$2.8 Million Crypto Seizure from Ransomware Operator That Targeted Healthcare

Posted by Steve Alder

Hot on the heels of the Blacksuit ransomware disruption comes another announcement about major enforcement action against a ransomware group. The U.S. Department of Justice has announced the seizure of $2.8 million in cryptocurrency from the suspected operator of the now-defunct Zeppelin ransomware group.

Six warrants were recently unsealed by federal prosecutors in the U.S. District Courts for the Eastern District of Virginia, the Central District of California, and the Northern District of Texas, which authorized the seizure. The funds were held in a cryptocurrency wallet controlled by Ianis Aleksandrovich Antropenko, who has been indicted in Texas on charges of computer fraud and money laundering. A luxury vehicle and $70,000 in cash were also seized. The funds are suspected of being obtained from companies attacked with Zeppelin ransomware between 2019 and 2022.

While Zeppelin was not the most prolific ransomware operation, the group was responsible for attacks on many U.S. entities, especially those in healthcare and IT, typically targeting vulnerabilities in MSP software. Zeppelin was a ransomware-as-a-service (RaaS) operation that paid affiliates to conduct attacks for a cut of any ransom payments they generated. The group engaged in data theft, file encryption, and extortion, demanding payment for the decryption keys and to ensure data deletion.

The proceeds from the attacks were laundered in a number of ways, such as exchanging the funds for cash and depositing them in structured cash deposits. ChipMixer, a dark web cryptocurrency mixing service, was also used to hide the origin of the cryptocurrency. Through ChipMixer, funds were cashed out in untraceable chips that could be paid into clean cryptocurrency wallets. ChipMixer was taken down in an international law enforcement operation in 2023 that was coordinated by Europol. The operation resulted in the seizure of $46.5 million in cryptocurrency. According to the DOJ, some of the funds were

While the Blacksuit operation was conducted against an active ransomware group, the latest announcement shows that action can and will be taken against cybercriminals for their historic crimes. This case is being handled by Trial Attorney Benjamin Bleiberg of the Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Jongwoo “Daniel” Chung for the Northern District of Texas.

Since 2020, CCIPS has obtained court orders to seize more than $350 million in victim funds and has secured the convictions of more than 180 cybercriminals. Along with partners such as the FBI, CCIPS has disrupted the operations of many ransomware groups and has prevented payments of over $200 million by victims of ransomware groups.

The post $2.8 Million Crypto Seizure from Ransomware Operator That Targeted Healthcare appeared first on The HIPAA Journal.

New York Business Associate Pays $175,000 to Resolve HIPAA Risk Analysis Violation

Posted by Steve Alder

A New York business associate has chosen to settle an alleged violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and will pay a $175,000 financial penalty.

BST & Co. CPAs, LLP, is a public accounting, business advisory, and management consulting firm that has clients in the healthcare industry. The provision of services to HIPAA-covered entities requires access to financial information, which includes information protected under HIPAA. As such, BST & Co. CPAs is classed as a business associate and is required to comply with the HIPAA Rules.

OCR launched an investigation following a report of a breach of protected health information in a ransomware attack. The Maze ransomware group had access to the BST & Co. CPAs network between December 4, 2019, and December 7, 2019, and installed ransomware that was used to encrypt files. The attack was detected on December 7, 2019, and the forensic investigation revealed that initial access was achieved following a response to a phishing email.

The ransomware group had access to parts of the network where protected health information was stored. In total, the protected health information of up to 170,000 individuals was potentially compromised in the attack, including names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions relating to patients of the New York medical group, Community Care Physicians P.C. OCR was notified about the attack and data breach on February 16, 2020.

OCR investigates all data breaches impacting 500 or more individuals to determine if noncompliance with the HIPAA Rules was a factor in the data breach. OCR found no evidence to suggest that a HIPAA-compliant risk analysis had been conducted. The risk analysis is a foundational provision of the HIPAA Security Rule and requires regulated entities to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. If the risk analysis is not conducted or is incomplete, risks are likely to remain unaddressed and can be exploited to gain access to protected networks and sensitive data.

OCR currently has a risk analysis enforcement initiative focused on this important Security Rule provision, as while it is one of the most important HIPAA provisions, it is also one of the most common areas of noncompliance. Under this specific enforcement initiative, OCR has resolved ten cases with a financial penalty. So far this year, OCR has announced nineteen enforcement actions that included a financial penalty to resolve HIPAA noncompliance. Sixteen of those investigations uncovered risk analysis failures.

“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” said OCR Director Paula M. Stannard.  “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”

In addition to the financial penalty, BST & Co. CPAs has agreed to adopt a corrective action plan and will be monitored for compliance with that plan for 2 years. The plan includes the requirement to conduct a comprehensive and accurate risk analysis and develop and implement a risk management plan to address all identified risks and vulnerabilities. BST & Co. CPAs must also develop, implement, and maintain policies and procedures to ensure HIPAA compliance, distribute those policies and procedures to the workforce, provide HIPAA training to the workforce, and augment its security awareness training program.

With nineteen HIPAA enforcement actions announced by OCR so far this year, 2025 looks set to become the most active year for OCR in terms of HIPAA enforcement. These penalties send a message to all HIPAA-regulated entities about the importance of HIPAA compliance. Across those nineteen enforcement actions, OCR has collected more than $8 million in financial penalties.

OCR penalties for HIPAA violations 2009-2025

The post New York Business Associate Pays $175,000 to Resolve HIPAA Risk Analysis Violation appeared first on The HIPAA Journal.

Large Vision Care Provider Announced Breach of Patient Data

Posted by Steve Alder

Data breaches have been announced by CEI Vision Partners, MedicareCompareUSA, Academic Urology & Urogynecology of Arizona, and the Friesen Group.

CEI Vision Partners

CEI Vision Partners (CVP), a network of more than 300 ophthalmologists and 700 optometrists across the United States (now part of EyeCare Partners), has disclosed a 2024 data breach to several state attorneys general. According to the notifications, CVP identified unauthorized access to its computer network on May 26, 2024. The forensic investigation confirmed that a threat actor had access to its network between May 24, 2024, and May 27, 2024, and potentially obtained files containing patient information.

The extensive review and data validation process was completed on June 10, 2025. CVP determined that information potentially compromised in the cyberattack included names, birth dates, Social Security numbers, financial account information, health insurance information, and limited clinical information. Notification letters are being mailed to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. CVP has also confirmed that it is enhancing its technical security measures to prevent similar incidents in the future. There is currently no data breach listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

MedicareCompareUSA

MedicareCompareUSA, the nation’s largest provider-controlled Medicare insurance agency and a business associate of several HIPAA-covered health insurers, issued notification letters in May 2025 about a security incident involving unauthorized access to employee email accounts. Suspicious activity was identified within its email system in November 2024. A forensic investigation was initiated to determine the nature and scope of the unauthorized activity, and it was confirmed that certain email accounts were accessed by an unauthorized third party between November 5, 2024, and November 21, 2024.

The accounts were reviewed and found to contain names, birth dates, Social Security numbers, driver’s license/state identification numbers, financial account information, health insurance information, Medicare information, and individual taxpayer identification numbers. The breach also involved the data of Humana members, including names, dates of birth, health insurance policy numbers, Medicare numbers, and Social Security numbers.

Complimentary credit monitoring services have been offered to the affected individuals, additional email security measures have been implemented, and further email security training has been provided to the workforce. The Washington attorney general was informed that MedicareCompareUSA is issuing notification letters to 822 Humana members in Washington state who have been affected. The HHS’ Office for Civil Rights was informed that 5,782 individuals were affected in total.

Friesen Group

Friesen Group, a California-based provider of business support services to healthcare companies, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected at least 500 individuals. The 500 figure is a commonly used placeholder when the number of affected individuals has not been confirmed by the HIPAA breach reporting deadline.

According to its website notice, a data security incident was identified by The Friesen Group on or around May 19, 2025. Its incident response protocols were initiated, and an investigation was launched to determine the nature and scope of the unauthorized activity. While the investigation is ongoing, Friesen Group says the unauthorized access was only for “a limited period of time.” It is not yet possible to determine the number of individuals affected or the types of data involved.

No misuse of data has been identified so far, but as a precaution, the affected individuals have been advised to remain vigilant against potential misuse of their information and should check their credit reports, account statements, and Explanation of Benefits statements carefully and report any suspicious activity to the appropriate entity. Friesen Group performed a reset of user passwords and has implemented new endpoint detection and monitoring tools.

Academic Urology & Urogynecology of Arizona

Academic Urology & Urogynecology of Arizona has recently confirmed that sensitive patient data may have been stolen in a recent cybersecurity incident, identified on May 22, 2025. A forensic investigation was conducted to determine the nature and scope of the unauthorized activity, and the investigation and file review are ongoing. Academic Urology has published a substitute data breach notice on its website that warns patients that the following information may have been stolen in the incident:

Full name, address, Social Security number, driver’s license number/government-issued identification number, tribal identification card, date of birth, digital signatures, passport number, taxpayer identification number/IRS-issued identity protection personal identification number, health insurance information, any information in an individual’s application and claims history, including any appeals records, diagnosis/conditions information, lab results, medications, credit card information, and potentially other types of sensitive data.

At the time of publication of the website notice, no misuse of patient data had been identified. Since the investigation is ongoing, it is currently unclear how many individuals have been affected. While ransomware was not mentioned in the breach notice, this appears to have been an attack by the Inc Ransom ransomware group, which added Academic Urology to its dark web data leak site in June 2025.

The post Large Vision Care Provider Announced Breach of Patient Data appeared first on The HIPAA Journal.