Full Report
In February 2020, DataBreaches reported that patients of Community Care Physicians in New York may have had their protected health information, date of birth, and insurance coverage exposed as a result of a ransomware attack by Maze Team at the Albany-based accounting firm BST & Co. CPAs. The incident was reported at the time to...
Analysis Summary
# Incident Report: BST & Co. Ransomware Attack and HIPAA Settlement
## Executive Summary
In December 2019, accounting firm BST & Co. CPAs experienced a ransomware attack, attributed to Maze Team, which compromised Protected Health Information (PHI) belonging to patients of Community Care Physicians, the covered entity for which BST acted as a business associate. The breach impacted approximately 170,000 patients. The subsequent investigation by the HHS Office for Civil Rights (OCR) found that BST had failed to conduct an adequate risk analysis, leading to a settlement in which BST paid $175,000 and agreed to a two-year corrective action plan to bring it into compliance with the HIPAA Security Rule.
## Incident Details
- **Discovery Date:** December 7, 2019 (Discovery of ransomware infection)
- **Incident Date:** Occurred on or before December 7, 2019
- **Affected Organization:** BST & Co. CPAs, LLP (Business Associate)
- **Sector:** Accounting/Business Advisory (Handling Healthcare Data)
- **Geography:** New York (Albany-based firm)
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to December 7, 2019
- **Vector:** Ransomware attack (Attributed to Maze Team)
- **Details:** Part of BST's network was infected with ransomware, leading to the compromise of ePHI.
### Lateral Movement
- Not described in the source; the scale of the impact indicates the ransomware spread far enough to reach the systems holding PHI.
### Data Exfiltration/Impact
- **Impact:** Exposure of Protected Health Information (PHI), date of birth, and insurance coverage for approximately 170,000 patients of Community Care Physicians.
### Detection & Response
- **Detection:** December 7, 2019, when BST discovered the ransomware infection.
- **Response Actions:** BST filed a breach report with HHS on February 16, 2020. OCR conducted an investigation, which concluded with a resolution agreement and a $175,000 payment.
## Attack Methodology
- **Initial Access:** Ransomware infection (Maze Team).
- **Persistence:** Not specified; the source does not describe how access was maintained before the ransomware was deployed.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not documented. OCR's finding of an inadequate risk analysis points to unaddressed weaknesses, but the source identifies no specific evasion techniques.
- **Credential Access:** Not specified.
- **Discovery:** Not specified.
- **Lateral Movement:** Inferred from the scale of the impact across the network; not described in the source.
- **Collection:** Implied by the ransomware operation, which required locating and encrypting the systems holding ePHI.
- **Exfiltration:** The source does not state whether data was only encrypted or also exfiltrated (exfiltration before encryption was common in Maze Team operations), but the affected PHI is treated as exposed.
- **Impact:** Encryption/disruption of systems holding ePHI, leading to a reportable breach.
## Impact Assessment
- **Financial:** BST paid $175,000 to HHS OCR as part of the settlement. Compliance monitoring costs under the corrective action plan are ongoing.
- **Data Breach:** Compromise of PHI, DOB, and insurance coverage for an estimated 170,000 patients affiliated with Community Care Physicians.
- **Operational:** Disruption from the ransomware infection discovered on December 7, 2019.
- **Reputational:** Public settlement announcement and investigation by a federal regulatory body (HHS OCR).
## Indicators of Compromise
*Note: No specific IoCs (URLs, IPs, or file hashes) were provided in the source text.*
- **Network indicators:** None provided; any Maze Team infrastructure would have to be sourced from separate threat intelligence reporting.
- **File indicators:** None provided beyond the general association with Maze ransomware payloads.
- **Behavioral indicators:** Unauthorized encryption of files containing ePHI.
## Response Actions
- **Containment:** Not detailed in the source, but would have required stopping the spread of the ransomware.
- **Eradication:** Not detailed in the source; removal of the ransomware and restoration of affected systems is inferred.
- **Recovery actions:** Implementation of a two-year Corrective Action Plan (CAP) monitored by OCR, including:
  - Conducting an accurate and thorough risk analysis.
  - Developing and implementing a risk management plan.
  - Developing or revising written policies and procedures for the HIPAA Privacy and Security Rules.
  - Augmenting and providing annual HIPAA/security training for all workforce members with PHI access.
## Lessons Learned
- The most critical failure identified was the **failure to conduct an accurate and thorough risk analysis** of the threats to the confidentiality, integrity, and availability of ePHI, a core requirement of the HIPAA Security Rule.
- Business Associates (BAs) handling PHI must maintain security measures equivalent to those of Covered Entities; otherwise the covered entity's risk is simply transferred down the supply chain.
## Recommendations
- **Mandatory and Regular Risk Analysis:** Conduct comprehensive, accurate, and periodic risk analyses specifically targeting ePHI, followed immediately by the implementation of a documented risk management plan to mitigate identified findings.
- **Policy Maintenance:** Ensure all written policies and procedures related to HIPAA Security and Privacy Rules are current and frequently reviewed.
- **Training:** Enhance security and HIPAA training programs, ensuring annual mandatory refreshers for all personnel who access sensitive data like PHI.