BST & Co. CPAs, LLP fined $175K for Ransomware Breach

OCR Issues 15th Ransomware Enforcement Action and 10th Enforcement Action in Risk Analysis Initiative

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (“BST”), a New York-based public accounting, business advisory, and management consulting firm, for potential violations of the HIPAA Security Rule. As a business associate, BST received financial data containing protected health information (PHI) from a HIPAA covered entity.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules

These rules require covered entities (health plans, health care clearinghouses, and most providers) and business associates like BST to safeguard PHI. The HIPAA Security Rule establishes national standards that protect ePHI through administrative, physical, and technical safeguards. Its Risk Analysis provision requires regulated entities to conduct accurate and thorough assessments of risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

“OCR considers a HIPAA risk analysis essential for locating ePHI and determining what security measures are needed to protect it,” said OCR Director Paula M. Stannard. “Conducting a thorough risk analysis that drives a risk management plan serves as a foundation for preventing or mitigating cyberattacks and breaches.”

OCR launched its investigation after BST filed a breach report on February 16, 2020. BST reported that on December 7, 2019, it discovered ransomware on part of its network that affected PHI belonging to a covered entity client. Investigators determined that BST had failed to conduct an accurate and thorough risk analysis of its ePHI environment.

Under the resolution agreement

BST agreed to pay $175,000, implement a corrective action plan monitored by OCR for two years, and strengthen its HIPAA Security Rule compliance. BST must:

  • Conduct a thorough risk analysis of its ePHI environment;
  • Develop and implement a risk management plan to address identified risks;
  • Maintain and revise written HIPAA Privacy and Security Rule policies and procedures; and
  • Expand HIPAA and security training, including annual training for workforce members with PHI access.

OCR urged all covered entities and business associates to reduce cyber threats by:

  • Identifying where ePHI resides and how it flows across systems;
  • Performing and updating risk analyses, and implementing risk management measures;
  • Maintaining audit controls and reviewing system activity;
  • Authenticating user access and encrypting ePHI in transit and at rest;
  • Incorporating lessons learned from incidents into security management; and
  • Delivering workforce training tailored to organizational roles and responsibilities.

This case is a clear warning: even trusted professional firms can face HIPAA penalties if they overlook basic security requirements. A thorough risk analysis and an active risk management plan are not just regulatory obligations; they are essential safeguards for protecting patient data and maintaining client trust.

At Aris Medical Solutions, our HIPAA Keeper platform helps healthcare organizations perform a complete risk analysis, implement risk management strategies, and maintain ongoing compliance with the HIPAA Privacy and Security Rules – all within one secure, cloud-based system.

Don’t wait for an OCR complaint to expose your weaknesses; schedule your annual HIPAA Risk Analysis today.

Syracuse ASC fined $250K for Ransomware

A Costly Reminder of HIPAA’s Ransomware Readiness Requirements

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Syracuse ASC, LLC, doing business as Specialty Surgery Center of Central New York, for potential violations of the HIPAA Security and Breach Notification Rules. This case marks OCR’s 14th ransomware enforcement action, reinforcing the growing federal focus on cybersecurity preparedness across the healthcare sector.

History

Syracuse ASC is a single-facility ambulatory surgery center in Liverpool, New York, specializing in ophthalmic, ENT, and pain management procedures. In March 2021, the center experienced a ransomware attack involving the PYSA variant—a sophisticated cross-platform malware known for targeting healthcare organizations.

The incident compromised electronic protected health information (ePHI) for 24,891 individuals. OCR initiated an investigation in October 2021 after Syracuse ASC reported the breach to HHS. The investigation revealed that the center had never conducted an accurate and thorough HIPAA risk analysis, as required by the Security Rule. OCR also found that Syracuse ASC failed to provide timely breach notifications to both affected individuals and HHS.

Settlement Terms

Under the Resolution Agreement, Syracuse ASC agreed to:

  • Pay $250,000 to HHS OCR.
  • Implement a Corrective Action Plan (CAP) monitored for two years.

The CAP requires Syracuse ASC to:

  • Conduct a complete and thorough risk analysis of ePHI systems.
  • Develop and implement a risk management plan to address identified vulnerabilities.
  • Review and revise policies and procedures to ensure compliance with HIPAA.
  • Provide annual HIPAA training for all workforce members handling PHI.

OCR’s Message: Ransomware Risks Are Real

OCR Director Paula M. Stannard stressed the critical importance of proactive cybersecurity, stating:

“Conducting a thorough HIPAA-compliant risk analysis—and developing and implementing risk management measures to address identified risks and vulnerabilities—is even more necessary as sophisticated cyberattacks increase. HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”

This case underscores that failing to complete and document a proper risk analysis not only weakens an organization’s defenses but also constitutes a direct violation of the HIPAA Security Rule.

The Role of the Breach Notification Rule

In addition to security failures, OCR determined that Syracuse ASC violated the HIPAA Breach Notification Rule, which requires covered entities and their business associates to:

  • Notify affected individuals without unreasonable delay (no later than 60 days after discovery).
  • Report the breach to HHS within the same timeframe.
  • Document the scope, cause, and mitigation actions taken.

Delayed notification denies patients their right to act quickly to protect their personal and financial information and signals poor incident response readiness.

OCR’s Recommendations for Preventing Cyber Threats

To help prevent or mitigate ransomware and other cyber threats, OCR recommends that all healthcare entities and business associates:

  • Identify where ePHI is stored, transmitted, and processed across all systems.
  • Conduct and regularly update risk analyses.
  • Implement and maintain a risk management plan addressing identified threats.
  • Establish audit controls to monitor system activity.
  • Authenticate all users accessing ePHI.
  • Encrypt ePHI both at rest and in transit.
  • Incorporate lessons learned from past incidents into the security program.
  • Provide ongoing, role-specific HIPAA training for all staff.

Summary

Ransomware attacks are no longer rare events – they’re a daily threat to healthcare organizations of all sizes. OCR’s 14th ransomware enforcement action makes one thing clear: a missing or incomplete risk analysis is a direct pathway to vulnerability and liability.

Every covered entity and business associate must have a documented risk analysis and risk management plan. This is not just for compliance, but to protect patients, data, and the integrity of their operations.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all-in-one secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining up-to-date policies, procedures, HIPAA training, and documentation to meet every aspect of the HIPAA Privacy and Security Rules.

Protect your practice before an attack happens. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

Deer Oaks – The Behavioral Health Solution fined $225K

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has the authority to investigate complaints and conduct compliance reviews involving potential violations of the HIPAA Privacy, Security, and Breach Notification Rules by covered entities and business associates.

Deer Oaks – The Behavioral Health Solution, an Affiliated Covered Entity under 45 C.F.R. §§ 160.103 and 164.105, is subject to these HIPAA requirements.

Background

On December 6, 2021, HHS received a complaint alleging that Deer Oaks Geriatric Services PC, doing business as Deer Oaks Consultation Services (DOCS), impermissibly disclosed protected health information (PHI) by making patient discharge forms publicly accessible online. These forms contained sensitive data including patient names, dates of birth, identification numbers, facilities, and diagnoses. The exposed PHI was finally secured in May 2023.

Further, on August 29, 2023, Deer Oaks experienced a cybersecurity breach when a threat actor exploited a network vulnerability, exfiltrated patient data, and demanded ransom to prevent publication of the PHI on the dark web.

OCR Findings

Following its investigation, OCR determined that Deer Oaks engaged in the following conduct:

  • Impermissible disclosure of PHI not required or permitted under the HIPAA Privacy Rule (45 C.F.R. § 164.502(a)).
  • Failure to perform an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI, as required by the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)).

Settlement Terms

To resolve these findings, Deer Oaks agreed to:

  • Pay $225,000 to HHS in a single lump-sum payment.
  • Enter into a Corrective Action Plan (CAP) monitored by OCR.

Under the CAP, Deer Oaks must implement a comprehensive HIPAA compliance program, including a full risk analysis, risk management plan, and updated policies, procedures, and workforce training to prevent future violations.

OCR clarified that this resolution does not release Deer Oaks from any future enforcement actions unrelated to the covered conduct or from potential criminal liability under 42 U.S.C. § 1320d-6.

Key Takeaway

This case is another reminder that HIPAA compliance goes far beyond securing data – it requires knowing where your data resides and who has access to it.
Without a system-wide risk analysis to map data flow and identify vulnerabilities, covered entities and business associates leave themselves open to both cyberattacks and regulatory penalties.

At Aris Medical Solutions, our HIPAA Keeper platform helps healthcare organizations perform a complete risk analysis, implement risk management strategies, and maintain ongoing compliance with the HIPAA Privacy and Security Rules—all within one secure, cloud-based system.

Don’t wait for an OCR complaint to expose your weaknesses; schedule your annual HIPAA Risk Analysis today.

Comstar, a Business Associate fined $75K for Ransomware Attack

The Office for Civil Rights (OCR) has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates. Comstar, LLC (“Comstar”) meets the definition of “business associate” under 45 C.F.R. § 160.103 because it provides billing, collection, consulting, Electronic Patient Care Reporting (ePCR) hosting, and client/patient services for non-profit and municipal ambulance services.

History

On March 19, 2022, an unknown actor gained access to the electronic protected health information (“ePHI”) maintained on Comstar’s network servers. Comstar did not detect the intrusion until March 26, 2022, when its IT service vendor began receiving support tickets. It was determined that ransomware had been used to encrypt Comstar’s network servers and that the protected health information (“PHI”) of 585,621 individuals was affected.

HHS’ investigation indicated that the following conduct occurred:

  • Comstar failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds.

Resolution Agreement

  • Comstar has agreed to pay HHS $75,000 on the Effective Date of the Agreement.
  • Comstar agrees to comply with the Corrective Action Plan (“CAP”); if Comstar fails to cure a breach of the CAP, Comstar will be in breach of the Agreement and HHS will no longer be bound by the Release in the Agreement.
  • HHS does not release Comstar from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
  • The Agreement is binding on Comstar and its successors, heirs, transferees, and assigns.

Summary

This case clearly demonstrates HHS’s authority to assess fines against business associates. Ransomware affects all types of businesses, and an annual risk analysis helps to uncover vulnerabilities and prevent data breaches.

Every medical practice and business associate must have a documented risk analysis and risk management plan. This is not just for compliance, but to protect patients’ information and the integrity of their operations.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all-in-one secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining up-to-date policies, procedures, HIPAA training, and documentation to meet every aspect of the HIPAA Privacy and Security Rules.

Protect your practice before an attack happens. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

Change Healthcare Cyberattack

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter about the Change Healthcare cyberattack. OCR also opened an official investigation. The attack affects Change Healthcare, a unit of UnitedHealth Group (UHG), and many other healthcare organizations.

The cyberattack has disrupted health care and billing operations nationwide. It poses a direct threat to patient care and critical health system functions.

OCR enforces HIPAA Privacy, Security, and Breach Notification Rules. These rules require covered entities and business associates to protect patient data and to notify HHS and affected individuals after a breach.

Cyberattacks remain the top threat in healthcare. In the past five years, large breaches involving hacking increased 256%. Ransomware attacks rose 264%. In 2023, hacking caused 79% of all large breaches, affecting 134 million people, a 141% increase from 2022.

Given the unprecedented size of this cyberattack, OCR has launched an investigation to protect patients and healthcare providers. The investigation will examine whether a breach of protected health information occurred and whether Change Healthcare and UHG complied with HIPAA Rules.

OCR considers its review of other entities connected to Change Healthcare and UHG as secondary. While OCR is not prioritizing investigations of providers, health plans, or business associates impacted by the attack, it is reminding all partners of their obligations. Entities must maintain business associate agreements and provide timely breach notifications to HHS and affected individuals as HIPAA requires.

Safeguarding protected health information remains OCR’s top priority. To support this effort, OCR is sharing resources to help organizations protect record systems and patients from cyberattacks.

OCR HIPAA Security Rule Guidance Material – This webpage offers educational resources on the HIPAA Security Rule and standards for protecting electronic protected health information (ePHI). Resources include a Recognized Security Practices video, the Security Rule Education Paper Series, HIPAA Security Rule guidance documents, OCR Cybersecurity Newsletters, and more.

OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks – This video explains how the HIPAA Security Rule helps covered entities and business associates defend against cyberattacks. It covers breach trends, common attack methods, and key findings from OCR investigations.

OCR Webinar on HIPAA Security Rule Risk Analysis Requirement – This webinar explains the HIPAA Security Rule requirements for performing a complete risk assessment of potential threats and vulnerabilities to electronic protected health information (ePHI). It also reviews common risk analysis deficiencies that OCR has found during its investigations.

HHS Security Risk Assessment Tool – This tool helps small- and medium-sized entities perform an internal security risk assessment to meet the HIPAA Security Rule’s risk analysis requirements. You must also create and implement the policies and forms required in this tool.

Factsheet: Ransomware and HIPAA – This resource explains what ransomware is, outlines steps covered entities and business associates must take if their systems are infected, and details HIPAA breach reporting requirements.

Green Ridge Behavioral Health is Second Ransomware Settlement

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Green Ridge Behavioral Health, LLC, a Maryland psychiatric practice. The case involved a ransomware attack that compromised the protected health information of more than 14,000 patients.

Ransomware locks users out of their data until a hacker receives payment. OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules to protect patient information. This marks OCR’s second ransomware-related settlement.

OCR Director Melanie Fontes Rainer said:
“Ransomware is now one of the most common cyber-attacks. Patients suffer when they cannot access their medical records. Providers must take steps to prevent these attacks and protect patient data.”

The Breach

In February 2019, Green Ridge reported to OCR that ransomware encrypted its servers, company files, and all patient electronic health records. OCR’s investigation found multiple HIPAA Security Rule failures, including:

  • No complete risk analysis of electronic PHI.
  • No effective security measures to reduce risks.
  • No sufficient monitoring of system activity.

Settlement Terms

Green Ridge agreed to pay $40,000 and implement a Corrective Action Plan (CAP) monitored by OCR for three years. The CAP requires Green Ridge to:

  • Conduct a full risk analysis.
  • Create a risk management plan.
  • Update policies and procedures.
  • Train its workforce on HIPAA.
  • Audit third-party vendors and ensure business associate agreements are in place.
  • Report workforce HIPAA violations to OCR.

Recommendations

Ransomware and hacking are now the top cyber threats in healthcare. Large breaches have increased 256% in the last five years. Ransomware rose 264% during the same period. In 2023, hacking caused 79% of large breaches, affecting over 134 million people—a 141% increase from 2022.

OCR recommends medical providers and business associates:

  • Regularly perform risk analysis and risk management.
  • Monitor and audit system activity.
  • Use multi-factor authentication and encryption.
  • Ensure strong vendor agreements.
  • Provide frequent, role-specific workforce training.
  • Apply lessons from past incidents.

At Aris Medical Solutions, our HIPAA Keeper™ platform helps healthcare providers simplify compliance by maintaining up-to-date policies, procedures, and workforce training to meet every aspect of the HIPAA Privacy and Security Rules.

Don’t risk costly penalties. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

©2026 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy