On August 18, 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (BST), a New York-based public accounting, business advisory, and management consulting firm.
The investigation began after BST reported a ransomware attack on February 16, 2020, revealing that part of its network had been infected with ransomware on December 7, 2019. The breach impacted the protected health information (PHI) of a covered entity client that had entrusted BST, a HIPAA business associate, with sensitive data.
OCR’s investigation found that BST failed to conduct an accurate and thorough risk analysis, a key requirement of the HIPAA Security Rule, which mandates safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). To resolve the case, BST agreed to pay $175,000 and implement a corrective action plan monitored by OCR for two years.
The BST & Co. CPAs, LLP data breach dates back to December 7, 2019, when BST discovered that part of its network had been infected with ransomware. As a HIPAA business associate, BST regularly handled financial information containing PHI from a covered entity client. Following the discovery, BST filed a breach report with the HHS OCR on February 16, 2020.
According to OCR Director Paula M. Stannard, “A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it. Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”
A data breach happens when unauthorized individuals gain access to sensitive information.
Organizations covered by regulations like HIPAA must report breaches to the HHS OCR if protected health information is involved. Reports must include details such as the date of the breach, the type of data involved, and the number of affected individuals.
A risk analysis is a thorough assessment of where sensitive data is stored, how it is transmitted, and what security vulnerabilities exist.