On August 18, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $175,000 financial settlement and two-year corrective action plan (CAP) against BST & Co. CPAs, LLP (BST) for an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
Ransomware attack impacts PHI
BST is a New York public accounting, business advisory, and management consulting firm. It is a HIPAA business associate because it represents a covered entity client and, in the course of that engagement, receives financial information containing protected health information (PHI). In February 2020, BST filed a breach notification report with OCR after discovering a December 2019 ransomware attack on its network. BST reported that the ransomware was introduced from outside via a phishing email and affected the PHI of its covered entity client, a New York-based physician group. The breach reportedly affected the PHI of 170,000 individuals.
Risk analysis and training are keys to compliance
This is OCR's 15th ransomware enforcement action. The more than five-year gap between BST's February 2020 breach notification and the August 2025 settlement is also a reminder to entities that have reported breaches that OCR's review, investigation, and settlement process can take years.
This action also marks the 10th enforcement action in OCR’s Risk Analysis Initiative. OCR’s investigation revealed that BST failed to conduct an accurate and thorough risk analysis to determine potential risks and vulnerabilities to the confidentiality of electronic PHI.
In a press release regarding the BST enforcement action, OCR also emphasizes the need for HIPAA-regulated entities to ensure that their HIPAA training is specific to their organization, as well as to the job duties of their workforce members.
Considerations for HIPAA-regulated entities
This enforcement action underscores the need for business associates to have appropriate safeguards in place to protect PHI, even if the organization has only one covered entity client or covered entities make up only a small share of its client base. HIPAA imposes direct legal obligations on business associates to safeguard PHI and comply with specific requirements, such as implementing adequate policies and procedures and conducting risk analyses. It also reminds covered entities to carefully consider arrangements with business associates that access or receive PHI, ensuring that the vendor has robust safeguards and a comprehensive business associate agreement (BAA) in place.