In a recent enforcement action, federal regulators have imposed a $25,000 fine on a New York-based neurology practice following a 2020 ransomware breach that compromised the personal data of nearly 7,000 individuals. The investigation revealed that Comprehensive Neurology, a specialty practice located in Hollis, New York, with a team of five staff members, did not conduct a thorough risk analysis to assess potential vulnerabilities to its electronic protected health information (ePHI). This settlement also requires the practice to adhere to a corrective action plan.
This enforcement action by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is part of its ongoing initiatives targeting ransomware-related HIPAA violations. It marks the 12th such enforcement action since the initiative began in 2023 and the eighth action under its security risk analysis program. The program was launched to ensure healthcare entities adequately identify and mitigate risks to ePHI. Comprehensive Neurology’s failure to do so resulted in sensitive patient information, including names, clinical details, health insurance data, and Social Security numbers, being encrypted by hackers during the breach.
As part of the resolution agreement signed on February 7, Comprehensive Neurology is not only required to pay the financial penalty but must also implement a corrective action plan that HHS OCR will oversee for the next two years. The practice is mandated to perform a comprehensive security risk analysis and develop a risk management plan to address identified vulnerabilities. Additionally, it must train its workforce on HIPAA policies and procedures to prevent future breaches.
The 2020 incident at Comprehensive Neurology highlights the critical need for healthcare practices to prioritize cybersecurity and conduct regular risk assessments. With ransomware attacks on the rise, healthcare organizations must ensure robust security measures are in place to protect patient data from malicious actors. Comprehensive Neurology’s experience serves as a cautionary tale for other practices to bolster their cybersecurity defenses and comply with HIPAA regulations.
Comprehensive Neurology has so far declined to comment on its settlement with HHS OCR. Nevertheless, this case underscores the importance of regulatory compliance and proactive risk management in safeguarding sensitive health information against cyber threats.