Missing Risk Analysis Cost NY CPA Firm $175K, But Not the Big Group Whose Data Was Breached in 2019 | Health Care Compliance Association (HCCA) | JDSupra

Report on Patient Privacy 25, no. 9 (September 2025)

Covered entities (CEs) and business associates (BAs) might be forgiven if the most recent HHS Office for Civil Rights (OCR) HIPAA enforcement action evoked little more than a yawn. Yes, the $175,000 payment isn't a particularly large amount, and the sole alleged violation is a retread. Actually, it's the 10th in OCR's Risk Analysis Initiative and at least the 15th to have involved ransomware.

But the settlement has some unusual aspects, RPP has learned, not the least of which is that the BA at issue is an accounting firm, an apparent first for OCR. In addition, Community Care Physicians (CCP) of New York had nothing but nice things to say to RPP about BST & Co. CPAs, LLP, the firm whose protected health information (PHI) was breached in 2019. The fact that the two never broke up offers a plethora of compliance lessons in an era where most believe it's a question of when, not if, a breach will happen, and so they're likely to face the same dilemma.

The BST settlement also includes a two-year corrective action plan (CAP).[i] But this wasn't OCR's only recent HIPAA news. On Sept. 4, OCR signaled that it intends to issue a final regulation revising the Security Rule, following publication in January of a highly controversial proposed rule (see story, p. 10).[ii]

As OCR described the arrangement, BST, based in Latham, provides certified public accounting services, business and asset valuations, forensic accounting services and litigation support, among other services. BST receives financial information that also contains PHI from CCP for the purposes of providing tax advice and preparing tax returns.[iii]

Spokesperson Alexis Musto told RPP that CCP has worked with BST through almost all of CCP's 40-year history. But she declined to address any questions about the settlement, referring those to BST and OCR.

"We can't speak to the specific findings or internal processes of another organization," Musto said. "What we can reiterate is that when the incident occurred, BST worked closely with us to address it swiftly, supported our patients throughout the process and implemented measures to prevent it from happening again."

With 230 physicians among its 440 providers, CCP is the largest independent multispecialty group in the Capital Region of New York. It includes 70 practices at more than 100 sites, Musto said.

OCR's Aug. 18 announcement and the accompanying settlement document reveal few details about the breach; more of the story is told in CCP's notice to patients, which is still posted online. According to OCR, BST notified the agency on Feb. 16, 2020, that for three days beginning Dec. 4, 2019, part of its network was infected with ransomware, impacting the PHI of CCP. BST, the agency said, determined that the malware was introduced by an unknown individual(s) outside the organization via a phishing email. The PHI of 170,000 individuals was affected; it is not clear if all of them were CCP patients or if other CEs were involved.

OCR said BST failed to assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) held by it as a BA. The agency didn't call attention to the fact that the action is apparently its first against an accounting firm.

Intrusion, But No Access

According to CCP's website, BST was quickly able to restore all the files from its backups and maintained the integrity of the files as well. "This is good news; however, there was an unauthorized intrusion into BST's network that contained Community Care Physicians' data. Out of an abundance of caution, BST is providing notice of the event to potentially impacted individuals (letter in the mail from BST), to the media and to certain regulators, and they have put measures in place to make sure this doesn't happen again." The website also said BST offered one year of identity monitoring at no cost.

Under the CAP, BST is to conduct a risk analysis under a plan first approved by OCR, as well as develop and implement a risk management plan. The risk analysis must also be conducted annually.

BST is required to augment its existing HIPAA and Security Training Program, which shall include general instruction on compliance with BST's HIPAA policies and procedures and will be provided to those workforce members to whom the policies and procedures apply, including all workforce members who have access to PHI. BST shall submit its proposed training materials on the policies and procedures to HHS for its review and approval. HHS shall approve or, if necessary, require revisions to BST's Training Program.

Ronald L. Guzior, the CPA firm's managing partner, signed the settlement agreement. RPP asked Guzior if BST had paid a ransom, why the settlement took five years, what the $175,000 payment was based on, and if BST had any observations to share with other CEs and BAs about its experiences with the breach and with OCR. Guzior did not respond to these questions.

"BST conducted a thorough investigation in 2020, and OCR completed an investigation in 2025, both of which confirmed that no sensitive client or patient information was accessed during the 2019 malware attack," Guzior told RPP.

However, OCR made no such public statement about whether data was accessed or not. This is not mentioned in its news release nor in the settlement documents.

CCP: Breach 'Successfully Handled'

Guzior added that since the incident, BST has implemented enhanced cybersecurity measures, including consulting with industry experts to strengthen protection against future threats.

Musto called the breach "an unfortunate and isolated incident which was quickly identified and addressed. We knew that BST was doing everything in its power to assist our patients who were potentially affected and ensure this didn't happen again. They had made many resources available to our patients, which demonstrated their commitment to our patients' security and satisfaction. We feel very confident that our patients' data is secure."

She added that CCP "takes the privacy and security of our patients' information very seriously. The 2019 security incident referenced was not a Community Care Physicians incident. Rather, it involved one of our business partners, BST, whose network was impacted by a ransomware attack. While some Community Care Physicians files were stored on BST's systems, our own systems and data remained secure."

In her statements to RPP, Musto said BST immediately addressed the incident, took the appropriate steps to notify each patient potentially affected and put measures in place to make sure this didn't happen again. "The breach was successfully handled," Musto said, adding that CCP continues to prioritize patient privacy and data security as a top organizational commitment.

If You Stay Together

Whether to drop a BA after a breach is a common question, Joseph J. Lazzarotti, a principal in the Tampa, Florida, office of Jackson Lewis P.C., told RPP. Lazzarotti founded and currently co-leads the firm's privacy, artificial intelligence and cybersecurity practice. Rather than give in to a knee-jerk reaction to sever ties, many factors should be considered, he said.

Two are the cause and nature of the breach, particularly whether the BA or other vendor was actually negligent or whether it should be viewed as the victim of a crime, he said. Perhaps it resulted from an inadvertent action. The BA itself might not have been the source of a breach; perhaps it was a subcontractor. Moreover, the grass isn't always greener on the other side, as Lazzarotti put it.

"You could be making that switch to a new BA thinking that you're going over to a company, and the company could be fully transparent and say, 'We don't have any issues.' But then two weeks after you sign the paper, they have an attack, and you've already transmitted all of your data to them to begin work," Lazzarotti said.

The CE could determine it needs to do a much deeper assessment than was initially done when the BA was first engaged, to better understand the BA's controls, and perhaps institute a more regular process for evaluating that and reviewing changes the BA makes, Lazzarotti said.

Another consideration is the length of the relationship, particularly if the breach involved a services vendor, and even if the BA did everything right after a breach. For example, the time may be apt to switch to a new accounting firm or to rotate those who actually complete audits, regardless of whether there is a breach.

"If you have had a long relationship, maybe it makes sense to have someone with fresh eyes," Lazzarotti said, adding that publicly traded firms are required to periodically change their auditors, a move he said is also just a good idea in general.

Adam Greene, a partner with Davis Wright Tremaine LLP, said it's not unusual for a CE to keep its BA after a breach. "As breaches become increasingly common, they seemingly become less of a dealbreaker in a business relationship," he told RPP.

Like Lazzarotti, Greene articulated factors that CEs should ponder regarding possibly severing ties, including whether alternative service providers are available, whether such alternatives necessarily have stronger information security, the cost and disruption of switching service providers, and whether the business associate handled the breach in compliance with law and in a manner that minimized disruption and reputational harm to your organization.

From the other side, if you're the BA who's had a breach, some steps that you can take to maximize your chances of retaining customers include putting customer service front and center, rather than taking an adversarial approach if disputes arise. The BA should also consider whether to take on all breach notification obligations that you can, in order to minimize the burden on your customers, Greene said.

It's also important for the BA to simultaneously maintain transparency about the incident as much as possible, while still maintaining attorney-client privilege where needed and avoiding sharing initial conclusions until all relevant facts have been confirmed, Greene added.

[i] U.S. Department of Health and Human Services (HHS), "Office for Civil Rights Settles HIPAA Ransomware Security Rule Investigation with BST & Co. CPAs, LLP," news release, August 18, 2025, https://bit.ly/3V6wKtC.

[ii] Theresa Defino, "HHS Sets Next Spring for Final Security Reg, Revives Privacy Proposed Rule," Report on Patient Privacy 25, no. 9 (September 2025): 10.

[iii] U.S. Department of Health and Human Services, resolution agreement with BST & Co. CPAs, LLP, April 17, 2025, https://bit.ly/3VC44sm.