In April 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a HIPAA enforcement settlement with Comprehensive Neurology, PC, a New York-based neurology practice, in connection with a ransomware incident that compromised the electronic protected health information (“ePHI”) of approximately 6,800 individuals.

This case marks OCR’s 12th ransomware-related enforcement action and its 8th under the agency’s Risk Analysis Initiative – an enforcement effort focused on driving compliance with the HIPAA Security Rule’s risk analysis provision.

According to the OCR, Comprehensive Neurology failed to conduct an accurate and thorough risk analysis to assess potential risks to the confidentiality, integrity and availability of ePHI. This failure came to light following a December 2020 breach report stating that Comprehensive Neurology’s IT network had been encrypted and rendered inaccessible due to a ransomware attack. The affected data included patient names, clinical and insurance information, demographic information, Social Security numbers and government-issued IDs.

Under the terms of the settlement, Comprehensive Neurology agreed to pay $25,000 and adopt a two-year corrective action plan. Required steps include conducting a comprehensive risk analysis, implementing a risk management plan, updating HIPAA policies and procedures and training staff on HIPAA Security Rule requirements.

This latest settlement reinforces OCR’s continued focus on ensuring covered entities assess and manage cybersecurity risks before incidents occur.