The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Comprehensive Neurology, PC—a small neurology practice based in New York—over potential violations of the HIPAA Security Rule. This action follows an OCR investigation into a ransomware attack that compromised patient data.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which mandate how covered entities (health care providers, health plans, and health care clearinghouses) and their business associates must protect patients’ protected health information (PHI). The HIPAA Security Rule in particular requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). One of its foundational requirements is the risk analysis provision, which obligates a regulated entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it holds; the other Security Rule safeguards are expected to be selected and prioritized on the basis of that analysis.

“Effective cybersecurity requires proactively implementing the HIPAA Security Rule requirements before a breach or cybersecurity incident occurs,” said Acting OCR Director Anthony Archeval. “We urge health care entities to prioritize the HIPAA Security Rule’s risk analysis requirement.”

Ransomware and hacking continue to pose major cybersecurity threats in health care. Ransomware—malicious software that encrypts data and demands payment for its release—was the attack method used against Comprehensive. This case marks OCR’s 12th enforcement action related to ransomware and the 8th under its Risk Analysis Initiative, which aims to increase compliance with the HIPAA Security Rule and highlight its importance in safeguarding ePHI.

Comprehensive reported the breach to OCR in December 2020: ransomware had encrypted its IT systems, including the ePHI stored on them, and rendered them unusable, affecting approximately 6,800 individuals. The compromised data included names, clinical details, insurance information, demographic data, Social Security numbers, and state-issued identification numbers. OCR’s investigation found that Comprehensive had failed to conduct an accurate and thorough risk analysis, and so had not identified the risks and vulnerabilities to its ePHI that the attack exploited.

As part of the settlement, Comprehensive agreed to pay $25,000 and implement a corrective action plan, which will be monitored by OCR for two years. The plan requires Comprehensive to:

  • Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it holds.

  • Develop and implement a risk management plan to address identified vulnerabilities.

  • Review and update HIPAA-related policies and procedures as needed.

  • Provide HIPAA training tailored to workforce roles and responsibilities.

OCR also recommends the following best practices for all HIPAA-covered entities to better defend against cyber threats:

  • Map the flow of ePHI throughout the organization.

  • Embed risk analysis and risk management in business operations.

  • Establish and review audit controls regularly.

  • Use strong authentication measures to limit ePHI access to authorized personnel.

  • Encrypt ePHI in transit and at rest when appropriate.

  • Apply insights from past security incidents to strengthen current practices.

  • Offer regular, job-specific HIPAA training to all staff.

For more details, the full resolution agreement and corrective action plan are available on the HHS HIPAA Enforcement Agreements page.