Ransomware Reality Check: Business Associate Pays Big HIPAA Fine

6/2/2025

 

Did you know Business Associates (BAs) are at risk for ransomware attacks just as much as Covered Entities? 

Ransomware attacks disproportionately affect healthcare organizations, with malicious actors looking to exploit Protected Health Information (PHI). When PHI includes sensitive information such as Social Security Numbers, addresses, phone numbers, and more, it provides someone with a lot of information to use for the wrong reasons. 

medical billing BA in Massachusetts, Comstar, LLC, recently experienced the fallout of a ransomware attack. Trusted with the PHI of over 70 practices, the organization did not have the proper safeguards to mitigate risk after a cybercrime. Part of this was a missing Security Risk Analysis (SRA), or a thorough assessment of an organization’s potential vulnerabilities.  

This latest enforcement represents the responsibility of BAs to uphold their commitments and for all HIPAA-regulated entities to complete and maintain an SRA. 

 

What Happened?

In May 2022, a malicious actor intruded Comstar’s network servers. Comstar was unaware of this intrusion for several days. In the meantime, the hacker encrypted nearly 600,000 patient records with ransomware. Even though these patients weren’t directly Comstar’s, they assumed the responsibility of protecting their data. 

While it is not public what steps Comstar took to mitigate risks after the initial ransomware breach, it was discovered that the organization did not complete an SRA. This assessment is at the foundation of a compliant practice and is a requirement of HIPAA. 

After this discovery, the organization was fined $75,000 and put under a Corrective Action Plan (CAP), or government monitoring, for two years. 

This assessment is at the foundation of a compliant practice and is a requirement of HIPAA. 

Recently, the Office for Civil Rights (OCR) has sharpened its focus on this commonly missed requirement with the latest Risk Analysis Initiative. This fine is the 9th enforcement of this initiative. 

 

Streamlining the SRA with Software

When less than 20% of BAs could showcase a compliant SRA when being audited, completing the SRA is unfortunately a common oversight by regulated entities. Additionally, this is a responsibility of both Covered Entities and BAs, and both parties must carefully handle PHI. 

With smart software, BAs can easily streamline the SRA and complete the assessment that pinpoints common vulnerabilities organizations face. By simplifying the SRA, intelligent solutions can empower an organization to cultivate a culture of compliance for its staff, securely meet requirements, and handle PHI. 

To learn more about how your organization can easily complete the SRA, meet with a compliance expert today

RECENT POSTS

Related posts

OSHA Healthcare Fine
Abyde News, Fines, OSHA

OSHA’s Rapid Response: Why Every Practice Needs a Safety Culture

June 19, 2025 No comments yet

June 19, 2025 The success of your practice hinges on the safety of your staff. When staff feel unsafe, OSHA quickly demonstrates its commitment to staff protection.  A recent healthcare OSHA fine highlights how efficiently OSHA complaints are handled.  Opulent Pediatrics faced expedited penalties following a staff complaint, just months after the initial complaint.  From the case opening in March to its resolution in June, OSHA underscored the severity and importance it places on staff complaints. Complaints are also the most common way HIPAA investigations are initiated.  This rapid response showcases the need for practices to provide a safe work environment and foster a culture of compliance, empowering staff members to communicate needs and concerns.    What Happened? In March 2025, a staff member of Opulent Pediatrics sent a formal complaint to OSHA due to unsafe working conditions. The Roanoke regional office investigated the pediatric practice unannounced, not providing time for the practice to address any concerns.  Following their investigation, it was discovered that the practice violated several safety requirements, such as bloodborne pathogen safety, improper medical services, or missing first aid unavailable to staff, improper handling of wiring and equipment, and insufficient hazard communication documentation. After the investigation, by April, OSHA noted seven citations and issued an initial penalty of over $14,000. It’s inferred that the practice was willing and cooperative, with the final fine totalling over $2,000 by the abatement date in May.    Protecting Staff in Healthcare While Opulent Pediatrics dodged a more significant fine, this enforcement action demonstrates OSHA’s swift investigative response to complaints. From the initial investigation to its conclusion, the case only took three months. OSHA can and will investigate without notice, so ensure your OSHA program documentation is readily available.  With the right tools, ensuring staff safety can be simplified. In this case, training and proper documentation could have avoided these fines. Consider how an intelligent OSHA software solution centralizes training, such as for bloodborne pathogens, hazard communication, and all other OSHA documentation, making it easily accessible to every staff member within a compliance hub. Moreover, by prioritizing safety in your practice, staff can feel empowered to communicate concerns.  To learn more about streamlining OSHA compliance in your healthcare practice, schedule a consultation with an expert today. 

Abyde News, HIPAA

Introducing SRA Contributor: Master Your HIPAA Risk Analysis

June 3, 2025 No comments yet

June 3, 2025 Have you ever been stumped by a HIPAA Security Risk Analysis (SRA) question because you didn’t know the answer? Even the most seasoned HIPAA Compliance Officers encounter administrative and technical security questions outside their area of expertise, and that’s completely normal. Remember, you’re not expected to have all the answers. So, how are you supposed to get the right answers for the questions you don’t know from those who do? Abyde’s latest update, SRA Contributor, helps you get the necessary answers. This feature allows you to send questions internally to other Abyde users (at your practice) or externally to trusted contacts of your Business Associates (BAs), allowing you to complete your SRA confidently.  The Users section has now been updated to include both Users and Contributors. Once in this section, click the SRA Contributor tab to add external individuals, such as your IT partner, who can assist in answering SRA questions.   Then, complete the SRA. We encourage users to mark uncertain questions with ‘Don’t Know’. Once the SRA is complete, Abyde users can access the SRA Contributor feature from their Scorecard module and securely send any questions as needed. Hit the Abyde Flag icon to the right of any question on your Scorecard to activate the SRA Contributor pop-up and select your Contributors. As a reminder, you can add a note to any question for your Contributors.   Once flagged, the question(s) are batched and ready to be sent. Abyde recommends reviewing any and all questions for Contributors and sending them in one batch to reduce the number of emails. After all questions are flagged, send them together by hitting the send icon on the Contributor line below the question or from the global SEND button at the top of the Scorecard module.  Once sent, your SRA Contributors (and other Abyde users) will receive an email to the secure SRA Contributor Portal. The Contributor Portal includes all flagged questions. Your Contributors can answer your questions, add notes, and send their responses to you once they complete the portal.  From there, you will receive an email notification that your question has been answered and is ready for review. Then, you can either reject or approve an SRA Contributor’s answers. If approved, their answer and note (if present) replace your initial response on the SRA. If rejected, you can send the question again to other contributors or manually change the answer yourself. SRA Contributors’ answers and Contributor Portal links (if they never answered the question) can also be deleted from the Scorecard by clicking the Trash Can icon.  Why This Matters A thorough and accurate Security Risk Analysis (SRA) is paramount for safeguarding patient data and ensuring compliance. It is the foundation of a compliant practice.  The SRA Contributor enables you to complete the SRA more efficiently and confidently, enhancing collaboration with your business associates and other Contributors who manage the more technical aspects of your practice.  This ensures that the required SRA is completed accurately and thoroughly, giving you confidence in the integrity and completeness of your answers.  To learn more, contact our support team at support@abyde.com, or call 1.877.816.1620. 

BayCare HIPAA Fine
Abyde News, Fines, HIPAA

BayCare’s $800k HIPAA Violation: The Consequences of Unmonitored Staff Access

May 29, 2025 No comments yet

May 29, 2025   A successful practice is built upon a strong foundation of well-trained and aware staff.  Protecting patient data is a critical responsibility for healthcare staff. Data breaches involving Protected Health Information (PHI) can occur in many ways, but the foundation of security lies in a workforce committed to safeguarding it. A Florida healthcare provider, BayCare Health System, experienced the consequences of improper disclosure of PHI due to a complaint and a noncompliant staff member in the latest HIPAA fine.  Acting Director of the Office for Civil Rights (OCR) Anthony Archeval commented on the importance of managing staff access, saying, “allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”   What Happened? In 2018, an unnamed complainant visited St. Joseph’s Hospital, a facility under the BayCare Health System, for an appointment. After treatment, she received communication from an unknown contact who sent the complainant photos of her medical records and a video of a BayCare associate scrolling through her file as well.  This communication led to a complaint filed with the OCR. Several years of legal interactions and investigations by the OCR resulted in an $800,000 settlement six years later.  After the investigation, it was found that BayCare failed to have procedures and policies for handling ePHI, failed to reduce risks, and did not review staff access.  This nearly million-dollar fine resulted from a malicious insider, insufficient documentation, and an oversight of staff privileges.  Reviewing staff access is vital for protecting patient data. By monitoring staff activity, you can ensure that PHI does not end up in the wrong hands. Additionally, when providing staff with access to PHI, confirm that access is necessary to complete essential job tasks. This falls under the Minimum Necessary Standard within the HIPAA Privacy Rule, which enforces that disclosed PHI is only shared for an authorized and required purpose.  Staff must be thoroughly trained in their responsibilities before accessing PHI, and policies and procedures regarding handling PHI must be readily available for staff to review.  While this situation did not lead to jail time, it is not unheard of in the medical field, so staff must also be aware of the consequences.    Training and Monitoring Staff with Abyde Smart compliance solutions streamline training, policies and procedures, and monitoring access, creating a culture of compliance that protects your organization from malicious insiders. With an intelligent platform managing compliance, you can dynamically generate unique policies and procedures in seconds, automating this task without human error.  Additionally, a centralized compliance hub allows staff to review documentation before working with patients and refer to it if there is any confusion. Access logs can also be found in this hub, which keeps staff accountable when they review patient PHI.  With intelligent solutions, proactive compliance is made easy, encouraging staff to take their HIPAA responsibilities seriously. Speak with a compliance expert today to learn more about how compliance can be simplified for your practice. 

What's coming next in HIPAA? Join our June webinar to stay up to date.

REGISTER NOW
X