On August 18, 2025, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (BST). The announcement continues OCR’s escalating enforcement of the HIPAA Security Rule, particularly around ransomware and risk analysis inadequacies.
For the OCR, this is the agency’s 15th ransomware enforcement action and 10th enforcement action in OCR’s Risk Analysis Initiative. For BST, the settlement means the payment of a Resolution Amount of $175,000 and a two-year Corrective Action Plan.
What Happened?
The underlying facts outlined in the settlement are all too familiar. BST discovered a ransomware attack in December 2019 triggered by a phishing email. The business associate reported the attack to OCR in February 2020. The attack affected client PHI pertaining to 170,000 individuals.
BST is a New York–based accounting and business advisory firm that provides services—including tax preparation and forensic accounting—to covered entities. One of BST’s HIPAA covered healthcare provider clients provided BST with financial data that included protected health information (PHI).
The administrative services BST provided using that PHI caused BST to be a business associate under HIPAA. As a business associate, BST was directly subject to the HIPAA Security Rule—and certain provisions of the Privacy and Breach Notification Rules.
Business Associates: When thinking about HIPAA, it’s common to focus on healthcare providers. The reality is, however, that for each healthcare provider there are many business associates supporting that provider’s business and, in doing so, processing PHI. These businesses include accounting firms, medical billing firms, transcription services, law firms, practice management consultants, cloud storage providers, and the list goes on.
OCR’s Risk Analysis Enforcement Initiative
“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” said OCR Director Paula M. Stannard. “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”
Upon investigation, OCR determined that BST had failed to perform an accurate and thorough risk analysis under the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)). That lapse, according to OCR, left BST ill-prepared to identify or mitigate vulnerabilities—something OCR has emphasized repeatedly in similar enforcement actions.
Terms of the Settlement
To resolve the investigation, BST entered into a resolution agreement with OCR that included:
- Payment of $175,000.
- A Corrective Action Plan (CAP), monitored by OCR for two years, which requires BST to:
  - Conduct a comprehensive risk analysis.
  - Develop and implement a risk management plan addressing the vulnerabilities identified.
  - Draft, maintain, and periodically revise written policies and procedures to comply with the HIPAA Privacy and Security Rules.
  - Enhance its HIPAA/security training and deliver annual training to all relevant workforce members.
What This Means for Business Associates
This enforcement action is another reminder that business associates are bound by nearly all the same obligations as covered entities when it comes to protecting ePHI.
Today, data breaches are a near certainty for most organizations. The question is whether an organization is prepared to weather the incident and be strongly positioned to defend an enforcement action by federal or state agencies. For a HIPAA business associate, that agency is OCR, with its focus on whether a risk analysis was performed. To that end, while not an exhaustive list, business associates should be:
- Conducting an accurate and thorough risk analysis to assess risks to the confidentiality, integrity, and availability of ePHI.
- Implementing corresponding risk management plans to mitigate identified risks.
- Maintaining and regularly updating written policies and procedures that align with the HIPAA Privacy, Security, and, when applicable, Breach Notification Rules.
- Providing security awareness training tailored to their workforce.
- If a breach occurs, especially one affecting unsecured PHI, promptly notifying the covered entity (within 60 days) and supplying all details necessary for breach notifications.
HIPAA isn’t just about covered entities—it’s a shared responsibility.