BST & Co. Reaches $175,000 HIPAA Settlement Over Ransomware-Linked Security Failures

WASHINGTON, D.C. — The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP, a New York-based accounting and business advisory firm, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule following a ransomware incident.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set strict requirements for protecting patients’ protected health information (PHI). As a HIPAA business associate, BST handles financial data that includes PHI on behalf of a covered entity. OCR’s investigation found that BST failed to conduct the required comprehensive risk analysis necessary to identify and address vulnerabilities to its electronic protected health information (ePHI) systems.

Details of the Breach

The settlement stems from a breach report filed by BST on February 16, 2020. The firm disclosed that on December 7, 2019, it discovered ransomware had infiltrated part of its network, impacting PHI belonging to one of its covered entity clients. Following the report, OCR launched an investigation that revealed BST had not performed an “accurate and thorough” assessment of potential security risks to its ePHI, as mandated under HIPAA’s Security Rule.

“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” OCR Director Paula M. Stannard said. “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”

Settlement Terms and Corrective Action Plan

Under the resolution agreement, BST agreed to pay $175,000 and implement a comprehensive corrective action plan that will remain under OCR monitoring for two years. The plan includes:

  • Conducting a full risk analysis to evaluate threats and vulnerabilities to its ePHI.
  • Developing and executing a risk management strategy to mitigate identified risks.
  • Establishing and maintaining updated HIPAA-compliant security policies and procedures.
  • Expanding its HIPAA and cybersecurity training programs, with mandatory annual training for all employees who handle PHI.
OCR’s Recommendations for Covered Entities and Business Associates

In announcing the settlement, OCR also urged all HIPAA-covered entities and business associates to adopt stronger cybersecurity practices to safeguard sensitive health data. Recommended measures include:

  • Mapping where ePHI is stored, transmitted, and accessed within organizational systems.
  • Conducting and updating periodic risk analyses, followed by actionable risk management steps.
  • Implementing audit controls and routinely reviewing system activity.
  • Using user authentication protocols and encryption to secure ePHI both in transit and at rest.
  • Incorporating lessons learned from past breaches into broader security strategies.
  • Providing workforce-specific, role-based HIPAA security training on an ongoing basis.
Broader Implications

The settlement underscores OCR’s continued focus on enforcing HIPAA Security Rule compliance, particularly amid rising cybersecurity threats across the health care sector. The ransomware attack affecting BST highlights growing risks to sensitive patient data and the consequences organizations face if they fail to conduct thorough security risk assessments.

For the latest news on everything happening in Chester County and the surrounding area, be sure to follow MyChesCo on Google News and MSN.