News Summary
BST & Co. CPAs, LLP has agreed to pay a $175,000 penalty to the HHS Office for Civil Rights to settle a HIPAA Security Rule violation. The settlement follows a ransomware attack that compromised the protected health information of around 170,000 individuals. The case underscores that a thorough, documented risk analysis is a baseline HIPAA obligation for any organization, including business associates outside the clinical setting, that handles electronic protected health information.
Albany, New York — BST & Co. CPAs, LLP has agreed to pay a $175,000 penalty as part of a settlement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for violating the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This settlement follows a ransomware attack that compromised the protected health information of approximately 170,000 individuals.
The ransomware attack, attributed to the Maze ransomware group, took place between December 4 and December 7, 2019. Initial access to BST & Co. CPAs' network was obtained through a phishing email, and the intrusion was detected on December 7. The breach exposed sensitive information, including names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions, belonging to patients of Community Care Physicians P.C., a medical group based in New York for which BST & Co. CPAs acted as a business associate.
OCR received the breach report on February 16, 2020, and opened an investigation, as it does for every breach affecting 500 or more individuals. The investigation found that BST & Co. CPAs had not conducted a risk analysis that met the HIPAA Security Rule's requirements. The Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires covered entities and business associates alike to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information they hold; without that inventory of systems, data flows, and threats, an organization has no defensible basis for the safeguards it chooses, and gaps such as the phishing path exploited here go unexamined.
Details of the Settlement
In addition to the $175,000 financial penalty, BST & Co. CPAs has agreed to a corrective action plan that OCR will monitor for two years. Under the plan, the firm must conduct a thorough and accurate risk analysis, develop a risk management plan to address the risks and vulnerabilities it identifies, establish and maintain written policies and procedures for ongoing HIPAA compliance, and train its workforce on those policies.
Regulatory Context
OCR has stepped up its enforcement of HIPAA, scrutinizing organizations that handle protected health information. In 2025 alone, OCR has announced 19 enforcement actions, many of them, as in the BST & Co. CPAs case, involving a failure to perform an adequate risk analysis. Financial penalties collected this year have exceeded $8 million, making 2025 a notably active year for HIPAA enforcement.
OCR Director Paula M. Stannard underscored the importance of thorough risk analyses as a means to prevent cyberattacks and data breaches, stressing that regulated entities must prioritize the security of electronic protected health information to safeguard against potential threats.
Conclusion
This settlement is a pointed reminder to business associates serving the healthcare sector that HIPAA's obligations, starting with a documented risk analysis, apply to them as much as to the providers they serve. OCR's enforcement record shows that it expects these organizations not merely to comply on paper but to actively protect patient data against an escalating threat environment.
Author: STAFF HERE NEW YORK WRITER