Call Us Today! 877-659-2467 contactus@arismedicalsolutions.com
Aris Home
Contact Us
Learn More

Tag: ransomware

BST & Co. CPAs, LLP fined $175K for Ransomware Breach

Posted bySuze Shaffer

OCR Issues 15th Ransomware Enforcement Action and 10th Enforcement Action in Risk Analysis Initiative

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (“BST”), a New York-based public accounting, business advisory, and management consulting firm, for potential violations of the HIPAA Security Rule. As a business associate, BST received financial data containing protected health information (PHI) from a HIPAA covered entity.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules

This require covered entities (health plans, health care clearinghouses, and most providers) and business associates like BST to safeguard PHI. The HIPAA Security Rule establishes national standards that protect ePHI through administrative, physical, and technical safeguards. Its Risk Analysis provision requires regulated entities to conduct accurate and thorough assessments of risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

OCR considers a HIPAA risk analysis essential for locating ePHI and determining what security measures are needed to protect it,”

As quoted by OCR Director Paula M. Stannard. “Conducting a thorough risk analysis that drives a risk management plan serves as a foundation for preventing or mitigating cyberattacks and breaches.”

OCR launched its investigation after BST filed a breach report on February 16, 2020. BST reported that on December 7, 2019, it discovered ransomware on part of its network that affected PHI belonging to a covered entity client. Investigators determined that BST had failed to conduct an accurate and thorough risk analysis of its ePHI environment.

Under the resolution agreement

BST agreed to pay $175,000, implement a corrective action plan monitored by OCR for two years, and strengthen its HIPAA Security Rule compliance. BST must:

  • Conduct a thorough risk analysis of its ePHI environment;
  • Develop and implement a risk management plan to address identified risks;
  • Maintain and revise written HIPAA Privacy and Security Rule policies and procedures; and
  • Expand HIPAA and security training, including annual training for workforce members with PHI access.

OCR urged all covered entities and business associates to reduce cyber threats by:

  • Identifying where ePHI resides and how it flows across systems;
  • Performing and updating risk analyses, and implementing risk management measures;
  • Maintaining audit controls and reviewing system activity;
  • Authenticating user access and encrypting ePHI in transit and at rest;
  • Incorporating lessons learned from incidents into security management; and
  • Delivering workforce training tailored to organizational roles and responsibilities.

This case is a clear warning: even trusted professional firms can face HIPAA penalties if they overlook basic security requirements. A thorough risk analysis and an active risk management plan are not just regulatory obligations, they’re essential safeguards for protecting patient data and maintaining client trust.

At Aris Medical Solutions, our HIPAA Keeper platform helps healthcare organizations perform a complete risk analysis, implement risk management strategies, and maintain ongoing compliance with the HIPAA Privacy and Security Rules – all within one secure, cloud-based system.

Don’t wait for an OCR complaint to expose your weaknesses, schedule your annual HIPAA Risk Analysis today.

Comstar, a Business Associate fined $75K for Ransomware Attack

Posted bySuze Shaffer

The Office for Civil Rights (OCR) has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates. Comstar, LLC (“Comstar”) meets the definition of “business associate” under 45 C.F.R. § 160.103 because it provides billing, collection, consulting, Electronic Patient Care Reporting (ePCR) hosting, and client/patient services for non-profit and municipal ambulance services.

History

On March 19, 2022, an unknown actor gained access to the electronic protected health information (“ePHI”) maintained on Comstar’s network servers. Comstar did not detect the intrusion until March 26, 2022, when its IT service vendor began receiving support tickets. It was determined ransomware was used to encrypt Comstar’s network servers and that the protected health information (“PHI”) of 585,621 individuals was affected.

HHS’ investigation indicated that the following conduct occurred:

  • Comstar failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds.

Resolution Agreement

  • Comstar has agreed to pay HHS $75,000 on the Effective Date of the Agreement.
  • Comstar agrees to comply with the Corrective Action Plan (“CAP”) and if they fail to cure the breach, then Comstar will be in breach of the Agreement and HHS will not be subject to the Release of the Agreement.
  • HHS does not release Comstar from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
  • The Agreement is binding on Comstar and its successors, heirs, transferees, and assigns.

Summary

This clearly demonstrates the authority HHS has in assessing fines for business associates. Ransomware affects all types of businesses, and an annual risk analysis helps to uncover vulnerabilities to prevent data breaches.

Every medical practice and business associate must have a documented risk analysis and risk management plan. This is not just for compliance, but to protect patients’ information, and the integrity of their operations.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all in one secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining up-to-date policies, procedures, HIPAA training and documentation to meet every aspect of the HIPAA Privacy and Security Rules.

Protect your practice before an attack happens. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

Green Ridge Behavioral Health is Second Ransomware Settlement

Posted bySuze Shaffer

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Green Ridge Behavioral Health, LLC, a Maryland psychiatric practice. The case involved a ransomware attack that compromised the protected health information of more than 14,000 patients.

Ransomware locks users out of their data until a hacker receives payment. OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules to protect patient information. This marks OCR’s second ransomware-related settlement.

OCR Director Melanie Fontes Rainer said:
“Ransomware is now one of the most common cyber-attacks. Patients suffer when they cannot access their medical records. Providers must take steps to prevent these attacks and protect patient data.”

The Breach

In February 2019, Green Ridge reported to OCR that ransomware encrypted its servers, company files, and all patient electronic health records. OCR’s investigation found multiple HIPAA Security Rule failures, including:

  • No complete risk analysis of electronic PHI.
  • No effective security measures to reduce risks.
  • No sufficient monitoring of system activity.

Settlement Terms

Green Ridge agreed to pay $40,000 and implement a Corrective Action Plan (CAP) monitored by OCR for three years. The CAP requires Green Ridge to:

  • Conduct a full risk analysis.
  • Create a risk management plan.
  • Update policies and procedures.
  • Train its workforce on HIPAA.
  • Audit third-party vendors and ensure business associate agreements.
  • Report workforce HIPAA violations to OCR.

Recommendations

Ransomware and hacking are now the top cyber threats in healthcare. Large breaches have increased 256% in the last five years. Ransomware rose 264% during the same period. In 2023, hacking caused 79% of large breaches, affecting over 134 million people—a 141% increase from 2022.

OCR recommends medical providers and business associates:

  • Regularly perform risk analysis and risk management.
  • Monitor and audit system activity.
  • Use multi-factor authentication and encryption.
  • Ensure strong vendor agreements.
  • Provide frequent, role-specific workforce training.
  • Apply lessons from past incidents.

At Aris Medical Solutions, our HIPAA Keeper™ platform helps healthcare providers simplify compliance by maintaining up-to-date policies, procedures, and workforce training to meet every aspect of the HIPAA Privacy and Security Rules.

Don’t risk costly penalties. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

©2025 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC