BST HIPAA Settlement

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has reached another significant enforcement milestone with its latest settlement involving BST & Co. CPAs, LLP, marking the agency’s 15th ransomware-related enforcement action and highlighting the critical importance of comprehensive HIPAA risk analysis requirements.

The BST Settlement: A Costly Lesson in Risk Analysis Failures

BST & Co. CPAs, a New York-based accounting and business consulting firm serving as a HIPAA business associate, agreed to pay $175,000 to settle allegations of Security Rule violations following a December 2019 ransomware attack. The settlement underscores a fundamental compliance gap that continues to plague healthcare organizations: the failure to conduct an adequate risk analysis.

The ransomware incident, discovered on December 7, 2019, infected part of BST’s network and compromised protected health information (PHI) belonging to the firm’s covered entity clients. OCR’s investigation revealed that BST had failed to perform the accurate and thorough risk analysis required under HIPAA’s Security Rule—a foundational requirement designed to identify vulnerabilities before they can be exploited by cybercriminals.

OCR’s Expanding Enforcement Focus

This latest action represents part of OCR’s broader Risk Analysis Initiative, which has already resulted in 10 enforcement actions targeting organizations that failed to properly assess their cybersecurity vulnerabilities. The initiative reflects OCR’s intensified focus on this fundamental Security Rule requirement, with enforcement actions continuing throughout 2024 and into 2025.

In 2024, OCR closed 22 HIPAA investigations with financial penalties, demonstrating the agency’s sustained commitment to enforcement. The pattern is clear: organizations that fail to conduct proper risk analyses face significant financial consequences and mandatory corrective action plans.

“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” said OCR Director Paula M. Stannard. “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”

Understanding Risk Analysis Requirements

The HIPAA Security Rule’s risk analysis provision requires covered entities and business associates to conduct comprehensive assessments of potential risks and vulnerabilities to electronic protected health information (ePHI). OCR has specified that the risk analysis must be specific to the organization’s unique operations, warning that generic templates and tools may fail to account for organization-specific network risks.

The process must include at least a risk analysis, an actionable remediation plan, a sanctions policy, and procedures for regular information system activity reviews, with all documentation stored for at least six years.

Essential Components of BST’s Corrective Action Plan

Under the two-year corrective action plan, BST must implement several key measures:

Risk Management Foundation

  • Conduct a comprehensive risk analysis to identify all ePHI vulnerabilities
  • Develop and implement risk management plans addressing identified threats
  • Create and maintain written policies and procedures for HIPAA compliance

Workforce Education and Monitoring

OCR’s Cybersecurity Recommendations

Based on current enforcement patterns and emerging threats, OCR recommends that all HIPAA-regulated entities implement these critical safeguards:

Information Mapping and Flow Analysis

  • Identify all locations where ePHI is stored, processed, or transmitted
  • Map how ePHI enters, flows through, and exits organizational systems
  • Document all data pathways and access points

Continuous Security Management

  • Conduct periodic risk analyses and update as organizational changes occur
  • Implement audit controls to record and examine system activity
  • Establish regular review processes for information system activity

Access Controls and Authentication

  • Deploy strong user authentication mechanisms for ePHI access
  • Implement role-based access controls limiting PHI exposure
  • Monitor and log all access to sensitive health information

Data Protection Measures

  • Encrypt ePHI both in transit and at rest when appropriate
  • Implement secure backup and recovery procedures
  • Establish incident response plans incorporating lessons learned from security events

Workforce Training and Awareness

  • Provide regular, role-specific HIPAA training for all staff
  • Update training materials to reflect current threat landscapes
  • Ensure training addresses organization-specific risks and procedures

The Growing Ransomware Threat

Healthcare data breaches continue to be dominated by hacking incidents, with 81.3% of reported large breaches in 2024 attributed to hacking and IT incidents. This statistic underscores why OCR has made ransomware enforcement a priority, with settlements ranging from $90,000 to nearly $1 million in recent actions.

The healthcare sector’s reliance on interconnected systems, combined with the sensitive nature of health information, makes it an attractive target for cybercriminals. Organizations that fail to implement proper safeguards face not only regulatory penalties but also operational disruptions, reputation damage, and potential patient harm.

Looking Ahead: Strengthened Enforcement in 2025

OCR has begun 2025 with intensified focus on risk analysis compliance, launching new enforcement actions as part of its ongoing Risk Analysis Initiative. Additionally, HHS has proposed significant modifications to the Security Rule to strengthen cybersecurity requirements for electronic protected health information, signaling that compliance requirements may become even more stringent.

Key Takeaways for Healthcare Organizations

The BST settlement serves as a reminder that HIPAA compliance cannot be an afterthought. Organizations must:

  • Prioritize comprehensive, organization-specific risk analyses over generic templates
  • Implement proactive risk management strategies rather than reactive responses
  • Maintain current documentation and regular review processes
  • Invest in workforce training and cybersecurity infrastructure
  • Develop robust incident response and recovery capabilities

With OCR’s continued emphasis on enforcement and the evolving threat landscape, healthcare organizations and their business associates must view HIPAA Security Rule compliance as an ongoing operational imperative rather than a one-time exercise. The $175,000 BST settlement represents just the latest reminder that the cost of non-compliance far exceeds the investment required for proper cybersecurity measures.
