Author Archives: Steve Alder

New Texas Law Gives Physicians 3 Days to Communicate Sensitive Test Results to Patients

Posted by Steve Alder

Texas Governor Greg Abbott has signed a bill into law that provides physicians in the state with a 3-day window to review sensitive medical test results and communicate the findings to patients before they are notified electronically, and the test result is added to their electronic medical record.

Senate Bill 922, titled Relating to the disclosure of certain medical information by electronic means, was introduced by Sen. Kelly Hancock (R-North Richland Hills) and Rep. Caroline Fairly (R-Amarillo) in response to calls from physicians in the state to give them time to review sensitive test results and communicate that information to patients.

The bill was in response to a provision of the 21st Century Cures Act that required the immediate release of health information to patients’ information portals. Since the spring of 2021, test results have been sent to patients’ information portals immediately. While rapid access to health information has its benefits, there have been many cases where patients have received a cancer diagnosis via their smartphone rather than have the results explained by a physician in an informative and compassionate manner.

“As an oncologist, I’ve had many conversations with patients about their cancer-related tests. It is always a confusing and scary time for them, as the results can be life-changing. Oncologists are trained to convey this information in a timely, informative, and supportive manner so that patients understand not only what the test means but what options they have. This is an opportunity to offer hope and reassurance to the patient,” explained David Gerber, MD, on behalf of the Texas Medical Association in testimony provided to the House Public Health Committee.

Dr. Gerber testified about many horror stories, such as patients being alerted about a cancer diagnosis via a smartphone notification during a business dinner, while reading a bedtime story to a young child, and during the commute to work. Dr. Gerber estimated that as many as three in four patients received pathology test results before the physician who ordered the test had viewed them. “Although this bill places a brief pause on the electronic transfer of some test results to a patient, it allows for a physician to call a patient with the results at any time,” Dr. Gerber said. “Giving the right information, rather than just the fastest information.”

The new law will take effect on September 1, 2025, and applies to pathology and radiology reports that have a reasonable likelihood of showing a finding of a malignancy, and any test result that may reveal a genetic marker. The new law will ensure that patients continue to receive timely medical information; however, there will be a 3-day delay from the finalization of the test results before they can be disclosed to a patient or the patient’s representative by electronic means.

The post New Texas Law Gives Physicians 3 Days to Communicate Sensitive Test Results to Patients appeared first on The HIPAA Journal.

Mount Sinai Health System Settles Web Tracking Lawsuit for $5.3 Million

Posted by Steve Alder

Mount Sinai Health System, the largest hospital network in New York City, has agreed to a $5.3 million settlement to resolve allegations it violated federal and state laws by sharing the personal health information of website and patient portal users with Facebook without their knowledge or consent.

Legal action was taken against Mount Sinai Health over its use of the Facebook Pixel and Conversions Application Programming Interface (CAPI) on its website and MyChart patient portal between October 2020 and October 2023. The tool can collect information about website users and transmit that information to Facebook. Mount Sinai Health has denied any wrongdoing and specifically denies that any medical information from either its website or patient portal was shared with Facebook.

The lawsuit – Cooper, et al., v. Mount Sinai Health System, Inc. – was filed in the United States District Court for the Southern District of New York by plaintiffs Ronda Cooper, Coral Fraser, David Gitlin, and Gilbert Manda, who alleged that their personally identifiable health information was being collected and shared with Facebook without their knowledge or consent due to the implementation of CAPI, in violation of the federal Electronic Communications Privacy Act and New York Deceptive Trade Practices. The lawsuit also asserted claims of negligence, invasion of privacy, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, constructive bailment, and breach of implied covenant of good faith and fair dealing.

The lawsuit survived a motion to dismiss and proceeded to discovery. During discovery, the parties engaged in mediation, and a settlement was agreed in principle to bring the litigation to an end to avoid the cost and risk of a trial and related appeals, while giving appropriate benefits to class members. The terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court.

The settlement class consists of 1,314,147 individuals, and claims will be accepted from individuals who logged into their MyChart account via the mountsinai.org website between October 27, 2020, and October 27, 20-23. Under the terms of the settlement, Mount Sinai Health has agreed to establish a $5,256,588 settlement fund to cover legal costs and expenses and claims from class members. The plaintiffs’ attorneys will receive up to 35% of the settlement fund and reimbursement of court-approved attorneys’ expenses. Settlement administration costs of up to $200,000 will also be deducted, along with service awards of $2,500 per named plaintiff. The remainder of the settlement fund will be distributed to class members on a pro rata basis.

The deadline for objecting to the settlement, opting out, and filing a claim for benefits is October 14, 2025. The final approval hearing has been scheduled for October 24, 2025.

The post Mount Sinai Health System Settles Web Tracking Lawsuit for $5.3 Million appeared first on The HIPAA Journal.

Mower County, MN Confirms HIPAA-Data Compromised in June Ransomware Attack

Posted by Steve Alder

Data breaches have recently been announced by Mower County in Minnesota, Seasons Living in Oregon, Dr. Doug’s Pediatric Dentistry in Utah, and Provail in Washington State.

Mower County, Minnesota

Officials in Mower County, Minnesota, have confirmed that HIPAA-protected data was acquired by hackers in a June 2025 ransomware attack. The ransomware attack was identified on June 18, 2025, and an investigation is underway to determine the types of data involved and the individuals affected. The stolen data related to individuals who have previously received services from the County Health and Human Services Department.

Individual notification letters will be mailed to the affected individuals when the investigation is concluded, and County officials have confirmed that complimentary credit monitoring and identity theft protection services will be provided. In the meantime, anyone who has previously received services from the Health and Human Services Department has been advised to be vigilant against identity theft and fraud by reviewing their account statements, explanation of benefits statements, and free credit reports.

Seasons Living

Seasons Living, an assisted living facility in Lake Oswego, Oregon, has disclosed a security incident involving the theft of sensitive data. The security breach was identified on March 4, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network and acquired files containing information related to its vendors, applicants, tenants, owners, and current and former employees.

In a press release about the incident, Seasons Living CEO Eric Jacobsen said the incident has been fully contained, unauthorized access to its network has been blocked, and additional security measures have been implemented to prevent similar incidents in the future. He also confirmed that complimentary credit monitoring services are being provided to all affected individuals.

The press release does not mention the types of data involved; however, a hacker has taken credit for the attack and claims to have stolen information such as names, addresses, birthdates, Social Security and driver’s license numbers, health insurance information, medical records, and financial information. The data breach is not currently listed on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Dr. Doug’s Pediatric Dentistry

Dr. Doug’s Pediatric Dentistry in Logan, Utah, has recently announced a data security incident that was detected in September 2024. Unusual activity was identified in an employee’s email account. The password was reset, and an investigation was launched, which confirmed that the breach was confined to a single email account and no other systems were affected.

The account was reviewed to determine whether any patient information was present, and contact information was verified to allow notification letters to be mailed. Those processes were concluded in June 2025. The information potentially compromised in the incident includes names, dates of birth, diagnosis or dental treatment information, and Medicaid numbers/health insurance information. A very limited number of patients also had their Social Security numbers and/or driver’s license numbers exposed. The incident has been reported to regulators, although it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

Provail

Provail, a nonprofit provider of disability services in Washington State, has recently disclosed a cybersecurity incident that was detected on or around June 8, 2025. Suspicious network activity was identified, and the forensic investigation confirmed that an unauthorized actor had access to its network between June 7, 2025, and June 9, 2025, and viewed or acquired files containing sensitive client data.

The investigation and file review are ongoing; however, it has been confirmed that the data compromised in the incident included names in combination with one or more of the following: diagnosis/condition information, lab results, medications, other treatment information, addresses, dates of birth, driver’s license numbers, Social Security numbers, other identifying information, claims information, credit card numbers, bank account numbers, and other financial information.

Individual notification letters will be mailed to the affected individuals when the investigation and file review are concluded. The OCR breach portal includes a placeholder figure of at least 501 affected individuals.

The post Mower County, MN Confirms HIPAA-Data Compromised in June Ransomware Attack appeared first on The HIPAA Journal.

Business Associate Data Breach Affects 87 Skilled Nursing Facilities

Posted by Steve Alder

Fundamental Administrative Services, LLC, a healthcare management services company in Sparks, Maryland, that manages more than 85 skilled nursing facilities and rehabilitation centers in Indiana, Maryland, Nevada, New Mexico, South Carolina, Texas, and Wisconsin, has confirmed that the protected health information of 56,235 individuals has potentially been compromised in a cyberattack.

Suspicious network activity was identified on or around January 13, 2025, and immediate action was taken to secure its systems and contain the incident. A forensic investigation was launched to determine the nature and scope of the activity, which confirmed unauthorized access to its network for around two and a half months from October 27, 2024, to January 13, 2025. During that time, files were exfiltrated from the network that contained HIPAA-protected data.

The file review confirmed that the information compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, financial account information, medical treatment information, health insurance information, and Medicare/Medicaid plan names. Fundamental Administrative Services said it is reviewing its policies, procedures, and processes related to the storage and access to information.

The data breach was initially reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals, but has been updated now that the file review has concluded. The skilled nursing facilities and rehabilitation centers affected by the incident are listed in the table below:

Affected Facilities
Alamo Heights Health and Rehabilitation Center Harmon Hospital Restore Health Rehabilitation Center
Allegany Health Nursing and Rehabilitation Hearthstone of Northern Nevada Retama Manor Nursing Center/Victoria South
BellTower Health & Rehabilitation Center Hillside Heights Rehabilitation Suites Riverside Health and Rehab
Bennettsville Health & Rehabilitation Center Horizon Health & Rehab Center San Gabriel Rehabilitation and Care Center
Berlin Nursing and Rehabilitation Center Horizon Specialty Hospital of Henderson Sandy Lake Rehabilitation and Care Center
Bremond Nursing and Rehabilitation Center Horizon Specialty Hospital of Las Vegas Sedona Trace Health and Wellness
Bridgecrest Rehabilitation Suites Julia Manor Nursing and Rehabilitation Center Sierra Ridge Health and Wellness Suites
Brownfield Rehabilitation and Care Center Kirkland Court Health and Rehabilitation Center Solidago Health and Rehabilitation
Calhoun Convalescent Center Lake Emory Post Acute Care Southpointe Healthcare and Rehabilitation
Canton Oaks Lancaster Health and Rehabilitation Spanish Hills Wellness Suites
Casa Arena Blanca Nursing Center Las Brisas Rehabilitation and Wellness Suites Spanish Trails Rehabilitation Suites
Casa Maria Health Care Center and Pecos Valley Rehabilitation Suites Las Ventanas de Socorro St. George Healthcare Center
Cedar Pointe Health and Wellness Suites Los Arcos del Norte Care Center Sterling Oaks Rehabilitation
Central Desert Behavioral Health Hospital Magnolia Manor of Greenville Sunset Villa Care Center
College Park Rehabilitation Center Magnolia Manor of Greenwood Terra Bella Health and Wellness Suites
Corinth Rehabilitation Suites on the Parkway Magnolia Manor of Inman The Brazos of Waco
Courtyards at Pasadena Magnolia Manor of Rock Hill The Casitas at Las Brisas ALF
Creekside Terrace Rehabilitation Magnolia Manor of Spartanburg The Hillcrest of North Dallas
Crimson Heights Health & Wellness ALF Meadowbrook Care Center The Pavilion at Creekwood
Crimson Heights Health and Wellness Midlands Behavioral Health Hospital The Pavilion at Glacier Valley
Crosbyton Nursing and Rehabilitation Center Midlands Health & Rehabilitation Center The Terrace at Denison
Devlin Manor Nursing and Rehabilitation Center Mira Vista Court The Village at Richardson
Edgewood Rehabilitation and Care Center Monarch Pavilion Rehabilitation Suites Valley Falls Terrace
Fairfield Nursing and Rehabilitation Center Moran Nursing and Rehabilitation Center Villa Haven Health and Rehabilitation Center
Falcon Ridge Rehabilitation North Las Vegas Care Center Villa Rosa Nursing and Rehabilitation
Forest Haven Nursing and Rehabilitation Center Northampton Manor Nursing and Rehabilitation Center Willow Springs Health & Rehabilitation Center
Founders Plaza Nursing & Rehab Oakbrook Health and Rehabilitation Center Woodlands Place Rehabilitation Suites
Fruitvale Healthcare Center Oakland Nursing and Rehabilitation Center  
Green Valley Health and Wellness Suites Physical Rehabilitation and Wellness Center of Spartanburg  
Hallmark Healthcare Center Rehab Center of Cheraw  

The post Business Associate Data Breach Affects 87 Skilled Nursing Facilities appeared first on The HIPAA Journal.

Cyberattack on Medical Equipment Provider Affects 90,000 Patients

Posted by Steve Alder

Data breaches have been announced by medical equipment provider CPAP Medical Supplies and Services, a Miracle Ear franchisee, and a 20-bed critical access hospital in Washington State.

CPAP Medical Supplies and Services Inc.

CPAP Medical Supplies and Services Inc. (CPAP Medical) has announced a major data breach, potentially involving unauthorized access to the personal and protected health information of up to 90,133 patients. CPAP Medical is a Jacksonville, FL-based medical equipment provider that specializes in sleep therapy products for military families and active duty/retired service members. According to the breach notice provided to the Maine Attorney General, hackers had access to its network between December 13, 2024, and December 21, 2024, and files containing sensitive data may have been viewed or exfiltrated from its network.

After securing its systems, a forensic investigation was conducted, followed by a document review to determine the types of data involved and the individuals affected. The document review was complex and took until June 27, 2025, to complete, when it was confirmed that the compromised data included full names, dates of birth, Social Security numbers, financial and banking information, medical information, and health insurance information. CPAP Medical is unaware of any misuse of patient data as a result of the incident; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Health Services LLC (Miracle Ear)

Health Services LLC has started notifying individuals affected by a security incident that was identified on or around January 28, 2025. Suspicious network activity was detected, and the forensic investigation confirmed that an unauthorized actor had breached its security defenses and had access to its network from January 2, 2025, and January 28, 2025.

Health Services LLC operates a franchise of Miracle Ear, and the data relates to individuals who interacted with the company concerning hearing aid products. On or around May 14, 2025, the data review was completed, and confirmed that the exposed data included full names, phone numbers, email addresses, postal addresses, dates of birth, patient ID numbers, Social Security numbers, health insurance information, and diagnosis and treatment information.

The data breach was initially reported to the HHS’ Office for Civil Rights in April as an incident affecting 2,400 individuals; however, the breach portal has since been updated to 75,906 affected individuals.

East Adams Rural Healthcare

East Adams Rural Healthcare, the operator of a 20-bed critical access hospital in Ritzville, Washington, has recently notified the Washington State Attorney General about a data breach that has affected 8,896 state residents. Suspicious network activity was identified on September 12, 2024, and an investigation was launched to determine the cause of the activity.

Forensic evidence was found to indicate its network had been accessed by an unauthorized third party between September 7, 2024, and September 14, 2024, and patient data may have been viewed or acquired. East Adams Rural Healthcare published a substitute notice on its website about the incident on October 4, 2025; however, at the time, the investigation and data review were ongoing, so it was not possible to confirm how many individuals were affected or the specific information involved.

The file review has now been completed, and it has been confirmed that the compromised information included names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information. No evidence has been found to indicate that any patient data has been misused; however, as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The post Cyberattack on Medical Equipment Provider Affects 90,000 Patients appeared first on The HIPAA Journal.

Patient Data Lost in Ransomware Attack on EHR Vendor

Posted by Steve Alder

The electronic medical record vendor MDLand International Corporation has fallen victim to a ransomware attack that resulted in the encryption of some of its computer systems. The ransomware attack was detected on May 2, 2025, when certain systems became inaccessible. Immediate action was taken to isolate its network, and a forensic investigation was launched with the assistance of third-party cybersecurity specialists.

The forensic investigation confirmed that an unknown actor encrypted a limited number of MDLand’s systems on May 1, 2025, and may have gained access to patient information stored in one specific database on its network. There was no unauthorized access to the networks or systems of its clients, and no evidence was found to indicate any information in the impacted database was viewed or exfiltrated in the attack, although unauthorized data access and data theft could not be ruled out.

Certain data was encrypted and rendered inaccessible; however, it was possible to restore some of the impacted data, but despite MDLand’s best efforts, some records could not be recovered or recreated. Those records related to the period from April 1, 2025, to May 1, 2025. Data input into patients’ medical records during that time has been lost, including patient names, treatment plan information, and providers’ notes about patients.

The impacted database includes the following data elements: name, date of birth, gender, marital status, address, phone number, and prescription information. Financial account information, Social Security numbers, and health benefits information were not involved.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 22,586 individuals. Additional security measures have been implemented, and security policies and procedures are being reviewed to identify any areas for improvement. At the time of issuing notifications, no evidence of misuse of patient data had been identified; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The post Patient Data Lost in Ransomware Attack on EHR Vendor appeared first on The HIPAA Journal.

Insider Breaches Identified by Three Healthcare Providers

Posted by Steve Alder

Three insider incidents have recently been identified by healthcare providers in Florida, Massachusetts, and Indiana, including one privacy breach that has been ongoing for more than two and a half years.

University of Miami Health System

University of Miami Health System (UMHS) is notifying almost 3,000 patients about an insider data breach that has been ongoing for more than two and a half years. In June 2025, UMHS discovered that an employee had been accessing the medical records of patients when there was no legitimate business or clinical reason for doing so.

The review of access logs showed the unauthorized access started in September 2022 and continued until May 2025. Under HIPAA, medical records may only be accessed by employees for reasons related to treatment, payment for healthcare, and healthcare operations. If unauthorized medical record access is identified, individuals face sanctions, which in this case was termination of employment. UMHS is also collaborating with law enforcement over the incident.

The former employee did not have the necessary access rights to view financial information or Social Security numbers, but was able to view patient information such as names, dates of birth, medical record numbers, provider names, diagnosis/condition information, insurance information, and vaccination status. In total, the medical records of 2,928 patients were accessed over the space of more than two and a half years.

The affected individuals are being notified by Kroll and are being offered complimentary credit monitoring and identity theft protection services. UMHS is also enhancing its security measures and practices to better safeguard patient data.

Berkshire Health Systems

Berkshire Health Systems (BHS) in Massachusetts has discovered that an employee has been accessing patients’ medical records without authorization. An investigation was launched after BHS received a report about an employee potentially accessing patients’ medical records without a legitimate work reason for doing so. The privacy team immediately launched an investigation, which involved a review of access logs.

The access logs confirmed there had been unauthorized access to patient records, but no evidence was found to indicate any of the information in those records was downloaded, printed, or copied. BHS believes the employee was acting independently, with no other individuals involved. The employee was interviewed and denied disclosing any patient information to other individuals and was terminated for the HIPAA violation.

BHS said it has optimized its privacy monitoring software to help prevent further incidents of this nature in the future, and wrote to the affected patients on August 12, 2025, informing them about the privacy breach. The former employee only had limited access to patient data and could not view highly sensitive information such as financial information, health insurance information, or Social Security numbers. Information potentially viewed includes patient names, dates of birth, medical record numbers, diagnoses, and visit notes. BHS has not publicly disclosed how many individuals were affected, and the incident is not currently shown on the HHS’ Office for Civil Rights breach portal.

Life in Motion Family Wellness Center

Life in Motion Family Wellness Center in Evansville, Indiana, has discovered that patient data has been provided to a local physician and used to try to solicit business. The data breach occurred on July 22, 2025, and involved an individual who had previously rented office space in the center. That individual obtained a list of patient names, addresses, telephone numbers, and dates of birth, which she provided to the physician for marketing purposes.

The HHS’ Office for Civil Rights has been notified, law enforcement has been informed, and individual notification letters have been sent to the affected patients. Steps have also been taken to prevent similar incidents in the future, including reviewing system access and adding new layers of protection.

The post Insider Breaches Identified by Three Healthcare Providers appeared first on The HIPAA Journal.

$2.8 Million Crypto Seizure from Ransomware Operator That Targeted Healthcare

Posted by Steve Alder

Hot on the heels of the Blacksuit ransomware disruption comes another announcement about major enforcement action against a ransomware group. The U.S. Department of Justice has announced the seizure of $2.8 million in cryptocurrency from the suspected operator of the now-defunct Zeppelin ransomware group.

Six warrants were recently unsealed by federal prosecutors in the U.S. District Courts for the Eastern District of Virginia, the Central District of California, and the Northern District of Texas, which authorized the seizure. The funds were held in a cryptocurrency wallet controlled by Ianis Aleksandrovich Antropenko, who has been indicted in Texas on charges of computer fraud and money laundering. A luxury vehicle and $70,000 in cash were also seized. The funds are suspected of being obtained from companies attacked with Zeppelin ransomware between 2019 and 2022.

While Zeppelin was not the most prolific ransomware operation, the group was responsible for attacks on many U.S. entities, especially those in healthcare and IT, typically targeting vulnerabilities in MSP software. Zeppelin was a ransomware-as-a-service (RaaS) operation that paid affiliates to conduct attacks for a cut of any ransom payments they generated. The group engaged in data theft, file encryption, and extortion, demanding payment for the decryption keys and to ensure data deletion.

The proceeds from the attacks were laundered in a number of ways, such as exchanging the funds for cash and depositing them in structured cash deposits. ChipMixer, a dark web cryptocurrency mixing service, was also used to hide the origin of the cryptocurrency. Through ChipMixer, funds were cashed out in untraceable chips that could be paid into clean cryptocurrency wallets. ChipMixer was taken down in an international law enforcement operation in 2023 that was coordinated by Europol. The operation resulted in the seizure of $46.5 million in cryptocurrency. According to the DOJ, some of the funds were

While the Blacksuit operation was conducted against an active ransomware group, the latest announcement shows that action can and will be taken against cybercriminals for their historic crimes. This case is being handled by Trial Attorney Benjamin Bleiberg of the Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Jongwoo “Daniel” Chung for the Northern District of Texas.

Since 2020, CCIPS has obtained court orders to seize more than $350 million in victim funds and has secured the convictions of more than 180 cybercriminals. Along with partners such as the FBI, CCIPS has disrupted the operations of many ransomware groups and has prevented payments of over $200 million by victims of ransomware groups.

The post $2.8 Million Crypto Seizure from Ransomware Operator That Targeted Healthcare appeared first on The HIPAA Journal.

New York Business Associate Pays $175,000 to Resolve HIPAA Risk Analysis Violation

Posted by Steve Alder

A New York business associate has chosen to settle an alleged violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and will pay a $175,000 financial penalty.

BST & Co. CPAs, LLP, is a public accounting, business advisory, and management consulting firm that has clients in the healthcare industry. The provision of services to HIPAA-covered entities requires access to financial information, which includes information protected under HIPAA. As such, BST & Co. CPAs is classed as a business associate and is required to comply with the HIPAA Rules.

OCR launched an investigation following a report of a breach of protected health information in a ransomware attack. The Maze ransomware group had access to the BST & Co. CPAs network between December 4, 2019, and December 7, 2019, and installed ransomware that was used to encrypt files. The attack was detected on December 7, 2019, and the forensic investigation revealed that initial access was achieved following a response to a phishing email.

The ransomware group had access to parts of the network where protected health information was stored. In total, the protected health information of up to 170,000 individuals was potentially compromised in the attack, including names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions relating to patients of the New York medical group, Community Care Physicians P.C. OCR was notified about the attack and data breach on February 16, 2020.

OCR investigates all data breaches impacting 500 or more individuals to determine if noncompliance with the HIPAA Rules was a factor in the data breach. OCR found no evidence to suggest that a HIPAA-compliant risk analysis had been conducted. The risk analysis is a foundational provision of the HIPAA Security Rule and requires regulated entities to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. If the risk analysis is not conducted or is incomplete, risks are likely to remain unaddressed and can be exploited to gain access to protected networks and sensitive data.

OCR currently has a risk analysis enforcement initiative focused on this important Security Rule provision, as while it is one of the most important HIPAA provisions, it is also one of the most common areas of noncompliance. Under this specific enforcement initiative, OCR has resolved ten cases with a financial penalty. So far this year, OCR has announced nineteen enforcement actions that included a financial penalty to resolve HIPAA noncompliance. Sixteen of those investigations uncovered risk analysis failures.

“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” said OCR Director Paula M. Stannard.  “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”

In addition to the financial penalty, BST & Co. CPAs has agreed to adopt a corrective action plan and will be monitored for compliance with that plan for 2 years. The plan includes the requirement to conduct a comprehensive and accurate risk analysis and develop and implement a risk management plan to address all identified risks and vulnerabilities. BST & Co. CPAs must also develop, implement, and maintain policies and procedures to ensure HIPAA compliance, distribute those policies and procedures to the workforce, provide HIPAA training to the workforce, and augment its security awareness training program.

With nineteen HIPAA enforcement actions announced by OCR so far this year, 2025 looks set to become the most active year for OCR in terms of HIPAA enforcement. These penalties send a message to all HIPAA-regulated entities about the importance of HIPAA compliance. Across those nineteen enforcement actions, OCR has collected more than $8 million in financial penalties.

OCR penalties for HIPAA violations 2009-2025

The post New York Business Associate Pays $175,000 to Resolve HIPAA Risk Analysis Violation appeared first on The HIPAA Journal.