Syracuse ASC fined $250K for Ransomware

Risk Mitigation from Cyber Attacks

A Costly Reminder of HIPAA’s Ransomware Readiness Requirements

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Syracuse ASC, LLC, doing business as Specialty Surgery Center of Central New York, for potential violations of the HIPAA Security and Breach Notification Rules. This case marks OCR’s 14th ransomware enforcement action, reinforcing the growing federal focus on cybersecurity preparedness across the healthcare sector.

History

Syracuse ASC is a single-facility ambulatory surgery center in Liverpool, New York, specializing in ophthalmic, ENT, and pain management procedures. In March 2021, the center experienced a ransomware attack involving the PYSA variant—a sophisticated cross-platform malware known for targeting healthcare organizations.

The incident compromised electronic protected health information (ePHI) for 24,891 individuals. OCR initiated an investigation in October 2021 after Syracuse ASC reported the breach to HHS. The investigation revealed that the center had never conducted an accurate and thorough HIPAA risk analysis, as required by the Security Rule. OCR also found that Syracuse ASC failed to provide timely breach notifications to both affected individuals and HHS.

Settlement Terms

Under the Resolution Agreement, Syracuse ASC agreed to:

  • Pay $250,000 to HHS OCR.
  • Implement a Corrective Action Plan (CAP) monitored for two years.

The CAP requires Syracuse ASC to:

  • Conduct a complete and thorough risk analysis of ePHI systems.
  • Develop and implement a risk management plan to address identified vulnerabilities.
  • Review and revise policies and procedures to ensure compliance with HIPAA.
  • Provide annual HIPAA training for all workforce members handling PHI.

OCR’s Message: Ransomware Risks Are Real

OCR Director Paula M. Stannard stressed the critical importance of proactive cybersecurity, stating:

“Conducting a thorough HIPAA-compliant risk analysis—and developing and implementing risk management measures to address identified risks and vulnerabilities—is even more necessary as sophisticated cyberattacks increase. HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”

This case underscores that failing to complete and document a proper risk analysis not only weakens an organization’s defenses but also constitutes a direct violation of the HIPAA Security Rule.

The Role of the Breach Notification Rule

In addition to security failures, OCR determined that Syracuse ASC violated the HIPAA Breach Notification Rule, which requires covered entities and their business associates to:

  • Notify affected individuals without unreasonable delay (no later than 60 days after discovery).
  • Report the breach to HHS within the same timeframe.
  • Document the scope, cause, and mitigation actions taken.

Delayed notification denies patients their right to act quickly to protect their personal and financial information and signals poor incident response readiness.

OCR’s Recommendations for Preventing Cyber Threats

To help prevent or mitigate ransomware and other cyber threats, OCR recommends that all healthcare entities and business associates:

  • Identify where ePHI is stored, transmitted, and processed across all systems.
  • Conduct and regularly update risk analyses.
  • Implement and maintain a risk management plan addressing identified threats.
  • Establish audit controls to monitor system activity.
  • Authenticate all users accessing ePHI.
  • Encrypt ePHI both at rest and in transit.
  • Incorporate lessons learned from past incidents into the security program.
  • Provide ongoing, role-specific HIPAA training for all staff.

Summary

Ransomware attacks are no longer rare events – they’re a daily threat to healthcare organizations of all sizes. OCR’s 14th ransomware enforcement action makes one thing clear: a missing or incomplete risk analysis is a direct pathway to vulnerability and liability.

Every covered entity and business associate must have a documented risk analysis and risk management plan. This is not just for compliance, but to protect patients, data, and the integrity of their operations.

At Aris Medical Solutions, our online HIPAA Keeper™ is an all-in-one, secure, cloud-based system that helps healthcare providers and business associates simplify compliance by maintaining up-to-date policies, procedures, HIPAA training, and documentation to meet every aspect of the HIPAA Privacy and Security Rules.

Protect your practice before an attack happens. Schedule your HIPAA compliance review today and protect your organization from the next enforcement headline.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients who understand why and what needs to be done to protect their practice have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
