HHS reaches settlement with BST after major HIPAA ransomware breach
Kirsten Peremore
Sep 7, 2025 1:09:16 PM

On August 18, 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (BST), a New York-based public accounting, business advisory, and management consulting firm.
What happened
The investigation began after BST reported a ransomware attack on February 16, 2020, revealing that part of its network had been infected with ransomware on December 7, 2019. The breach impacted the protected health information (PHI) of a covered entity client that had entrusted BST, a HIPAA business associate, with sensitive data.
OCR’s investigation found that BST failed to conduct an accurate and thorough risk analysis, a key requirement of the HIPAA Security Rule, which mandates safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). To resolve the case, BST agreed to pay $175,000 and implement a corrective action plan monitored by OCR for two years.
The backstory
The BST & Co. CPAs, LLP data breach dates back to December 7, 2019, when BST discovered that part of its network had been infected with ransomware. As a HIPAA business associate, BST regularly handled financial information containing PHI from a covered entity client. Following the discovery, BST filed a breach report with the HHS OCR on February 16, 2020.
What was said
According to OCR Director Paula M. Stannard, “A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it. Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”
FAQs
What is a data breach?
A data breach happens when unauthorized individuals gain access to sensitive information.
How do organizations report a data breach?
Organizations covered by regulations like HIPAA must report breaches to the HHS OCR if protected health information is involved. Reports must include details such as the date of the breach, the type of data involved, and the number of affected individuals.
What is a risk analysis?
A risk analysis is a thorough assessment of where sensitive data is stored, how it is transmitted, and what security vulnerabilities exist.