Privacy Daily is a service of Warren Communications News.

New York Company Settles With HHS for $175K After Ransomware Probe

A New York public accounting firm settled with the Department of Health and Human Services for $175,000 over claims it violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the Office for Civil Rights announced Monday following a ransomware attack investigation.

Privacy Daily reported in July that the Trump administration was expected to continue focusing on the HIPAA Security Rule and risk analysis violations (see 2507140046).

OCR on Monday claimed that New York-based BST & Co. CPAs “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic protected health information (ePHI). BST agreed to establish a corrective action plan that will be monitored for two years. BST will conduct an “accurate and thorough risk analysis,” said OCR.

“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” said OCR Director Paula Stannard. “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”

BST said in a statement Tuesday that the company’s 2020 investigation and OCR’s 2025 investigation “confirmed that no sensitive client or patient information was accessed during the 2019 malware attack.”

Since the attack, the company has “implemented enhanced cybersecurity measures, including consulting with industry experts, to strengthen protection against future threats,” said BST. “Moreover, BST has recently partnered with West Point Security, a locally-based and nationally-renowned cybersecurity firm, to supplement its internal safeguards with industry recommended best practices as well as to assist other businesses and not-for-profit organizations from falling victim to nefarious online activity.”