OCR Settles HIPAA Case with BST Over Ransomware, Risk Gaps

When ransomware knocks, regulators usually ask one very practical question: “Did you know where your protected health information lived, and did you understand the risks before the attackers arrived?” In the HIPAA settlement involving BST & Co. CPAs, LLP, the U.S. Department of Health and Human Services’ Office for Civil Rights sent a message that was hard to miss: cybersecurity compliance is not just a hospital problem, not just an IT problem, and absolutely not a “we’ll get to it after budget season” problem.

OCR announced the settlement with BST on August 18, 2025, resolving a HIPAA Security Rule investigation tied to a ransomware incident discovered in December 2019. BST, a New York public accounting, business advisory, and management consulting firm, served as a HIPAA business associate because it received financial information that also included protected health information from a covered entity client. That detail matters. HIPAA does not stop at the clinic door. It follows electronic protected health information, or ePHI, into billing firms, cloud vendors, accounting firms, consultants, and other partners that handle sensitive health data.

The case ended with a $175,000 resolution amount and a two-year corrective action plan monitored by OCR. The headline may look like another ransomware enforcement story, but the real plot is simpler and more important: OCR found that BST had not conducted an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. In plain English, the organization allegedly had sensitive data in its environment without a sufficiently documented map of the hazards around it. That is a little like storing fireworks in a pantry and then acting surprised when dinner gets dramatic.

What Happened in the BST HIPAA Ransomware Case?

According to the public resolution materials, BST discovered on December 7, 2019, that part of its network had been infected with ransomware. The malware was reportedly present from December 4 through December 7, 2019, and was introduced by an unknown outside actor through a phishing email. BST filed a breach notification report with OCR on February 16, 2020. The incident affected the protected health information of approximately 170,000 individuals connected to Community Care Physicians, BST’s covered entity client.

That timeline is worth slowing down for. The technical entry point was phishing, one of the oldest tricks in the cybercriminal cookbook. But OCR’s enforcement focus was not limited to the phishing email itself. Regulators looked at the bigger compliance program around the incident. Did BST know what systems contained ePHI? Had it assessed threats and vulnerabilities? Had it translated that analysis into a risk management plan? Had it created policies, procedures, training, and monitoring practices that actually fit the environment?

OCR’s answer was that BST failed to assess the potential risks and vulnerabilities to ePHI held by the firm as a business associate. The settlement does not mean BST admitted liability, and HHS did not concede that BST avoided liability. That legal nuance is common in resolution agreements. Still, for healthcare organizations and vendors, the practical lesson is bright red, blinking, and possibly making siren noises: a ransomware attack can quickly become a HIPAA risk analysis case.

Why the HIPAA Security Rule Matters Here

The HIPAA Security Rule requires covered entities and business associates to protect ePHI through administrative, physical, and technical safeguards. These safeguards are designed to preserve confidentiality, integrity, and availability. Confidentiality means the information is not available to unauthorized people or processes. Integrity means the data has not been improperly altered or destroyed. Availability means authorized users can access the information when needed.

That last point is especially important in ransomware cases. Ransomware threatens confidentiality when attackers steal data, integrity when systems or files are altered, and availability when organizations cannot access records, billing platforms, scheduling systems, or other essential tools. For a medical provider, downtime can affect patient care. For a business associate, downtime and data exposure can ripple across clients like a very expensive game of digital dominoes.

The Security Rule is intentionally scalable. A small medical practice, a regional hospital, a billing company, and an accounting firm do not need identical controls. But scalable does not mean optional. It means each regulated entity must understand its own environment, risks, systems, workforce, vendors, and data flows. A copy-and-paste risk analysis that could describe any company on Earth is not the point. OCR expects an accurate and thorough assessment rooted in the organization’s actual operations.

Risk Analysis Was the Star of the Enforcement Show

The BST settlement marked OCR’s 15th ransomware enforcement action and the 10th enforcement action under OCR’s Risk Analysis Initiative. That context is important because OCR has been using recent settlements to emphasize a consistent theme: ransomware may be the fire, but inadequate risk analysis is often the dry wood.

A HIPAA risk analysis should identify where ePHI is created, received, maintained, or transmitted. It should examine reasonably anticipated threats, potential vulnerabilities, existing safeguards, likelihood, impact, and risk levels. It should also lead to practical risk management steps. A risk analysis that sits in a forgotten folder, aging like cheese but smelling less pleasant, is not enough. OCR wants organizations to use the analysis to drive action.

In the BST corrective action plan, OCR required an enterprise-wide analysis that incorporates electronic equipment, data systems, programs, applications, off-site storage facilities, and systems that contain, store, transmit, or receive ePHI. That is a crucial detail. Risk analysis is not just a questionnaire. It is an inventory-driven, evidence-backed process. You cannot protect what you cannot find, and you cannot fix what you refuse to document.

What BST Agreed to Do Under the Corrective Action Plan

BST agreed to implement a corrective action plan that OCR will monitor for two years. The required measures read like a practical checklist for any business associate handling health information. First, BST must conduct an accurate and thorough risk analysis. Second, it must develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities. Third, it must develop, maintain, and revise written HIPAA policies and procedures. Fourth, it must strengthen HIPAA and security training and provide annual training to workforce members whose roles involve PHI.

The plan goes deeper than broad promises. BST must submit the scope and methodology of its risk analysis to HHS, incorporate a complete inventory of electronic equipment and systems containing ePHI, review the risk analysis annually, and update it when environmental or operational changes affect ePHI security. In other words, “We did a risk assessment once during the Obama administration” is not a compliance strategy.

The corrective action plan also requires policies addressing information system activity review and access control. That means organizations need processes for reviewing audit logs, access reports, security incident tracking reports, and other activity records. They also need technical policies that restrict access to authorized people or software programs. Logging without review is like installing a security camera and never looking at the footage. It may make everyone feel sophisticated, but it will not impress investigators after a breach.

Why Business Associates Should Pay Close Attention

One of the most important parts of this case is that BST was not a hospital, physician group, or health plan. It was an accounting and consulting firm. That makes the settlement especially relevant to vendors and professional service providers that may not think of themselves as “healthcare companies.” If they receive, maintain, or transmit PHI on behalf of a covered entity, they may be business associates under HIPAA. The label comes with direct Security Rule obligations.

Business associates often sit in a dangerous middle zone. They may hold valuable health and financial data, but they may not have the same compliance culture as healthcare providers. Attackers know this. A vendor with weaker controls can become a side door into sensitive information. OCR knows it too. The BST case reinforces that business associates must build real security programs, not merely sign business associate agreements and hope the paperwork works like a magic shield.

For accounting firms, billing vendors, revenue cycle companies, cloud service providers, consultants, analytics platforms, and managed service providers, the message is direct: if ePHI enters your environment, HIPAA risk analysis should be part of your normal governance process. The data may arrive through tax records, claims files, spreadsheets, portals, email attachments, exports, or shared drives. The format does not erase the obligation.

Ransomware Turns Small Gaps Into Big Problems

Ransomware is particularly brutal because it punishes small gaps at scale. One phishing email can lead to credential theft. One missing access review can leave old accounts active. One unpatched server can become an entry point. One poorly segmented network can allow malware to move freely. One untested backup can transform a bad morning into a weeklong operational disaster. Cybersecurity people call this “attack chaining.” Everyone else calls it “a terrible Monday.”

Healthcare data is attractive because it is rich, persistent, and difficult to replace. A credit card can be canceled. A medical history cannot. PHI may include diagnoses, medications, insurance information, Social Security numbers, billing details, addresses, dates of birth, and other personal identifiers. When that information is exposed, patients may face identity theft, insurance fraud, embarrassment, financial harm, or loss of trust in the healthcare system.

Modern ransomware is also not only about encryption. Many attackers steal data before locking systems and then threaten public disclosure if the victim refuses to pay. That means backups alone are not enough. Backups help restore availability, but they do not undo exfiltration. HIPAA-regulated organizations need layered defenses, including phishing resistance, multifactor authentication, endpoint protection, network segmentation, encryption, logging, access controls, tested incident response plans, and data minimization.

The Practical Anatomy of a Strong HIPAA Risk Analysis

A useful HIPAA risk analysis starts with data discovery. Where does ePHI live? Which systems create it? Which vendors receive it? Which employees can access it? Does it sit in email, spreadsheets, cloud storage, databases, backups, laptops, mobile devices, paper scans, or forgotten archive folders named something mysterious like “old stuff final FINAL 2”?

Next comes threat and vulnerability identification. Threats can include phishing, ransomware, malicious insiders, stolen devices, weak passwords, vendor compromise, misconfigured cloud storage, unpatched systems, physical theft, and natural disasters. Vulnerabilities are the weaknesses that make those threats more likely or more damaging. Examples include no multifactor authentication, excessive user privileges, unsupported software, poor logging, shared accounts, weak vendor oversight, and incomplete backup testing.

Then the organization estimates likelihood and impact. A high-likelihood, high-impact risk should not be treated like a decorative footnote. It should trigger a risk management plan with owners, deadlines, budgets, and measurable remediation steps. The plan should also be reviewed over time because environments change. New software, mergers, remote work, cloud migrations, vendor changes, staffing shifts, and newly discovered threats can all change the risk picture.
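As an added illustration of the inventory-driven, scored risk analysis described in the three steps above (example code written for this article, not BST's or OCR's own tooling), the script below ranks risks by likelihood times impact, flags an ePHI location that a risk entry names but the inventory lacks, and checks whether the analysis is overdue for its annual review. All assets, scores and dates are constructed sample data.

```python
"""Inventory-driven HIPAA risk register (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Likelihood and impact on a 1..3 scale (low, medium, high).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    holds_ephi: bool
    owner: str


@dataclass(frozen=True)
class Risk:
    asset: str          # name of the asset this risk applies to
    threat: str
    vulnerability: str
    likelihood: str     # "low" | "medium" | "high"
    impact: str
    safeguard: str      # existing control, if any


def score(risk):
    """Risk level = likelihood x impact, so 1..9."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def rank_risks(risks):
    """Highest score first; ties broken by asset name for a stable report."""
    return sorted(risks, key=lambda r: (-score(r), r.asset))


def uninventoried_assets(inventory, risks):
    """Assets named in risk entries that the inventory never recorded."""
    known = {a.name for a in inventory}
    return sorted({r.asset for r in risks} - known)


def review_is_stale(last_review_iso, today_iso, max_age_days=365):
    """True when the analysis was not reviewed within the annual window."""
    last = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return today - last > timedelta(days=max_age_days)


# Constructed sample inventory and risk entries (not from any real firm).
INVENTORY = [
    Asset("tax-prep-workstations", True, "accounting"),
    Asset("claims-file-share", True, "billing ops"),
    Asset("marketing-site", False, "web team"),
]
RISKS = [
    Risk("tax-prep-workstations", "phishing", "no MFA on email", "high", "high", "spam filter"),
    Risk("claims-file-share", "ransomware", "backups never restore-tested", "medium", "high", "nightly backup"),
    Risk("cloud-exports-folder", "misconfigured sharing", "folder not in inventory", "medium", "medium", "none"),
    Risk("marketing-site", "defacement", "outdated CMS plugin", "medium", "low", "WAF"),
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{score(r)}  {r.asset:24} {r.threat:22} {r.vulnerability}")
    print("not in inventory:", uninventoried_assets(INVENTORY, RISKS))
    print("review stale:", review_is_stale("2024-01-15", "2025-08-18"))
```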

Specific Examples of Risk Gaps That Can Trigger Trouble

Consider a billing vendor that stores patient claim exports in a cloud folder but never includes that folder in its asset inventory. The vendor may have endpoint protection and annual training, but if no one knows the folder exists, no one reviews access permissions, retention rules, encryption settings, or sharing controls. That is a risk analysis gap waiting for a spotlight.

Or imagine a professional services firm that receives health-related financial records from a medical group. Staff members download files to local workstations for convenience. The firm has a general cybersecurity policy, but it has never mapped the flow of ePHI from intake to storage to deletion. After a ransomware incident, investigators ask where ePHI was located and who had access. If the answer involves shoulder shrugs and emergency spreadsheets, the organization has a documentation problem as well as a security problem.

Another common gap is training that sounds good but does not match job duties. A generic annual HIPAA slideshow may explain privacy basics, yet fail to teach accounting staff how to identify phishing attempts involving tax documents, secure client file transfers, report suspicious emails, or handle PHI in shared workspaces. OCR’s corrective action language in the BST matter emphasizes training for workforce members to whom HIPAA policies apply, including those with access to PHI. Specific training beats sleepy training every time.

How OCR’s Broader Enforcement Trend Affects Healthcare Organizations

The BST settlement fits into a larger enforcement pattern. OCR has repeatedly highlighted risk analysis failures in ransomware and cybersecurity investigations. Recent enforcement activity shows that regulators are not treating risk analysis as a dusty compliance ritual. They are treating it as the foundation for security decisions.

This trend also aligns with federal cybersecurity priorities across healthcare. HHS has proposed modifications to strengthen the HIPAA Security Rule, including more specific expectations around asset inventories, network maps, written documentation, contingency planning, incident response, audits, encryption, and technical controls. Even while proposed rules move through the regulatory process, the current Security Rule remains in effect. Organizations should not wait for a final rule to do obvious things like identify systems holding ePHI, review access, test backups, and document remediation.

For executives, the lesson is financial as well as legal. The cost of a ransomware incident includes response vendors, legal fees, notifications, downtime, lost revenue, patient or client trust, cyber insurance complications, and potential regulatory scrutiny. The settlement payment is only one line item. The real bill often arrives with several attachments and an unpleasant tone.

Best Practices After the BST Settlement

1. Build and Maintain a Real ePHI Inventory

Start by identifying all systems, devices, applications, databases, cloud platforms, file shares, email workflows, and vendors that create, receive, maintain, or transmit ePHI. Include off-site storage and backups. Inventory is not glamorous, but neither is explaining to OCR that your organization lost track of patient data because “the spreadsheet had too many tabs.”

2. Update the Risk Analysis Regularly

Annual review is a strong baseline, but organizations should also update the analysis when major changes occur. New systems, acquisitions, vendor transitions, remote work changes, security incidents, and emerging threats should trigger review. Risk analysis should be a living process, not a compliance fossil.

3. Turn Findings Into a Risk Management Plan

A risk analysis without remediation is just a beautifully formatted confession. Assign owners, priorities, deadlines, and resources. Track progress. Escalate overdue items. Document decisions, including why certain safeguards are reasonable and appropriate based on the organization’s size, complexity, capabilities, and risk profile.

4. Strengthen Access Controls

Limit ePHI access based on role. Remove unnecessary privileges. Disable inactive accounts. Use multifactor authentication, especially for remote access and administrative accounts. Review access regularly. Attackers love overprivileged accounts because they turn one stolen password into a skeleton key.

5. Review Logs Before They Become Evidence

Audit controls matter, but only if someone reviews the activity. Organizations should monitor access logs, security alerts, failed login attempts, privilege changes, file access patterns, and suspicious data movement. The goal is to catch problems early, not admire the logs after the incident response team arrives.
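To show what reviewing activity records can look like in practice, here is an added example (not from the article, BST, or OCR) that runs over a few constructed log lines and flags three of the patterns named above: repeated failed logins for one account, privilege changes, and bulk file movement from an ePHI share. The log format, thresholds and share path are assumptions made for the example.

```python
"""Audit-log review over constructed sample lines (added example)."""
import re
from collections import Counter, defaultdict

# Assumed line format: "<ts> <EVENT> user=<u> [key=value ...]"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Return a dict of fields, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "event", "user")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def review(lines, failed_threshold=5, bytes_threshold=50_000_000,
           ephi_prefix="/shares/claims"):
    """Return (finding, detail) tuples for the patterns worth a human look."""
    failed = Counter()           # failed logins per account
    moved = defaultdict(int)     # bytes copied from the ePHI share per account
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ev, user = rec["event"], rec["user"]
        if ev == "LOGIN_FAILED":
            failed[user] += 1
        elif ev == "PRIV_CHANGE":
            findings.append(("privilege change",
                             f"{user} -> {rec.get('target', '?')} at {rec['ts']}"))
        elif ev == "FILE_COPY" and rec.get("target", "").startswith(ephi_prefix):
            moved[user] += int(rec.get("bytes", 0))
    for user, n in failed.items():
        if n >= failed_threshold:
            findings.append(("repeated failed logins", f"{user}: {n} failures"))
    for user, total in moved.items():
        if total >= bytes_threshold:
            findings.append(("bulk ePHI copy", f"{user}: {total} bytes from {ephi_prefix}"))
    return findings


# Constructed sample log: five failures, then a success, a privilege change,
# and two large copies from the claims share by the same account.
SAMPLE_LOG = [
    f"2025-08-18T08:0{i}:00 LOGIN_FAILED user=jdoe src=203.0.113.9" for i in range(5)
] + [
    "2025-08-18T08:05:00 LOGIN_OK user=jdoe src=203.0.113.9",
    "2025-08-18T08:06:10 PRIV_CHANGE user=jdoe target=Domain-Admins",
    "2025-08-18T08:10:00 FILE_COPY user=jdoe target=/shares/claims/2019Q4.zip bytes=40000000",
    "2025-08-18T08:11:00 FILE_COPY user=jdoe target=/shares/claims/2020Q1.zip bytes=30000000",
    "2025-08-18T09:00:00 FILE_COPY user=asmith target=/shares/public/logo.png bytes=20000",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG):
        print(f"[{finding}] {detail}")
```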

6. Train People for the Attacks They Actually Face

Phishing remains a major ransomware entry point. Training should be practical and role-specific. Employees should know how to verify unusual requests, report suspicious messages, use secure file transfer tools, avoid unsafe downloads, and handle PHI appropriately. Short, frequent, relevant training usually works better than one giant annual presentation that feels like a hostage situation with quiz questions.

7. Test Incident Response and Backups

Incident response plans should be written, practiced, and updated. Backup restoration should be tested. Tabletop exercises should include legal, compliance, IT, operations, communications, and leadership. In a real ransomware event, the organization should not be meeting its incident response plan for the first time.

Experience-Based Lessons from the BST Ransomware Settlement

In real-world HIPAA compliance work, the hardest part is often not understanding the rule. Most leaders understand that health data should be protected. The harder part is proving, with current documentation, that the organization knows where ePHI is located, who can access it, which threats matter most, and what is being done about those threats. That is where many teams stumble. They have good intentions, hardworking IT staff, and maybe even solid tools, but their risk analysis does not match the real environment.

One experience that comes up again and again is the gap between “we have security” and “we have a documented, HIPAA-aligned security management process.” A company may have antivirus software, a firewall, cloud backups, and annual training. Those are useful. But OCR investigations often ask deeper questions. Where is the inventory? When was the risk analysis updated? How were risks ranked? Which risks were accepted, mitigated, transferred, or deferred? Who approved those decisions? What changed after the last incident? Without documentation, the organization may struggle to show that its decisions were reasonable.

Another practical lesson is that business associates sometimes underestimate their role. A vendor may think, “We only handle billing files,” or “We only process financial records.” But if those files include patient names, treatment details, insurance information, or other health identifiers, the data may be PHI. In the BST case, the firm received financial information that also contained PHI for tax advice and tax return preparation. That is a perfect example of how PHI can travel into professional services workflows that do not look clinical on the surface.

From an operational perspective, the best organizations treat HIPAA risk analysis like a business discipline rather than a yearly paperwork sprint. They involve compliance, IT, legal, operations, HR, finance, and vendor management. They ask uncomfortable questions before attackers do. Can former employees still access systems? Are backups isolated? Is ePHI being emailed when a secure portal should be used? Are vendors reviewed before onboarding and periodically afterward? Are critical systems patched on time? Are users trained to report suspicious emails quickly? These questions are not glamorous, but they are much cheaper than ransomware chaos.

There is also a cultural lesson. Employees should not feel punished for reporting suspicious activity. If a staff member clicks a phishing email and hides it out of embarrassment, the delay can make everything worse. A mature security culture encourages fast reporting. The message should be: “Tell us quickly so we can contain it.” Shame is not a cybersecurity control. It is just a way to make incidents quieter until they become louder.

For small and mid-sized organizations, the BST settlement should not create panic. It should create urgency. OCR does not expect every organization to have the budget of a national hospital system. The Security Rule is flexible and scalable. But OCR does expect regulated entities to take the requirement seriously, document their work, and implement reasonable safeguards. A smaller organization can still maintain an inventory, perform a risk analysis, train staff, review access, use multifactor authentication, encrypt sensitive data where appropriate, and test backups.

The most useful mindset is simple: assume you may someday need to explain your security decisions to regulators, clients, patients, insurers, and your own leadership. Build the record now. Document the risks you found. Document the actions you took. Document what remains open and why. When a ransomware event happens, the organization with a current, honest, actionable risk management program is in a much stronger position than the organization trying to create one after the fact with a tired legal team and too much coffee.

Conclusion: The BST Case Is a Warning, Not Just a Settlement

The OCR settlement with BST over ransomware and risk analysis gaps is more than a $175,000 headline. It is a reminder that HIPAA compliance follows the data, including when that data moves into accounting, consulting, billing, technology, and other business associate environments. The case shows that ransomware investigations often become examinations of preparation: risk analysis, risk management, policies, training, access controls, audit reviews, and documentation.

For healthcare providers and business associates, the smartest response is not fear. It is disciplined action. Find the ePHI. Map the systems. Assess the threats. Fix the highest risks. Train the workforce. Review activity. Test response plans. Update everything when the environment changes. Ransomware attackers look for confusion, delay, and weak controls. OCR looks for evidence that an organization understood its risks and took reasonable steps to manage them.

In the end, the BST settlement delivers a very practical message: cybersecurity compliance is not a binder, a slogan, or a once-a-year meeting with stale donuts. It is an ongoing process of knowing your data, managing your risks, and being able to prove it when the knock on the door comes from either an attacker or a regulator.

Note: This article is based on public OCR and HHS settlement materials, the BST resolution agreement and corrective action plan, HIPAA Security Rule guidance, ONC security risk assessment resources, NIST HIPAA cybersecurity guidance, CISA ransomware guidance, FBI cybercrime reporting, and reputable U.S. healthcare privacy and cybersecurity reporting.
