ransomware Archives

BST & Co. CPAs, LLP fined $175K for Ransomware Breach

Suze Shaffer August 18, 2025November 8, 2025

OCR Issues 15th Ransomware Enforcement Action and 10th Enforcement Action in Risk Analysis Initiative

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (“BST”), a New York-based public accounting, business advisory, and management consulting firm, for potential violations of the HIPAA Security Rule. As a business associate, BST received financial data containing protected health information (PHI) from a HIPAA covered entity.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules

This require covered entities (health plans, health care clearinghouses, and most providers) and business associates like BST to safeguard PHI. The HIPAA Security Rule establishes national standards that protect ePHI through administrative, physical, and technical safeguards. Its Risk Analysis provision requires regulated entities to conduct accurate and thorough assessments of risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

“OCR considers a HIPAA risk analysis essential for locating ePHI and determining what security measures are needed to protect it,”

As quoted by OCR Director Paula M. Stannard. “Conducting a thorough risk analysis that drives a risk management plan serves as a foundation for preventing or mitigating cyberattacks and breaches.”

OCR launched its investigation after BST filed a breach report on February 16, 2020. BST reported that on December 7, 2019, it discovered ransomware on part of its network that affected PHI belonging to a covered entity client. Investigators determined that BST had failed to conduct an accurate and thorough risk analysis of its ePHI environment.

Under the resolution agreement

BST agreed to pay $175,000, implement a corrective action plan monitored by OCR for two years, and strengthen its HIPAA Security Rule compliance. BST must:

Conduct a thorough risk analysis of its ePHI environment;
Develop and implement a risk management plan to address identified risks;
Maintain and revise written HIPAA Privacy and Security Rule policies and procedures; and
Expand HIPAA and security training, including annual training for workforce members with PHI access.

OCR urged all covered entities and business associates to reduce cyber threats by:

Identifying where ePHI resides and how it flows across systems;
Performing and updating risk analyses, and implementing risk management measures;
Maintaining audit controls and reviewing system activity;
Authenticating user access and encrypting ePHI in transit and at rest;
Incorporating lessons learned from incidents into security management; and
Delivering workforce training tailored to organizational roles and responsibilities.

This case is a clear warning: even trusted professional firms can face HIPAA penalties if they overlook basic security requirements. A thorough risk analysis and an active risk management plan are not just regulatory obligations, they’re essential safeguards for protecting patient data and maintaining client trust.

At Aris Medical Solutions, our HIPAA Keeper™ platform helps healthcare organizations perform a complete risk analysis, implement risk management strategies, and maintain ongoing compliance with the HIPAA Privacy and Security Rules – all within one secure, cloud-based system.

Don’t wait for an OCR complaint to expose your weaknesses, schedule your annual HIPAA Risk Analysis today.

Syracuse ASC fined $250K for Ransomware

Suze Shaffer July 23, 2025January 5, 2026

A Costly Reminder of HIPAA’s Ransomware Readiness Requirements. The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Syracuse ASC, LLC, doing business as Specialty Surgery Center of Central New York, for potential violations of the HIPAA Security and Breach Notification Rules. This case marks OCR’s 14th ransomware enforcement action, reinforcing the growing federal focus on cybersecurity preparedness across the healthcare sector.

History

Syracuse ASC is a single-facility ambulatory surgery center in Liverpool, New York, specializing in ophthalmic, ENT, and pain management procedures. In March 2021, the center experienced a ransomware attack involving the PYSA variant—a sophisticated cross-platform malware known for targeting healthcare organizations.

The incident compromised electronic protected health information (ePHI) for 24,891 individuals. OCR initiated an investigation in October 2021 after Syracuse ASC reported the breach to HHS. The investigation revealed that the center had never conducted an accurate and thorough HIPAA risk analysis, as required by the Security Rule. OCR also found that Syracuse ASC failed to provide timely breach notifications to both affected individuals and HHS.

Settlement Terms

Under the Resolution Agreement, Syracuse ASC agreed to:

Pay $250,000 to HHS OCR.
Implement a Corrective Action Plan (CAP) monitored for two years.

The CAP requires Syracuse ASC to:

Conduct a complete and thorough risk analysis of ePHI systems.
Develop and implement a risk management plan to address identified vulnerabilities.
Review and revise policies and procedures to ensure compliance with HIPAA.
Provide annual HIPAA training for all workforce members handling PHI.

OCR’s Message: Ransomware Risks Are Real

OCR Director Paula M. Stannard stressed the critical importance of proactive cybersecurity, stating:

“Conducting a thorough HIPAA-compliant risk analysis—and developing and implementing risk management measures to address identified risks and vulnerabilities—is even more necessary as sophisticated cyberattacks increase. HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”

This case underscores that failing to complete and document a proper risk analysis not only weakens an organization’s defenses but also constitutes a direct violation of the HIPAA Security Rule.

The Role of the Breach Notification Rule

In addition to security failures, OCR determined that Syracuse ASC violated the HIPAA Breach Notification Rule, which requires covered entities and their business associates to:

Notify affected individuals without unreasonable delay (no later than 60 days after discovery).
Report the breach to HHS within the same timeframe.
Document the scope, cause, and mitigation actions taken.

Delayed notification denies patients their right to act quickly to protect their personal and financial information and signals poor incident response readiness.

OCR’s Recommendations for Preventing Cyber Threats

To help prevent or mitigate ransomware and other cyber threats, OCR recommends that all healthcare entities and business associates:

Identify where ePHI is stored, transmitted, and processed across all systems.
Conduct and regularly update risk analyses.
Implement and maintain a risk management plan addressing identified threats.
Establish audit controls to monitor system activity.
Authenticate all users accessing ePHI.
Encrypt ePHI both at rest and in transit.
Incorporate lessons learned from past incidents into the security program.
Provide ongoing, role-specific HIPAA training for all staff.

Summary

Ransomware attacks are no longer rare events – they’re a daily threat to healthcare organizations of all sizes. OCR’s 14th ransomware enforcement action makes one thing clear: a missing or incomplete risk analysis is a direct pathway to vulnerability and liability.

Every covered entity and business associate must have a documented risk analysis and risk management plan. This is not just for compliance, but to protect patients, data, and the integrity of their operations.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all in one secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining up-to-date policies, procedures, HIPAA training and documentation to meet every aspect of the HIPAA Privacy and Security Rules.

Protect your practice before an attack happens. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

Comstar, a Business Associate fined $75K for Ransomware Attack

Suze Shaffer May 30, 2025November 8, 2025

The Office for Civil Rights (OCR) has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates. Comstar, LLC (“Comstar”) meets the definition of “business associate” under 45 C.F.R. § 160.103 because it provides billing, collection, consulting, Electronic Patient Care Reporting (ePCR) hosting, and client/patient services for non-profit and municipal ambulance services.

History

On March 19, 2022, an unknown actor gained access to the electronic protected health information (“ePHI”) maintained on Comstar’s network servers. Comstar did not detect the intrusion until March 26, 2022, when its IT service vendor began receiving support tickets. It was determined ransomware was used to encrypt Comstar’s network servers and that the protected health information (“PHI”) of 585,621 individuals was affected.

HHS’ investigation indicated that the following conduct occurred:

Comstar failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds.

Resolution Agreement

Comstar has agreed to pay HHS $75,000 on the Effective Date of the Agreement.
Comstar agrees to comply with the Corrective Action Plan (“CAP”) and if they fail to cure the breach, then Comstar will be in breach of the Agreement and HHS will not be subject to the Release of the Agreement.
HHS does not release Comstar from, nor waive any rights, obligations, or causes of action other than those arising out of or related to the Covered Conduct. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
The Agreement is binding on Comstar and its successors, heirs, transferees, and assigns.

Summary

This clearly demonstrates the authority HHS has in assessing fines for business associates. Ransomware affects all types of businesses, and an annual risk analysis helps to uncover vulnerabilities to prevent data breaches.

Every medical practice and business associate must have a documented risk analysis and risk management plan. This is not just for compliance, but to protect patients’ information, and the integrity of their operations.

Protect your practice before an attack happens. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

Green Ridge Behavioral Health is Second Ransomware Settlement

Suze Shaffer October 30, 2023November 6, 2025

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Green Ridge Behavioral Health, LLC, a Maryland psychiatric practice. The case involved a ransomware attack that compromised the protected health information of more than 14,000 patients.

Ransomware locks users out of their data until a hacker receives payment. OCR enforces HIPAA’s Privacy, Security, and Breach Notification Rules to protect patient information. This marks OCR’s second ransomware-related settlement.

OCR Director Melanie Fontes Rainer said:
“Ransomware is now one of the most common cyber-attacks. Patients suffer when they cannot access their medical records. Providers must take steps to prevent these attacks and protect patient data.”

The Breach

In February 2019, Green Ridge reported to OCR that ransomware encrypted its servers, company files, and all patient electronic health records. OCR’s investigation found multiple HIPAA Security Rule failures, including:

No complete risk analysis of electronic PHI.
No effective security measures to reduce risks.
No sufficient monitoring of system activity.

Settlement Terms

Green Ridge agreed to pay $40,000 and implement a Corrective Action Plan (CAP) monitored by OCR for three years. The CAP requires Green Ridge to:

Conduct a full risk analysis.
Create a risk management plan.
Update policies and procedures.
Train its workforce on HIPAA.
Audit third-party vendors and ensure business associate agreements.
Report workforce HIPAA violations to OCR.

Recommendations

Ransomware and hacking are now the top cyber threats in healthcare. Large breaches have increased 256% in the last five years. Ransomware rose 264% during the same period. In 2023, hacking caused 79% of large breaches, affecting over 134 million people—a 141% increase from 2022.

OCR recommends medical providers and business associates:

Regularly perform risk analysis and risk management.
Monitor and audit system activity.
Use multi-factor authentication and encryption.
Ensure strong vendor agreements.
Provide frequent, role-specific workforce training.
Apply lessons from past incidents.

At Aris Medical Solutions, our HIPAA Keeper™ platform helps healthcare providers simplify compliance by maintaining up-to-date policies, procedures, and workforce training to meet every aspect of the HIPAA Privacy and Security Rules.

Don’t risk costly penalties. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.