Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Syracuse ASC, LLC, doing business as Specialty Surgery Center of Central New York, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules. Syracuse ASC is a single-facility ambulatory surgery center located in Liverpool, New York, that provides ophthalmic and ENT surgical services and pain management procedures to patients.
The settlement resolves an OCR investigation concerning a ransomware breach of ePHI that affected 24,891 individuals. OCR initiated the investigation in October 2021 after Syracuse ASC reported to HHS that an unauthorized individual had accessed its network in March 2021. Further investigation revealed that Syracuse ASC had been hit by a ransomware attack involving the PYSA ransomware variant, a cross-platform ransomware family known to target the healthcare industry. OCR's investigation found that Syracuse ASC had never conducted an accurate and thorough risk analysis to determine the risks and vulnerabilities to the ePHI it held. OCR also found that Syracuse ASC failed to notify affected individuals and the Secretary of the breach in a timely manner.
Under the terms of the resolution agreement, Syracuse ASC agreed to implement a corrective action plan that OCR will monitor for 2 years and paid $250,000 to OCR. Under the corrective action plan, Syracuse ASC committed to take steps to ensure compliance with the HIPAA Rules and protect the security of ePHI, including:
- Conducting an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Reviewing, and to the extent necessary, revising, certain written policies and procedures to comply with the HIPAA Rules; and
- Providing annual training for workforce members on its written HIPAA policies and procedures.
The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/ocr-hipaa-racap-syracuse-asc.pdf [PDF, 175 KB].
As is usually the case, there is no admission of any wrongdoing or guilt. DataBreaches notes that if HHS OCR found Syracuse out of compliance with the timely notification requirement because notification was seven months after the breach (the date of discovery was not reported), then why isn’t it penalizing many more entities who are even more delayed in their notifications?
Read more at HHS.