Neurology practice settles with HHS OCR following ransomware attack
Tshedimoso Makhene
May 05, 2025

The HHS Office for Civil Rights reached a $25,000 settlement with Comprehensive Neurology, PC, following a ransomware attack that compromised the data of approximately 6,800 patients. This is OCR's 12th enforcement action involving ransomware, and it again centers on the HIPAA Security Rule's risk analysis requirement.
What happened
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Comprehensive Neurology, PC, a small New York-based neurology practice, following a ransomware attack that exposed sensitive patient information. The practice will pay $25,000 and adopt a corrective action plan monitored by OCR for two years. This settlement marks the agency’s 12th ransomware enforcement action and the 8th under its Risk Analysis Initiative.
The backstory
OCR’s investigation stemmed from a breach notification received in December 2020, when Comprehensive reported a ransomware incident that encrypted its entire IT network and electronic protected health information (ePHI), impacting approximately 6,800 individuals. The compromised data included names, clinical details, insurance and demographic information, Social Security numbers, and government-issued identification.
The investigation found that Comprehensive had not met a foundational HIPAA Security Rule requirement: conducting an accurate and thorough risk analysis of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. On that basis, OCR concluded the practice was out of compliance with its obligations under the Security Rule.
What was said
“Effective cybersecurity requires proactively implementing the HIPAA Security Rule requirements before a breach or cybersecurity incident occurs,” said OCR Acting Director Anthony Archeval. “OCR urges health care entities to prioritize compliance with the HIPAA Security Rule risk analysis requirement.”
In the know
Ransomware is malware that encrypts an organization's files and systems and then demands payment for the decryption key; many operators also copy data out of the network first so they can threaten to publish it if the ransom is not paid. Healthcare organizations are frequent targets because clinical operations depend on real-time access to records and because patient data commands a high price. Common initial access methods include phishing, exploitation of unpatched software, and remote access services (such as VPNs or RDP) protected only by weak or stolen passwords.
Under HIPAA, covered entities and business associates must implement administrative, physical, and technical safeguards for ePHI, starting with a documented and regularly updated risk analysis. Under OCR's ransomware guidance, an attack that encrypts ePHI is presumed to be a breach unless the organization can demonstrate, through a documented risk assessment, a low probability that the data was compromised.
The consequences can be severe: disrupted patient care, regulatory penalties, reputational harm, and costly recovery efforts. Prevention and resilience depend on staff training, prompt patching, multi-factor authentication on remote access, encryption of data at rest and in transit, backups kept offline or otherwise isolated from the production network, regular restore tests to confirm those backups actually work, and an incident response plan that has been exercised before it is needed.
Why it matters
Healthcare organizations are increasingly targeted by ransomware, which can lead to serious privacy violations and service disruptions. Comprehensive Neurology's case shows that the financial and legal consequences of a breach extend beyond the attack itself to the compliance gaps an investigation uncovers, in this instance the absence of a proper risk analysis. OCR's enforcement record is also a warning to other providers that cybersecurity and HIPAA compliance must be proactive, not reactive.
FAQs
What is a corrective action plan (CAP)?
A CAP outlines steps the organization must take to bring its operations into HIPAA compliance. This can include performing a new risk analysis, updating policies and procedures, providing employee training, and undergoing OCR monitoring.
What happens when a healthcare organization experiences a data breach or ransomware attack?
Organizations must notify the HHS Office for Civil Rights (OCR) and affected individuals of breaches of unsecured PHI without unreasonable delay and no later than 60 days after discovery; breaches affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets serving that area. OCR may then open an investigation into whether the organization was complying with HIPAA before and during the incident.
How can healthcare providers reduce their risk of HIPAA violations?
Providers should conduct and document regular risk analyses, act on the findings through a risk management plan, keep security policies current, encrypt ePHI, monitor system and access activity, and train employees on HIPAA and cybersecurity best practices.