Health Care Compliance Association (HCCA)

Report on Patient Privacy 25, no. 9 (September, 2025)

Covered entities (CEs) and business associates (BAs) might be forgiven if the most recent HHS Office for Civil Rights (OCR) HIPAA enforcement action evoked little more than a yawn. Yes, the $175,000 payment isn’t a particularly large amount, and the sole alleged violation is a retread. Actually, it’s the 10th in OCR’s Risk Analysis Initiative, and at least the 15th to have involved ransomware.

But the settlement has some unusual aspects, RPP has learned—not the least of which is that the BA at issue is an accounting firm, an apparent first for OCR. In addition, Community Care Physicians (CCP) of New York had nothing but nice things to say to RPP about BST & Co. CPAs LLP, the firm whose protected health information (PHI) was breached in 2019. The fact that the two never broke up offers a plethora of compliance lessons in an era where most believe it’s a question of when, not if, a breach will happen, and so they’re likely to face the same dilemma.

The BST settlement also includes a two-year corrective action plan (CAP).[i] But this wasn’t OCR’s only recent HIPAA news. On Sept. 4, OCR signaled that it intends to issue a final regulation revising the Security Rule, following publication in January of a highly controversial proposed rule (see story, p. 10).[ii]

As OCR described the arrangement, BST, based in Latham, “provides certified public accounting services, business and asset valuations, forensic accounting services, and litigation support, among other services. BST receives financial information, that also contains” PHI from CCP, “for the purposes of providing tax advice and preparing tax returns.”[iii]

Spokesperson Alexis Musto told RPP that CCP has “worked with BST through almost all of CCP’s 40-year history.” But she declined to address any questions about the settlement, referring those to BST and OCR.

“We can’t speak to the specific findings or internal processes of another organization,” Musto said. “What we can reiterate is that when the incident occurred, BST worked closely with us to address it swiftly, supported our patients throughout the process, and implemented measures to prevent it from happening again.”

With 230 physicians among its 440 providers, CCP is the largest independent multispecialty group in the Capital Region of New York. It includes 70 practices at more than 100 sites, Musto said.

OCR’s Aug. 18 announcement and the accompanying settlement document reveal few details about the breach; more of the story is told in CCP’s notice to patients that is still posted online. According to OCR, BST notified the agency on Feb. 16, 2020, that for three days beginning Dec. 4, 2019, “part of its network was infected with ransomware, impacting” the PHI of CCP. BST, the agency said, “determined that the malware [. . .] was introduced by an unknown individual(s) outside the organization via a phishing email.” The PHI of 170,000 individuals was affected; it is not clear if all of them were CCP patients or if other CEs were involved.

OCR said BST “failed to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by it” as a BA. The agency didn’t call attention to the fact that the action is apparently its first against an accounting firm.

Intrusion, But No Access?

According to CCP’s website, “BST was quickly able to restore all the files from its backups and maintained the integrity of the files, as well. This is good news; however, there was an unauthorized intrusion into BST’s network that contained Community Care Physicians’ data. Out of an abundance of caution, BST is providing notice of the event to potentially impacted individuals (letter in the mail from BST), to the media, and to certain regulators, and they have put measures in place to make sure this doesn’t happen again.” The website also said BST offered “one year of identity monitoring at no cost.”

Under the CAP, BST is to conduct a risk analysis under a plan first approved by OCR, as well as develop and implement a risk management plan. The risk analysis must also be conducted annually.

BST is required to “augment its existing HIPAA and Security Training Program,” which “shall include general instruction on compliance with BST’s HIPAA policies and procedures and will be provided to those workforce members to whom the policies and procedures apply, including all workforce members who have access to PHI. BST shall submit its proposed training materials on the policies and procedures to HHS for its review and approval. HHS shall approve, or, if necessary, require revisions to BST’s Training Program.”

Ronald L. Guzior, the CPA firm’s managing partner, signed the settlement agreement. RPP asked Guzior if BST had paid a ransom, why the settlement took five years, what the $175,000 payment was based on and if BST had any observations to share with other CEs and BAs about its experiences with the breach and with OCR. Guzior did not respond to these questions.

“BST conducted a thorough investigation in 2020, and OCR completed an investigation in 2025, both of which confirmed that no sensitive client or patient information was accessed during the 2019 malware attack,” Guzior told RPP.

However, OCR made no such public statement about whether data was accessed or not. This is not mentioned in its news release or in the settlement documents.

CCP: Breach ‘Successfully Handled’

Guzior added that, “[s]ince the incident, BST has implemented enhanced cybersecurity measures, including consulting with industry experts, to strengthen protection against future threats.”

Musto called the breach “an unfortunate and isolated incident, which was quickly identified and addressed. We knew that BST was doing everything in its power to assist our patients who were potentially affected and ensure this didn’t happen again. They had made many resources available to our patients, which demonstrated their commitment to our patients’ security and satisfaction. We feel very confident that our patients’ data is secure.”

She added that CCP “takes the privacy and security of our patients’ information very seriously. The 2019 security incident referenced was not a Community Care Physicians’ incident. Rather, it involved one of our business partners, BST, whose network was impacted by a ransomware attack. While some Community Care Physicians’ files were stored on BST’s systems, our own systems and data remained secure.”

In her statements to RPP, Musto said “BST immediately addressed the incident, took the appropriate steps to notify each patient potentially affected, and put measures in place to make sure this didn’t happen again.” The breach “was successfully handled,” Musto said, adding that CCP “continues to prioritize patient privacy and data security as a top organizational commitment.”

If You Stay Together…

Whether to drop a BA after a breach is a common question, Joseph J. Lazzarotti, a principal in the Tampa, Florida, office of Jackson Lewis P.C., told RPP. Lazzarotti founded and currently co-leads the firm’s privacy, artificial intelligence and cybersecurity practice. Rather than give in to a “knee-jerk reaction” to sever ties, many factors should be considered, he said.

Two are the cause and nature of the breach, particularly whether the BA or other vendor was actually negligent or whether it should be viewed as the victim of a crime, he said. Perhaps it resulted from an inadvertent action. The BA itself might not have been the source of a breach—perhaps it was a subcontractor. Moreover, the grass isn’t always greener on the other side, as Lazzarotti put it.

“You could be making that switch [to a new BA] thinking that you’re going over to a company and the company could be fully transparent and say, ‘We don’t have any issues.’ But then two weeks after you sign the paper, they have an attack and you’ve already transmitted all of your data to them to begin work,” Lazzarotti said.

The CE could determine it needs to do a “much deeper assessment” than was initially done when the BA was first engaged to “better understand” the BA’s controls and perhaps institute a “more regular process for evaluating that and reviewing changes” the BA makes, Lazzarotti said.

Another consideration is the length of the relationship—particularly if the breach involved a services vendor and even if the BA did everything right after a breach. For example, the time may be apt to switch to a new accounting firm or to rotate those who actually complete audits, regardless of whether there is a breach.

“If you have had a long relationship, maybe it makes sense to have someone with fresh eyes,” Lazzarotti said, adding publicly traded firms are required to periodically change their auditors, a move he said is also just a good idea in general.

Adam Greene, a partner with Davis Wright Tremaine LLP, said it’s not unusual for a CE to keep its BA after a breach. “As breaches become increasingly common, they seemingly become less of a dealbreaker in a business relationship,” he told RPP.

Like Lazzarotti, Greene articulated factors that CEs should ponder regarding possibly severing ties, including “whether alternative service providers are available, whether such alternatives necessarily have stronger information security, the cost and disruption of switching service providers, and whether the business associate handled the breach in compliance with law and in a manner that minimized disruption and reputational harm to your organization.”

From the other side, if you’re the BA who’s had a breach, “some steps that you can take to maximize your chances of retaining customers include putting customer service front and center—rather than taking an adversarial approach if disputes arise.” The BA should also consider “whether to take on all breach notification obligations that you can in order to minimize the burden on your customers,” Greene said.

It’s also important for the BA to simultaneously maintain “transparency about the incident as much as possible, while still maintaining attorney-client privilege where needed and avoiding sharing initial conclusions until all relevant facts have been confirmed,” Greene added.


[i] U.S. Department of Health and Human Services, “HHS’ Office for Civil Rights Settles HIPAA Ransomware Security Rule Investigation with BST & Co. CPAs, LLP,” news release, August 18, 2025, https://bit.ly/3V6wKtC.

[ii] Theresa Defino, “HHS Sets Next Spring for Final Security Reg, Revives Privacy Proposed Rule,” Report on Patient Privacy 25, no. 9 (September 2025): 10.

[iii] U.S. Department of Health and Human Services, resolution agreement with BST & Co. CPAs, LLP, April 17, 2025, https://bit.ly/3VC44sm.
