Business Associate Ransomware Investigation and Settlement

A Business Associate could spell doom for you.

Business Associate Ransomware Investigation and Settlement isn’t just a headline—it’s the reality clinics and vendors face when ransomware strikes a partner that touches patient data. The case against BST & Co. CPAs, LLP shows how quickly an incident becomes a formal investigation and, ultimately, a settlement when HIPAA Security Rule basics—like a risk analysis—aren’t in place.

What happened: a Business Associate Ransomware Investigation and Settlement snapshot

BST, an accounting and consulting firm, reported a ransomware incident that exposed ePHI. OCR’s investigation found gaps in BST’s HIPAA Security Rule compliance (notably an incomplete or insufficient risk analysis). The matter concluded with a monetary payment and a multi-year corrective action plan (CAP)—a classic arc for a Business Associate Ransomware Investigation and Settlement.

Why this matters to every vendor and covered entity

A Business Associate Ransomware Investigation and Settlement reminds leaders that HIPAA applies beyond the clinic. Any partner that creates, receives, maintains, or transmits ePHI—accountants, billing firms, IT providers, cloud hosts, shredding services, law firms—must meet Security Rule standards. “We don’t see patients” is not a defense when ePHI is in play.

The corrective action plan (CAP): the baseline in a Business Associate Ransomware Investigation and Settlement

OCR’s CAP requirements outline the minimum every business associate should expect:

  • Perform an accurate, thorough risk analysis of where ePHI lives and how it flows.
  • Build and execute a risk management plan to reduce risks to a reasonable and appropriate level.
  • Update policies and procedures (Security and Privacy) to reflect actual practice.
  • Provide role-based workforce training and refresh it annually.
  • Track and document everything—because if you didn’t document it, you didn’t do it.

“But we never see patients” is not a defense

  • Many partners handle PHI without direct patient contact. Think accountants, billing firms, cloud providers, IT support, shredding services, law firms, and transcription services. If they create, receive, maintain, or transmit ePHI, they are regulated and must comply.

Practical steps you can take this week

Start simple, then build:

  • Inventory your business associates. List who creates, receives, maintains, or transmits your ePHI.
  • Verify risk analysis. Ask each associate for current risk analysis evidence and a risk management plan.
  • Tighten contracts. Confirm BAAs are in place and reference Security Rule duties.
  • Review safeguards. Check audit controls, access management, and encryption practices.
  • Train people. Give role-specific HIPAA training and refresh it each year.
  • Vendor oversight. Establish a review cadence (e.g., annually) to reconfirm posture, update contact points, and test notification paths.

What this means for leaders

This case is a reminder, not an outlier. Regulators continue to focus on ransomware and risk analysis failures. Proposed Security Rule updates in 2025 would raise expectations further, including stronger authentication and encryption. Plan for that now. (Source: Federal Register)

  • Proximity to risk is not immunity. If your vendor is compromised, you are still accountable for due diligence.
  • Documentation wins (or loses) cases. OCR looks for traceable risk analysis, decisions, and remediation steps.
  • Plan for the bar to rise. Expect stronger expectations around authentication, encryption, and third-party oversight. Build now rather than bolt on later.

Where to learn more (and what to save in your files)

How Taino Consultants and EPICompliance can help

You do not need to solve this alone. Taino Consultants and EPICompliance help clinics and business associates perform risk analyses, build risk management plans, update policies, and deliver workforce training. We also help you assess your vendors and close gaps fast. If you handle PHI, we can help you prove it is protected.

I learned a phrase from a friend of mine that I will never forget: “Mistakes are paid with money.” But in this environment and with the stakes so high, I would prefer to avoid some of those mistakes. Shouldn’t you do the same?