New Jersey Neurology Practice Fined $25,000 over Ransomware Incident

Filip TRUȚĂ

April 29, 2025

A New Jersey neurology practice has agreed to pay a $25,000 penalty to settle a case with the US Department of Health and Human Services (HHS) over a ransomware incident that likely compromised the security and privacy of nearly 7,000 people.

Comprehensive Neurology is an adult and pediatric neurology practice based in Hamilton, the most populous municipality in Mercer County, in the eastern U.S. state.

The clinic diagnoses and treats a wide range of neurological disorders, including epilepsy, stroke, multiple sclerosis, ADD/ADHD, headaches and migraines, movement and neuromuscular disorders, dementias and dizziness. It also offers in-office testing such as EEGs and ambulatory EEGs for diagnosis of epilepsy and EMG/nerve conduction studies for diagnosis of neuromuscular disorders. It boasts “admitting privileges at top nationally ranked hospitals throughout the region.”

The neuro practice suffered a ransomware attack in 2020, prompting an investigation by the HHS.

Locked out of its own IT network

On Dec. 17, 2020, the HHS’s Office for Civil Rights (OCR) received a breach notification report from Comprehensive Neurology saying that “on December 14, 2020, Comprehensive became aware of an issue with its systems when an employee discovered that they could not access medical records.”

Comprehensive immediately started an internal investigation and determined that “it had been subjected to ransomware and that 6,800 individuals may have been affected by the breach incident,” according to the settlement papers.

HHS’ investigation found that “Comprehensive failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to ePHI held by Comprehensive,” reads the agreement.

Comprehensive has agreed to pay the health regulator $25,000 to settle the matter, and will carry out a corrective action plan, which includes conducting a thorough risk assessment, implementing a risk management plan, and training staff to spot unusual activity on the network.

Read: How Scammers Stole $20 Million by Hacking Emails of Real Estate Agents – Here’s Why Small Firms Must Take Cybersecurity Seriously

Don’t let this happen to you

Last month, the UK Information Commissioner’s Office (ICO) issued a £3 million fine to British IT service provider Advanced Software over the company’s poor security posture during an encounter with hackers in 2022.

Read: £3 Million Fine for a Victim of LockBit Ransomware

As we note in our guide Small Office, Big Threats: 7 Ways to Cyber-Proof Your Business in 2025, running even a small firm comes with big risks.

If you run a small business, be sure to thoroughly review your cybersecurity posture to avoid a similar fate.

Bitdefender strongly recommends deploying a dedicated security solution to reduce the chances of a successful breach.

Bitdefender Ultimate Small Business Security is an extended version of our consumer-friendly security suite, designed specifically for small firms. It includes malware detection, ransomware prevention, email protection, account breach protection, scam protection, and VPN. It can be administered by anyone in your organization thanks to a natural, intuitive dashboard designed for use even by non-techies.

Advice for Comprehensive Neurology customers

Anyone affected by a data breach should consider a data monitoring service. Bitdefender Digital Identity Protection lets you know if your data has been caught up in a breach or has been compromised or leaked online, as well as what risks you face and how to protect yourself.

Personal, health, and financial info stolen in breaches fuels socially engineered scams and fraud. When in doubt about a suspicious text, phone call, or social media interaction that cites your personal data, Bitdefender recommends using Scamio, our free, scam-fighting AI bot. You can share with Scamio the exact thing you want to check, such as a screenshot, link, or QR code – or simply describe the situation to our chatbot in your own words. Scamio lets you know in seconds if it’s a sham.

For peace of mind, consider using a security solution on all your personal devices.

Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
