$2.8 Million Crypto Seizure from Ransomware Operator That Targeted Healthcare

Posted by Steve Alder

Hot on the heels of the Blacksuit ransomware disruption comes another announcement about major enforcement action against a ransomware group. The U.S. Department of Justice has announced the seizure of $2.8 million in cryptocurrency from the suspected operator of the now-defunct Zeppelin ransomware group.

Six warrants were recently unsealed by federal prosecutors in the U.S. District Courts for the Eastern District of Virginia, the Central District of California, and the Northern District of Texas, which authorized the seizure. The funds were held in a cryptocurrency wallet controlled by Ianis Aleksandrovich Antropenko, who has been indicted in Texas on charges of computer fraud and money laundering. A luxury vehicle and $70,000 in cash were also seized. The funds are suspected of being obtained from companies attacked with Zeppelin ransomware between 2019 and 2022.

While Zeppelin was not the most prolific ransomware operation, the group was responsible for attacks on many U.S. entities, especially those in healthcare and IT, typically targeting vulnerabilities in MSP software. Zeppelin was a ransomware-as-a-service (RaaS) operation that paid affiliates to conduct attacks for a cut of any ransom payments they generated. The group engaged in data theft, file encryption, and extortion, demanding payment for the decryption keys and to ensure data deletion.

The proceeds from the attacks were laundered in a number of ways, such as exchanging the funds for cash and depositing them in structured cash deposits. ChipMixer, a dark web cryptocurrency mixing service, was also used to hide the origin of the cryptocurrency. Through ChipMixer, funds were cashed out in untraceable chips that could be paid into clean cryptocurrency wallets. ChipMixer was taken down in an international law enforcement operation in 2023 that was coordinated by Europol. The operation resulted in the seizure of $46.5 million in cryptocurrency. According to the DOJ, some of the funds were

While the Blacksuit operation was conducted against an active ransomware group, the latest announcement shows that action can and will be taken against cybercriminals for their historic crimes. This case is being handled by Trial Attorney Benjamin Bleiberg of the Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Jongwoo “Daniel” Chung for the Northern District of Texas.

Since 2020, CCIPS has obtained court orders to seize more than $350 million in victim funds and has secured the convictions of more than 180 cybercriminals. Along with partners such as the FBI, CCIPS has disrupted the operations of many ransomware groups and has prevented payments of over $200 million by victims of ransomware groups.

The post $2.8 Million Crypto Seizure from Ransomware Operator That Targeted Healthcare appeared first on The HIPAA Journal.

New York Business Associate Pays $175,000 to Resolve HIPAA Risk Analysis Violation

Posted by Steve Alder

A New York business associate has chosen to settle an alleged violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and will pay a $175,000 financial penalty.

BST & Co. CPAs, LLP, is a public accounting, business advisory, and management consulting firm that has clients in the healthcare industry. The provision of services to HIPAA-covered entities requires access to financial information, which includes information protected under HIPAA. As such, BST & Co. CPAs is classed as a business associate and is required to comply with the HIPAA Rules.

OCR launched an investigation following a report of a breach of protected health information in a ransomware attack. The Maze ransomware group had access to the BST & Co. CPAs network between December 4, 2019, and December 7, 2019, and installed ransomware that was used to encrypt files. The attack was detected on December 7, 2019, and the forensic investigation revealed that initial access was achieved following a response to a phishing email.

The ransomware group had access to parts of the network where protected health information was stored. In total, the protected health information of up to 170,000 individuals was potentially compromised in the attack, including names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions relating to patients of the New York medical group, Community Care Physicians P.C. OCR was notified about the attack and data breach on February 16, 2020.

OCR investigates all data breaches impacting 500 or more individuals to determine if noncompliance with the HIPAA Rules was a factor in the data breach. OCR found no evidence to suggest that a HIPAA-compliant risk analysis had been conducted. The risk analysis is a foundational provision of the HIPAA Security Rule and requires regulated entities to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. If the risk analysis is not conducted or is incomplete, risks are likely to remain unaddressed and can be exploited to gain access to protected networks and sensitive data.

OCR currently has a risk analysis enforcement initiative focused on this important Security Rule provision, as while it is one of the most important HIPAA provisions, it is also one of the most common areas of noncompliance. Under this specific enforcement initiative, OCR has resolved ten cases with a financial penalty. So far this year, OCR has announced nineteen enforcement actions that included a financial penalty to resolve HIPAA noncompliance. Sixteen of those investigations uncovered risk analysis failures.

“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” said OCR Director Paula M. Stannard.  “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”

In addition to the financial penalty, BST & Co. CPAs has agreed to adopt a corrective action plan and will be monitored for compliance with that plan for 2 years. The plan includes the requirement to conduct a comprehensive and accurate risk analysis and develop and implement a risk management plan to address all identified risks and vulnerabilities. BST & Co. CPAs must also develop, implement, and maintain policies and procedures to ensure HIPAA compliance, distribute those policies and procedures to the workforce, provide HIPAA training to the workforce, and augment its security awareness training program.

With nineteen HIPAA enforcement actions announced by OCR so far this year, 2025 looks set to become the most active year for OCR in terms of HIPAA enforcement. These penalties send a message to all HIPAA-regulated entities about the importance of HIPAA compliance. Across those nineteen enforcement actions, OCR has collected more than $8 million in financial penalties.

OCR penalties for HIPAA violations 2009-2025

The post New York Business Associate Pays $175,000 to Resolve HIPAA Risk Analysis Violation appeared first on The HIPAA Journal.