The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (“BST”), a New York public accounting, business advisory, and management consulting firm, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. BST is a HIPAA business associate and receives financial information that also contains protected health information (PHI) from a HIPAA covered entity. The settlement resolves an investigation of BST that OCR initiated after receiving a breach report that BST filed on February 16, 2020. BST reported that on December 7, 2019, BST discovered that part of its network was infected with ransomware, impacting the PHI of its covered entity client. OCR’s investigation determined that BST had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by BST.