An ASC in Liverpool, N.Y., has reached a settlement with the U.S. Department of Health and Human Services Office for Civil Rights over alleged violations of the HIPAA Security and Breach Notification Rules, according to a July 23 HHS news release.
What happened?
- The investigation began after Syracuse ASC, which provides ophthalmic, ENT surgical services and pain management procedures, reported a ransomware attack in March 2021. The breach compromised the electronic protected health information of 24,891 individuals.
- The incident involved the PYSA ransomware variant, a sophisticated, cross-platform malware known for targeting the healthcare sector.
- OCR determined that Syracuse ASC had not conducted a thorough and accurate risk analysis to identify potential threats to patient information. The center also failed to notify affected individuals and HHS of the breach in a timely manner, as required by the HIPAA Breach Notification Rule.
- To resolve the allegations, Syracuse ASC agreed to a $250,000 financial settlement. Additionally, the center will implement a two-year corrective action plan, which will be monitored by OCR to ensure compliance with HIPAA requirements.
