The U.S. Department of Health and Human Services has reached a $175,000 settlement with New York accounting firm BST & Co. CPAs after a ransomware attack exposed sensitive patient information. The firm failed to conduct a proper HIPAA risk analysis, a key requirement to protect electronic health records, leaving patient data vulnerable and prompting federal enforcement action.
On August 18, 2025, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), announced a settlement with BST & Co. CPAs, LLP, a New York-based accounting, business advisory, and management consulting firm, to resolve potential violations of the HIPAA Security Rule.
The action stems from a ransomware attack discovered by BST on December 7, 2019, which compromised systems containing sensitive health data. The attack resulted in unauthorized access to the protected health information (PHI) of one of BST’s covered entity clients, so it affected BST internally and also jeopardized patient data entrusted to the firm by a healthcare organization. Following the breach, OCR launched an investigation and found a key compliance failure: BST had not conducted an accurate and thorough risk analysis prior to the incident.
OCR’s investigation began after BST self-reported the security breach on February 16, 2020. Beyond the ransomware attack itself, OCR found that BST had not properly assessed or mitigated the risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI). Though the settlement amount is moderate, this case is part of a broader enforcement pattern. The Risk Analysis Initiative targets one of the most frequently violated aspects of HIPAA compliance: conducting robust, organization-wide risk assessments. In fact, this is OCR’s 10th enforcement action under that initiative.
BST agreed to a corrective action plan (CAP) that will be monitored for two years and includes:
Performing a comprehensive risk analysis of its ePHI systems.
Developing and implementing a risk management plan to address identified vulnerabilities.
Formulating and maintaining written HIPAA privacy and security policies and procedures.
Enhancing its HIPAA and security training, with annual instruction for all relevant staff.
BST also agreed to pay $175,000 as a settlement and to complete these corrective steps.
A risk analysis involves identifying where electronic protected health information (ePHI) is stored, transmitted, and accessed, then assessing the potential vulnerabilities and threats to that data. By understanding these risks, organizations can put safeguards in place to prevent breaches, cyberattacks, or unauthorized access. Without a proper risk analysis, healthcare providers and their business associates are essentially leaving patient information exposed to avoidable security threats.
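To make the steps in that description concrete, here is an added example (written for this page, not code from BST, OCR or any HIPAA guidance) of the data a Security Rule style risk analysis produces: an inventory of where ePHI lives, each location paired with a threat and a vulnerability, a likelihood and impact rating, a derived risk level, and a risk management plan built from the register. The asset names, locations, ratings, the 3-point scale and the level thresholds are all constructed assumptions for illustration.

```python
"""Skeleton of a HIPAA-style risk analysis over a constructed ePHI inventory.

The structure follows the elements the Security Rule risk analysis has to cover:
inventory where ePHI is stored, transmitted and accessed, pair each location with
a threat and a vulnerability, rate likelihood and impact, derive a risk level, and
feed the result into a risk management plan. Asset names, paths and ratings are
constructed for illustration, not taken from the BST case.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordinal ratings used for likelihood and impact (hypothetical 3-point scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class EphiAsset:
    name: str
    location: str            # where the ePHI is stored, transmitted or accessed
    threat: str              # what could go wrong (e.g. ransomware)
    vulnerability: str       # the weakness the threat would exploit
    likelihood: str          # "low" | "medium" | "high"
    impact: str              # "low" | "medium" | "high"
    controls: list[str] = field(default_factory=list)  # safeguards already in place


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the 3-point scale; ranges 1..9."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_level(score: int) -> str:
    """Bucket a score into a qualitative level (thresholds are an assumption)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def analyze(assets: list[EphiAsset]) -> list[dict]:
    """Produce the risk register, highest risk first."""
    register = []
    for a in assets:
        score = risk_score(a.likelihood, a.impact)
        register.append({
            "asset": a.name,
            "location": a.location,
            "threat": a.threat,
            "vulnerability": a.vulnerability,
            "score": score,
            "level": risk_level(score),
            "controls": list(a.controls),
        })
    register.sort(key=lambda r: (-r["score"], r["asset"]))
    return register


def management_plan(register: list[dict], threshold: str = "medium") -> list[dict]:
    """Turn register entries at or above `threshold` into plan items.

    Entries with no existing control are marked as needing a new safeguard;
    entries that already have one are marked for verification, because the
    analysis must also judge whether current safeguards are adequate.
    """
    plan = []
    for r in register:
        if LEVELS[r["level"]] < LEVELS[threshold]:
            continue
        action = "implement safeguard" if not r["controls"] else "verify existing safeguard"
        plan.append({"asset": r["asset"], "level": r["level"],
                     "vulnerability": r["vulnerability"], "action": action})
    return plan


# Constructed inventory for a small firm that handles client PHI.
SAMPLE_ASSETS = [
    EphiAsset("client-billing-share", "/srv/clients on the office file server",
              "ransomware", "share writable by all staff; no offline backups",
              "high", "high"),
    EphiAsset("staff-mailboxes", "hosted email service",
              "phishing", "no multi-factor authentication",
              "high", "medium", controls=["spam filtering"]),
    EphiAsset("field-laptops", "laptops used at client sites",
              "device theft or loss", "disk not encrypted",
              "medium", "high"),
    EphiAsset("offsite-backups", "encrypted backup media at a storage vendor",
              "media loss", "recovery keys stored with the media",
              "low", "medium", controls=["encryption at rest"]),
]

if __name__ == "__main__":
    register = analyze(SAMPLE_ASSETS)
    for row in register:
        print(f'{row["level"]:6} {row["score"]}  {row["asset"]}: {row["vulnerability"]}')
    for item in management_plan(register):
        print(item["action"], "->", item["asset"])
```

The point of keeping the register and the plan as separate steps is the one OCR makes in this case: the analysis identifies and ranks the exposures, and the risk management plan is what turns each high-ranked entry into a concrete safeguard that can be tracked and evidenced.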
As OCR Director Paula M. Stannard stated in a press release, “A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it. Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”
The firm failed to anticipate or address the weaknesses that allowed ransomware to infiltrate its systems. By neglecting this HIPAA requirement, BST violated federal regulations and also increased the risk of cybercriminals gaining access to sensitive patient records. The case shows how compliance gaps can endanger data security.
A ransomware attack is a type of cyberattack in which malicious software (malware) infects a computer or network and encrypts files, making them inaccessible to the user or organization. The attacker then demands a ransom payment, often in cryptocurrency, in exchange for a decryption key to restore access to the data.
The HIPAA Security Rule is a federal regulation that sets standards for protecting ePHI. It requires covered entities and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
HIPAA applies to accounting firms when they handle PHI on behalf of healthcare providers, health plans, or other covered entities. In these cases, the accounting firm is considered a business associate under HIPAA, meaning it has direct legal obligations to safeguard patient data.