HHS Resolves HIPAA Cybersecurity Case with Neurology Practice

The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Comprehensive Neurology, PC, a small New York neurology practice, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. In December 2020, OCR received a breach report from Comprehensive that stated that its IT network, including all of its ePHI, had been encrypted and rendered inaccessible by ransomware. Comprehensive determined that 6,800 individuals may have been affected. OCR’s investigation found that Comprehensive failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI held by Comprehensive. Under the terms of the settlement, Comprehensive agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $25,000 to OCR.