Neurology Practice OCR Settlement

In a continued push to hold healthcare providers accountable for cybersecurity preparedness, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a settlement with Comprehensive Neurology, PC, a small neurology practice based in New York. The settlement resolves an OCR investigation following a ransomware attack that compromised sensitive patient data—and underscores the vital role of HIPAA Security Rule compliance in the fight against cyberthreats.

What Happened?

In December 2020, Comprehensive Neurology reported a data breach to HHS after ransomware encrypted its entire IT network, rendering all electronic protected health information (ePHI) inaccessible. The breach affected approximately 6,800 individuals, including patient names, clinical information, insurance details, demographic data, Social Security numbers, and driver’s license/state ID numbers.

OCR’s investigation revealed that the practice failed to conduct an accurate and thorough risk analysis, a key requirement under the HIPAA Security Rule. As a result, Comprehensive Neurology agreed to a $25,000 settlement and committed to a Corrective Action Plan (CAP) monitored by OCR for the next two years.

Why This Matters

This is the 12th ransomware-related HIPAA enforcement action by OCR and the 8th under its Risk Analysis Initiative, which focuses on increasing compliance with the Security Rule’s foundational risk analysis requirement. According to Acting OCR Director Anthony Archeval, “Effective cybersecurity requires proactively implementing the HIPAA Security Rule requirements before a breach or cybersecurity incident occurs.”

The risk analysis provision is not just a checkbox—it’s the bedrock of cybersecurity readiness in healthcare. It helps organizations identify potential vulnerabilities before attackers do.

What Comprehensive Neurology Must Now Do

As part of the settlement, Comprehensive Neurology will take several specific steps to improve its cybersecurity posture:

Key Takeaways for All Healthcare Organizations

This case serves as a stark reminder that no healthcare organization—large or small—is immune to ransomware. OCR recommends that covered entities and business associates take the following proactive steps:

  1. Map your ePHI: Know how electronic protected health information flows into, through, and out of your systems. 
  2. Integrate cybersecurity into daily operations: Make risk analysis and risk management a routine part of your business processes. 
  3. Enable audit controls: Regularly monitor system activity for unauthorized access or anomalies. 
  4. Train your workforce: Tailor HIPAA training to your organization’s systems and each employee’s job role. 
  5. Encrypt data: Use encryption both in transit and at rest to protect against unauthorized access. 
  6. Use authentication controls: Limit ePHI access to authorized users only. 
  7. Learn from incidents: Use breaches or close calls as teachable moments to strengthen security protocols.
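The audit-control step above (item 3) is the one most practices can act on immediately, because EHR and file-server access logs already exist; what is usually missing is a routine review. The following is an added example, not code from OCR or from the practice: a small Python review of a constructed ePHI access log that flags three common anomaly types (an action outside the user's role, chart access outside business hours by a non-service account, and one account touching an unusual number of distinct patients in a day). The log format, role names, thresholds and hours are assumptions for illustration; in practice they come from the organization's own risk analysis and access policy.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines in a hypothetical EHR audit format:
# ISO timestamp, user, role, patient id, action.
SAMPLE_LOG = [
    "2020-12-01T09:12:05 jdoe clinician P1001 view",
    "2020-12-01T09:15:40 jdoe clinician P1002 update",
    "2020-12-01T10:02:11 mrivera billing P1001 view",
    "2020-12-01T23:48:09 mrivera billing P1003 view",       # after hours
    "2020-12-01T11:30:00 mrivera billing P1004 update",     # billing may not update
    "2020-12-02T02:10:00 svc_backup service P1001 export",  # scheduled job, exempt
]
# A front-desk account opening 30 distinct charts in one morning (constructed).
SAMPLE_LOG += [
    f"2020-12-02T08:{i:02d}:00 tsmith front_desk P2{i:03d} view" for i in range(30)
]

# Assumed policy: which actions each role may perform on ePHI.
ROLE_ALLOWED_ACTIONS = {
    "clinician": {"view", "update"},
    "billing": {"view"},
    "front_desk": {"view"},
    "service": {"export"},
}
AFTER_HOURS_EXEMPT_ROLES = {"service"}   # automated jobs run at night by design
BUSINESS_HOURS = range(7, 20)            # 07:00 through 19:59, assumed
BULK_THRESHOLD = 25                      # distinct patients per user per day, assumed


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, role, patient, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "role": role,
        "patient": patient,
        "action": action,
    }


def review(lines):
    """Return a list of (finding_kind, user, detail) tuples for the given log lines."""
    findings = []
    patients_per_user_day = defaultdict(set)

    for line in lines:
        ev = parse_line(line)

        # 1. Role/action mismatch: the action is not permitted for this role.
        if ev["action"] not in ROLE_ALLOWED_ACTIONS.get(ev["role"], set()):
            findings.append(("role_violation", ev["user"], ev["patient"]))

        # 2. Human account touching charts outside business hours.
        if (ev["role"] not in AFTER_HOURS_EXEMPT_ROLES
                and ev["ts"].hour not in BUSINESS_HOURS):
            findings.append(("after_hours", ev["user"], ev["patient"]))

        # Track distinct patients per user per calendar day for the bulk check.
        patients_per_user_day[(ev["user"], ev["ts"].date())].add(ev["patient"])

    # 3. Bulk access: one account reading far more charts than its role normally needs.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(patients)} patients on {day}"))

    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'after_hours': 1, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:15} {user:12} {detail}")
    print(summarize(review(SAMPLE_LOG)))
```

The point of the example is the routine, not the thresholds: a daily run of a check like this over real audit logs is what turns "enable audit controls" into evidence that the controls are actually monitored, which is the kind of documentation an OCR risk-analysis review asks for. The after-hours exemption for service accounts illustrates why the rules have to be derived from the ePHI data-flow map in item 1 rather than applied generically.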

Final Thoughts

OCR’s settlement with Comprehensive Neurology is a clear signal to the healthcare industry: HIPAA compliance is not optional, and cybersecurity lapses will be enforced. Organizations must proactively address vulnerabilities before a breach occurs—because the consequences of waiting are far more costly.

For more details, you can view the full resolution agreement and corrective action plan here: OCR Resolution Agreement (PDF).