6/2/2025
Did you know Business Associates (BAs) are at risk for ransomware attacks just as much as Covered Entities?
Ransomware attacks disproportionately affect healthcare organizations, with malicious actors looking to exploit Protected Health Information (PHI). When PHI includes sensitive information such as Social Security Numbers, addresses, phone numbers, and more, it provides someone with a lot of information to use for the wrong reasons.
A medical billing BA in Massachusetts, Comstar, LLC, recently experienced the fallout of a ransomware attack. Trusted with the PHI of over 70 practices, the organization did not have the proper safeguards to mitigate risk after a cybercrime. Part of this was a missing Security Risk Analysis (SRA), or a thorough assessment of an organization’s potential vulnerabilities.
This latest enforcement represents the responsibility of BAs to uphold their commitments and for all HIPAA-regulated entities to complete and maintain an SRA.
What Happened?
In May 2022, a malicious actor intruded Comstar’s network servers. Comstar was unaware of this intrusion for several days. In the meantime, the hacker encrypted nearly 600,000 patient records with ransomware. Even though these patients weren’t directly Comstar’s, they assumed the responsibility of protecting their data.
While it is not public what steps Comstar took to mitigate risks after the initial ransomware breach, it was discovered that the organization did not complete an SRA. This assessment is at the foundation of a compliant practice and is a requirement of HIPAA.
After this discovery, the organization was fined $75,000 and put under a Corrective Action Plan (CAP), or government monitoring, for two years.
This assessment is at the foundation of a compliant practice and is a requirement of HIPAA.
Recently, the Office for Civil Rights (OCR) has sharpened its focus on this commonly missed requirement with the latest Risk Analysis Initiative. This fine is the 9th enforcement of this initiative.
Streamlining the SRA with Software
When less than 20% of BAs could showcase a compliant SRA when being audited, completing the SRA is unfortunately a common oversight by regulated entities. Additionally, this is a responsibility of both Covered Entities and BAs, and both parties must carefully handle PHI.
With smart software, BAs can easily streamline the SRA and complete the assessment that pinpoints common vulnerabilities organizations face. By simplifying the SRA, intelligent solutions can empower an organization to cultivate a culture of compliance for its staff, securely meet requirements, and handle PHI.
To learn more about how your organization can easily complete the SRA, meet with a compliance expert today.