
HHS OCR Settles HIPAA Security Rule Investigation Following Maze Ransomware Attack on Accounting Firm
In February 2020, the Maze ransomware group attacked BST & Co. CPAs, an accounting firm based in Albany, New York. The incident exposed protected health information (PHI), including birth dates and insurance coverage details, of patients of Community Care Physicians, a client of the firm. BST & Co. CPAs is not a healthcare provider; it held this data as a service provider to one, which is precisely the business associate role the HIPAA rules are written to cover. The case is therefore first of all a third-party risk story: the covered entity's patients were harmed by a breach at a vendor that handled their data.

Maze is also notable for its tactics. Rather than only encrypting files, the group exfiltrated data before deploying the ransomware and used the threat of publication to pressure victims into paying. For defenders this matters because a backup-and-restore strategy alone does not neutralise the attack; the data is already gone by the time the ransom note appears, and egress monitoring and data minimisation at the vendor become as important as recovery capability.

The subsequent investigation by the HHS Office for Civil Rights (OCR) ended in a settlement over violations of the HIPAA Security Rule, which requires administrative, physical and technical safeguards for electronic protected health information (ePHI). The practical lessons for security teams are concrete: verify that every vendor with access to sensitive data is contractually bound to, and actually meets, the applicable security requirements; reassess that risk continuously rather than at onboarding only; and maintain an incident response plan that is tested and updated regularly. The settlement signals that OCR will hold organisations to the Security Rule's safeguard requirements regardless of how sophisticated the attacker was.