidance documents, OCR Cybersecurity Newsletters, and more.

OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks – This video explains how the HIPAA Security Rule helps covered entities and business associates defend against cyberattacks. It covers breach trends, common attack methods, and key findings from OCR investigations.

OCR Webinar on HIPAA Security Rule Risk Analysis Requirement – This webinar explains the HIPAA Security Rule requirements for performing a complete risk assessment of potential threats and vulnerabilities to electronic protected health information (ePHI). It also reviews common risk analysis deficiencies that OCR has found during its investigations.

HHS Security Risk Assessment Tool – This tool helps small- and medium-sized entities perform an internal security risk assessment to meet the HIPAA Security Rule’s risk analysis requirements. You must also create and implement the policies and forms required in this tool.

Factsheet: Ransomware and HIPAA – This resource explains what ransomware is, outlines steps covered entities and business associates must take if their systems are infected, and details HIPAA breach reporting requirements.

Green Ridge Behavioral Health is Second Ransomware Settlement

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Green Ridge Behavioral Health, LLC, a Maryland psychiatric practice. The case involved a ransomware attack that compromised the protected health information of more than 14,000 patients.

Ransomware locks users out of their data until a hacker receives payment. OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules to protect patient information. This marks OCR’s second ransomware-related settlement.

OCR Director Melanie Fontes Rainer said:
“Ransomware is now one of the most common cyber-attacks. Patients suffer when they cannot access their medical records. Providers must take steps to prevent these attacks and protect patient data.”

The Breach

In February 2019, Green Ridge reported to OCR that ransomware encrypted its servers, company files, and all patient electronic health records. OCR’s investigation found multiple HIPAA Security Rule failures, including:

  • No complete risk analysis of electronic PHI.
  • No effective security measures to reduce risks.
  • No sufficient monitoring of system activity.

Settlement Terms

Green Ridge agreed to pay $40,000 and implement a Corrective Action Plan (CAP) monitored by OCR for three years. The CAP requires Green Ridge to:

  • Conduct a full risk analysis.
  • Create a risk management plan.
  • Update policies and procedures.
  • Train its workforce on HIPAA.
  • Audit third-party vendors and ensure business associate agreements.
  • Report workforce HIPAA violations to OCR.

Recommendations

Ransomware and hacking are now the top cyber threats in healthcare. Large breaches have increased 256% in the last five years. Ransomware rose 264% during the same period. In 2023, hacking caused 79% of large breaches, affecting over 134 million people—a 141% increase from 2022.

OCR recommends medical providers and business associates:

  • Regularly perform risk analysis and risk management.
  • Monitor and audit system activity.
  • Use multi-factor authentication and encryption.
  • Ensure strong vendor agreements.
  • Provide frequent, role-specific workforce training.
  • Apply lessons from past incidents.

At Aris Medical Solutions, our HIPAA Keeper™ platform helps healthcare providers simplify compliance by maintaining up-to-date policies, procedures, and workforce training to meet every aspect of the HIPAA Privacy and Security Rules.

Don’t risk costly penalties. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

©2025 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy