The U.S. Department of Health and Human Services (HHS) has reached a $250,000 settlement with Syracuse ASC LLC, doing business as Specialty Surgery Center of Central New York, over a ransomware breach that compromised the protected health information (PHI) of nearly 25,000 individuals.
Announced July 23 by HHS’s Office for Civil Rights (OCR), the settlement addresses potential violations of the HIPAA Security and Breach Notification Rules. It also includes a two-year corrective action plan placing the ambulatory surgery center (ASC) under federal monitoring.
The case traces back to a March 2021 cyberattack involving the PYSA ransomware variant, a known threat to health care providers.
OCR launched its investigation later that year after Syracuse ASC self-reported that an unauthorized party had accessed its network. The agency concluded that the ASC had failed to conduct a HIPAA-compliant risk analysis and had not notified affected patients or HHS of the breach within the required timeframe (the Breach Notification Rule requires notice without unreasonable delay and no later than 60 calendar days after a breach is discovered). Both obligations are required under federal law.
“Conducting a thorough HIPAA-compliant risk analysis (and developing and implementing risk management measures to address any identified risks and vulnerabilities) is even more necessary as sophisticated cyberattacks increase,” OCR Director Paula M. Stannard said in a statement. “HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”
As part of the settlement, Syracuse ASC must assess its security vulnerabilities, adopt a risk management strategy, revise HIPAA-related policies and procedures, and train its workforce annually.
The ASC, located in Liverpool, New York, provides ophthalmic, ENT and pain management procedures.
OCR’s announcement also served as a broader warning to health care organizations about growing cyberthreats.
The agency encourages regular risk assessments, robust data encryption, access controls and frequent staff training to avoid compliance failures.
Organizations that suffer a breach of unsecured PHI must notify affected individuals directly and report the breach to HHS through its breach reporting portal. OCR has published the full resolution agreement with Syracuse ASC.
ASCs have been particularly vulnerable to cyber threats in recent years.
In another recent example, Covenant Surgical Partners — a Nashville, Tennessee-based operator of single and limited-specialty ASCs — reported a data breach impacting 88,609 individuals.