BST & Co. CPAs, LLP fined $175K for Ransomware Breach

OCR Issues 15th Ransomware Enforcement Action and 10th Enforcement Action in Risk Analysis Initiative

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (“BST”), a New York-based public accounting, business advisory, and management consulting firm, for potential violations of the HIPAA Security Rule. As a business associate, BST received financial data containing protected health information (PHI) from a HIPAA covered entity.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which require covered entities (health plans, health care clearinghouses, and most providers) and business associates like BST to safeguard PHI. The HIPAA Security Rule establishes national standards that protect electronic PHI (ePHI) through administrative, physical, and technical safeguards. Its Risk Analysis provision requires regulated entities to conduct accurate and thorough assessments of risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

“OCR considers a HIPAA risk analysis essential for locating ePHI and determining what security measures are needed to protect it,” said OCR Director Paula M. Stannard. “Conducting a thorough risk analysis that drives a risk management plan serves as a foundation for preventing or mitigating cyberattacks and breaches.”

OCR launched its investigation after BST filed a breach report on February 16, 2020. BST reported that on December 7, 2019, it discovered ransomware on part of its network that affected PHI belonging to a covered entity client. Investigators determined that BST had failed to conduct an accurate and thorough risk analysis of its ePHI environment.

Under the resolution agreement, BST agreed to pay $175,000, implement a corrective action plan monitored by OCR for two years, and strengthen its HIPAA Security Rule compliance. BST must:

  • Conduct a thorough risk analysis of its ePHI environment;
  • Develop and implement a risk management plan to address identified risks;
  • Maintain and revise written HIPAA Privacy and Security Rule policies and procedures; and
  • Expand HIPAA and security training, including annual training for workforce members with PHI access.

OCR urged all covered entities and business associates to reduce cyber threats by:

  • Identifying where ePHI resides and how it flows across systems;
  • Performing and updating risk analyses, and implementing risk management measures;
  • Maintaining audit controls and reviewing system activity;
  • Authenticating user access and encrypting ePHI in transit and at rest;
  • Incorporating lessons learned from incidents into security management; and
  • Delivering workforce training tailored to organizational roles and responsibilities.

This case is a clear warning: even trusted professional firms can face HIPAA penalties if they overlook basic security requirements. A thorough risk analysis and an active risk management plan are not just regulatory obligations; they are essential safeguards for protecting patient data and maintaining client trust.

At Aris Medical Solutions, our HIPAA Keeper platform helps healthcare organizations perform a complete risk analysis, implement risk management strategies, and maintain ongoing compliance with the HIPAA Privacy and Security Rules – all within one secure, cloud-based system.

Don’t wait for an OCR complaint to expose your weaknesses; schedule your annual HIPAA Risk Analysis today.

Deer Oaks – The Behavioral Health Solution fined $225K

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has the authority to investigate complaints and conduct compliance reviews involving potential violations of the HIPAA Privacy, Security, and Breach Notification Rules by covered entities and business associates.

Deer Oaks – The Behavioral Health Solution, an Affiliated Covered Entity under 45 C.F.R. §§ 160.103 and 164.105, is subject to these HIPAA requirements.

Background

On December 6, 2021, HHS received a complaint alleging that Deer Oaks Geriatric Services PC, doing business as Deer Oaks Consultation Services (DOCS), impermissibly disclosed protected health information (PHI) by making patient discharge forms publicly accessible online. These forms contained sensitive data including patient names, dates of birth, identification numbers, facilities, and diagnoses. The exposed PHI was finally secured in May 2023.

Further, on August 29, 2023, Deer Oaks experienced a cybersecurity breach when a threat actor exploited a network vulnerability, exfiltrated patient data, and demanded ransom to prevent publication of the PHI on the dark web.

OCR Findings

Following its investigation, OCR determined that Deer Oaks engaged in the following conduct:

  • Impermissible disclosure of PHI not required or permitted under the HIPAA Privacy Rule (45 C.F.R. § 164.502(a)).
  • Failure to perform an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI, as required by the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)).

Settlement Terms

To resolve these findings, Deer Oaks agreed to:

  • Pay $225,000 to HHS in a single lump-sum payment.
  • Enter into a Corrective Action Plan (CAP) monitored by OCR.

Under the CAP, Deer Oaks must implement a comprehensive HIPAA compliance program, including a full risk analysis, risk management plan, and updated policies, procedures, and workforce training to prevent future violations.

OCR clarified that this resolution does not release Deer Oaks from any future enforcement actions unrelated to the covered conduct or from potential criminal liability under 42 U.S.C. § 1320d-6.

Key Takeaway

This case is another reminder that HIPAA compliance goes far beyond securing data – it requires knowing where your data resides and who has access to it.
Without a system-wide risk analysis to map data flow and identify vulnerabilities, covered entities and business associates leave themselves open to both cyberattacks and regulatory penalties.


Baycare Health System fined $800K for Impermissible Access Exploited by a Malicious Insider

This Reinforces the Need for Strong Access Controls under HIPAA

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with BayCare Health System, a Florida-based healthcare provider, for potential violations of the HIPAA Security Rule. The case stemmed from a complaint alleging impermissible access to a patient’s electronic protected health information (ePHI), highlighting the ongoing need for covered entities to manage and monitor system access carefully.

BayCare agreed to pay $800,000 and implement a two-year Corrective Action Plan (CAP) to resolve OCR’s findings and strengthen its data security practices.

History

In October 2018, OCR received a complaint from a patient who reported being contacted by an unknown individual possessing photographs and a video of her printed medical records. The images appeared to show someone scrolling through her records on a computer screen after she received care at a BayCare facility.

OCR’s investigation revealed that the login credentials used to access the records belonged to a non-clinical former employee of a physician practice that had access to BayCare’s electronic medical record system for shared patient care. The improper access exposed weaknesses in BayCare’s user authorization and monitoring controls.

OCR’s Findings

OCR determined that BayCare potentially violated multiple provisions of the HIPAA Security Rule, including failure to:

  • Implement proper policies and procedures for authorizing access to ePHI consistent with the Privacy Rule.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Regularly review audit logs and system activity to detect unauthorized access.

These lapses allowed a former staff member to retain and misuse access credentials—an avoidable risk that underscores the importance of continuous access management and workforce oversight.

Settlement Terms

Under the Resolution Agreement, BayCare will:

  • Pay $800,000 to HHS OCR.
  • Undergo a two-year Corrective Action Plan monitored by OCR.
  • Conduct a complete risk analysis to identify potential threats and vulnerabilities to ePHI.
  • Develop and implement a risk management plan to mitigate identified security risks.
  • Revise its policies and procedures to ensure compliance with the HIPAA Security Rule.
  • Provide HIPAA training to all workforce members who have access to ePHI.

OCR’s Message to the Healthcare Industry

OCR Acting Director Anthony Archeval emphasized the importance of strict access controls, stating:

“In an era of hacking and ransomware attacks, HIPAA regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs. Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”

This case serves as a warning that insider threats and credential misuse remain one of the most common—and preventable—sources of patient data breaches.

Best Practices Recommended by OCR

To help prevent similar incidents, OCR recommends that all HIPAA-regulated entities:

  • Identify where ePHI resides and how it moves throughout the organization.
  • Integrate risk analysis and risk management into everyday operations.
  • Maintain audit controls and regularly review system activity for anomalies.
  • Implement user authentication mechanisms and remove access promptly when workforce changes occur.
  • Encrypt ePHI in transit and at rest.
  • Apply lessons learned from prior incidents to strengthen security.
  • Provide role-specific HIPAA training on a regular basis.

Summary

The BayCare settlement underscores a critical lesson: HIPAA compliance isn’t only about external cyberattacks—it’s also about managing internal access.
Even trusted users can become a liability when access privileges aren’t properly controlled, monitored, or revoked.

A thorough, documented risk analysis, an active risk management plan, and strong access control policies are essential for preventing unauthorized disclosures and OCR enforcement actions.

At Aris Medical Solutions, our online HIPAA Keeper™ system helps healthcare providers and business associates maintain full compliance through guided risk assessments, policy updates, training, and audit tracking, all in one secure, cloud-based system.

Don’t leave patient data exposed. Schedule your HIPAA Risk Analysis and Access Control Review with Aris Medical Solutions today.

©2025 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved