Accounting Firm Settles for $175K with Federal Authorities Over HIPAA Ransomware Breach

Data Privacy,
Data Security,
Healthcare

<span class="article-sub-title">Settlement Includes Corrective Action Plan Aimed at Enhancing Risk Analysis</span>
<span class="article-byline">
    <a class="author-link" href="https://www.databreachtoday.com/authors/marianne-kolbasuk-mcgee-i-626">Marianne Kolbasuk McGee</a> 
    (<a href="https://www.twitter.com/HealthInfoSec">HealthInfoSec</a>) 
    • <span class="text-nowrap">August 18, 2025</span>
</span>

<figure>
    <img src="https://130e178e8f8ba617604b-8aedd782b7d22cfe0d1146da69a52436.ssl.cf1.rackcdn.com/accounting-firm-pays-feds-175k-for-hipaa-ransomware-breach-image_large-9-a-29248.jpg" alt="Accounting Firm Pays Feds $175K for HIPAA Ransomware Breach" class="img-responsive"/>
    <figcaption>Image: BST</figcaption>
</figure>

An investigation into a ransomware incident reported in 2020, which compromised the protected health information of approximately 170,000 individuals, has culminated in a $175,000 settlement for a New York-based certified public accounting firm, BST & Co. CPAs, LLP. In conjunction with the payment, federal regulators required the firm to implement a corrective action plan to address potential HIPAA violations.

On August 18, 2025, the U.S. Department of Health and Human Services (HHS) revealed that this settlement marks the Office for Civil Rights’ 15th enforcement action related to ransomware and the 10th regarding risk analysis since these areas were designated as HIPAA enforcement priorities in 2023 and 2024.

The settlement follows an investigation initiated by HHS OCR after BST submitted a breach report on February 16, 2020. According to the report, the firm uncovered a ransomware infection in part of its network on December 7, 2019, which impacted the protected health information of a client, Community Care Physicians.

Security researchers had reported at the time that some of the data exfiltrated during the attack was posted on the public leak site of the Maze ransomware group, indicating that the incident involved data theft as well as encryption. HHS OCR's investigation concluded that the accounting firm had not conducted an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information it held.

Apart from the financial penalty, the resolution agreement demands that BST develop and implement a robust corrective action plan focused on risk management and enhancing risk analysis practices. Specifically, the agreement requires BST to perform a comprehensive HIPAA security risk analysis annually for the next two years and to create a risk management plan addressing identified vulnerabilities.

Additionally, BST will need to revise and maintain written policies and procedures that comply with HIPAA privacy and security regulations, while also enhancing its training programs. All employees affected by these policies are to receive annual training to bolster understanding of compliance protocols.

Paula Stannard, director of HHS OCR, emphasized that a thorough HIPAA risk analysis is essential to pinpoint where electronic protected health information is stored and to determine the security measures needed to protect it, and that a risk management plan informed by that analysis is pivotal for mitigating or preventing cyberattacks and breaches.

In a statement to Information Security Media Group, BST affirmed that its internal investigation, along with the OCR’s examination, verified that no sensitive client or patient data was accessed during the 2019 attack. The firm has since intensified its cybersecurity measures and engaged with industry experts to bolster its defenses against future threats. Furthermore, BST has partnered with a third-party cybersecurity specialist to enhance its internal safeguards and assist other organizations in avoiding similar security incidents.

Updated on August 18 to include BST’s statement.
