Syracuse ASC Pays $250K to Resolve Violations of HIPAA Risk Analysis and Breach Notification Law

Director Paula M. Stannard of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the 18th HIPAA penalty of 2025. Syracuse ASC, dba Specialty Surgery Center of Central New York, an ambulatory surgery center in Liverpool, New York, agreed to pay a $250,000 financial penalty to resolve alleged violations of the HIPAA Security Rule and the HIPAA Breach Notification Rule.

OCR investigated Syracuse ASC following a data breach report received on October 14, 2021, regarding a hacking incident that resulted in unauthorized access to the protected health information (PHI) of 24,891 current and former patients. The threat actor had access to its systems between March 14, 2021, and March 31, 2021, and may have acquired names, dates of birth, Social Security numbers, financial data, and clinical treatment data. OCR's investigation determined that the incident was a ransomware attack in which PYSA ransomware was deployed.

OCR's investigation revealed that Syracuse ASC had not performed an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information (ePHI), as required by the HIPAA Security Rule – 45 C.F.R. §164.308(a)(1)(ii)(A). OCR also determined that Syracuse ASC failed to notify the HHS Secretary and the affected individuals in a timely manner. Syracuse ASC discovered the breach on March 31, 2021, but did not issue notifications for six and a half months. Under the HIPAA Breach Notification Rule – 45 C.F.R. § 164.404(b) and 45 C.F.R. § 164.408(b) – covered entities must issue breach notifications without unreasonable delay and no later than 60 calendar days after discovering a breach.

OCR agreed to resolve the alleged HIPAA violations through a settlement. Syracuse ASC has agreed to pay a $250,000 penalty and to implement a corrective action plan to ensure compliance with the HIPAA Rules. The corrective action plan requires Syracuse ASC to conduct an accurate and thorough risk analysis; develop and implement a risk management plan; develop, implement, and maintain policies and procedures to comply with the HIPAA Rules; distribute those policies and procedures to its workforce; and provide its workforce with annual training on those HIPAA policies and procedures.

“Performing a comprehensive, HIPAA-compliant risk analysis (and developing and implementing risk management measures to address any identified risks and vulnerabilities) is all the more important given the increase in sophisticated cyberattacks. Cyberattackers commonly target HIPAA-covered entities and business associates that fail to implement the HIPAA Security Rule's requirements.”

Image credit: Gorodenkoff, AdobeStock / logo©HHS


Posted by John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years' experience.