
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Comprehensive Neurology, PC, a New York-based neurology practice, following a ransomware attack that exposed protected health information (PHI) of 6,800 patients. The $25,000 settlement highlights OCR’s intensified focus on small healthcare providers and ransomware preparedness under HIPAA’s Security Rule [1].
TL;DR: Key Points for Security Professionals
- $25,000 settlement for a ransomware incident affecting 6,800 patient records
- 4th OCR ransomware settlement since 2024, following Cascade Eye & Skin Centers ($250K) and others [2]
- Primary violations: Inadequate risk analysis and system monitoring per § 164.308(a)(1)(ii)
- Corrective actions include 2-year OCR monitoring and mandatory risk management plans
- 264% increase in large healthcare breaches since 2018, with ransomware as leading cause [3]
Case Breakdown: Technical and Compliance Failures
The Comprehensive Neurology case stemmed from a ransomware attack where attackers encrypted systems containing electronic PHI (ePHI). OCR’s investigation revealed the practice had not conducted a thorough risk analysis to identify vulnerabilities to ransomware, nor implemented sufficient monitoring to detect anomalous activity. These failures directly violated HIPAA’s Security Rule requirements for risk analysis (§ 164.308(a)(1)(ii)) and system activity monitoring (§ 164.308(a)(1)(ii)(D)) [4].
Notably, the settlement amount reflects the practice’s small size and cooperation during the investigation. For comparison, larger entities like PIH Health faced $600,000 fines for similar violations in 2025 [5]. The corrective action plan mandates:

| Requirement | Timeline |
|---|---|
| Comprehensive risk analysis | Within 60 days |
| Risk management plan implementation | Within 90 days |
| Workforce training on ransomware | Within 120 days |
Ransomware Trends in Healthcare
The healthcare sector saw a 264% increase in large breaches from 2018-2025, with ransomware accounting for 45% of incidents [3]. Recent high-profile cases include:
“The UnitedHealth breach in 2024 via the Change Healthcare attack compromised over 100 million records, demonstrating how third-party vulnerabilities can cascade through healthcare ecosystems.” – HIPAA Journal [6]
Smaller practices face particular risks due to limited IT resources. OCR’s 2025 audit program specifically targets Security Rule provisions tied to ransomware preparedness, including:
- Risk analysis procedures
- Contingency planning
- Encryption status of ePHI
Actionable Recommendations
For organizations handling PHI, these technical controls can reduce ransomware risks:
1. Mandatory Risk Analysis: Conduct and document annual risk assessments that specifically evaluate ransomware threats. The 2016-2017 OCR audits found 70% of entities lacked compliant risk analyses – still a top violation in 2025 [7].
2. System Monitoring: Implement log monitoring for unusual file access patterns (especially mass file encryption) and failed login attempts. CISA recommends deploying endpoint detection and response (EDR) tools with ransomware-specific detection rules [8].
3. Workforce Training: The PIH Health case demonstrated that inadequate training (§ 164.308(a)(5)) significantly increases breach risks. Training should cover:
- Phishing identification (responsible for 32% of healthcare breaches in 2024 [9])
- Reporting procedures for suspicious emails
- Secure handling of ePHI
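The system-monitoring recommendation above (item 2) can be expressed as two simple sliding-window detections: a burst of file renames to a new extension from one account, and repeated failed logins from one source. The following is an added example, not code from the original article or from OCR or CISA; the log format, field names, thresholds and every event in SAMPLE_LOG are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the page), one event per line:
# "timestamp|event|user|host|detail". Twenty-five renames to a new extension
# from one account in 25 seconds mimic mass encryption; six LOGIN_FAIL lines
# from one source mimic a credential-guessing burst.
SAMPLE_LOG = "\n".join(
    [f"2025-03-01T09:00:{i:02d}|FILE_RENAME|svc-scan|ws-neuro-01|chart{i}.pdf -> chart{i}.pdf.lock"
     for i in range(25)]
    + ["2025-03-01T09:00:30|FILE_RENAME|jdoe|ws-neuro-02|draft.docx -> final.docx"]
    + [f"2025-03-01T09:05:{i:02d}|LOGIN_FAIL|admin|vpn-gw|src=203.0.113.7" for i in range(6)]
)

def parse(log):
    """Parse log text into (timestamp, event, user, host, detail) tuples, oldest first."""
    rows = []
    for line in log.splitlines():
        ts, event, user, host, detail = line.split("|", 4)
        rows.append((datetime.fromisoformat(ts), event, user, host, detail))
    return sorted(rows, key=lambda r: r[0])

def extension_changed(detail):
    """True for 'src -> dst' renames whose extension differs (e.g. .pdf -> .pdf.lock)."""
    if " -> " not in detail:
        return False
    src, dst = detail.split(" -> ", 1)
    return src.rsplit(".", 1)[-1] != dst.rsplit(".", 1)[-1]

def sliding_burst(rows, match, key_fn, window_s, threshold):
    """Count matching events per key in a sliding window; return keys that reach threshold."""
    recent, hits = defaultdict(deque), {}
    for ts, event, user, host, detail in rows:
        if not match(event, detail):
            continue
        key = key_fn(user, host, detail)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            hits[key] = max(hits.get(key, 0), len(q))
    return hits

def detect_mass_encryption(rows, window_s=60, threshold=20):
    """Flag (user, host) pairs renaming many files to a new extension within window_s."""
    return sliding_burst(rows, lambda e, d: e == "FILE_RENAME" and extension_changed(d),
                         lambda u, h, d: (u, h), window_s, threshold)

def detect_failed_logins(rows, window_s=300, threshold=5):
    """Flag (account, source) pairs with repeated failed logins within window_s."""
    return sliding_burst(rows, lambda e, d: e == "LOGIN_FAIL",
                         lambda u, h, d: (u, d), window_s, threshold)
```

Real deployments tune the thresholds per file server and feed the hits to the EDR or SIEM rather than printing them; the ordinary rename by jdoe in the sample is deliberately left unflagged because its extension does not change.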
Regulatory Outlook
OCR’s 2025 Notice of Proposed Rulemaking (NPRM) includes several changes relevant to ransomware defense:
- Annual (vs. biennial) risk assessments required
- Mandatory multi-factor authentication (MFA) for all ePHI access
- Stricter business associate agreement (BAA) requirements for vendors
The Comprehensive Neurology settlement serves as a warning that OCR now holds even small practices accountable for ransomware preparedness. With healthcare breaches costing an average of $10.1 million per incident in 2025 [10], proactive security measures are both a compliance necessity and financial imperative.
References
1. “HHS OCR Settles HIPAA Ransomware Cybersecurity Investigation with Comprehensive Neurology, PC.” HHS.gov, 2025. [Online]. Available: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/comprehensive-neurology-ra-cap/index.html
2. “OCR Resolution Agreement: Cascade Eye & Skin Centers.” HHS.gov, 2024. [Online]. Available: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cascade-eye-skin-centers-ra-cap/index.html
3. “Healthcare Breach Report 2025.” MLO Online, 2025. [Online]. Available: https://www.mlo-online.com
4. “HIPAA Security Rule.” HHS.gov, 2025. [Online]. Available: https://www.hhs.gov/hipaa/for-professionals/security/index.html
5. “OCR Enforcement Actions 2015-2025.” HIPAA Journal, 2025. [Online]. Available: https://www.hipaajournal.com
6. “UnitedHealth Breach Analysis.” HIPAA Journal, 2024. [Online]. Available: https://www.hipaajournal.com/anthem-breach-details
7. “OCR Audit Program.” HHS.gov, 2025. [Online]. Available: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
8. “Stop Ransomware Guide.” CISA, 2025. [Online]. Available: https://www.cisa.gov/stopransomware
9. “2025 Data Breach Investigations Report.” Verizon, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
10. “Cost of a Data Breach Report 2025.” Ponemon Institute, 2025. [Online]. Available: https://www.ponemon.org