An ASC in Liverpool, N.Y., has reached a settlement with the U.S. Department of Health and Human Services Office for Civil Rights over alleged violations of the HIPAA Security and Breach Notification Rules, according to a July 23 HHS news release.
What happened?
- The investigation began after Syracuse ASC, which provides ophthalmic, ENT surgical services and pain management procedures, reported a ransomware attack in March 2021. The breach compromised the electronic protected health information of 24,891 individuals.
- The incident involved the PYSA ransomware variant, a sophisticated, cross-platform malware known for targeting the healthcare sector.
- OCR determined that Syracuse ASC had not conducted a thorough and accurate risk analysis to identify potential threats to patient information. The center also failed to notify affected individuals and HHS of the breach in a timely manner, as required by the HIPAA Breach Notification Rule.
- To resolve the allegations, Syracuse ASC agreed to a $250,000 financial settlement. Additionally, the center will implement a two-year corrective action plan, which will be monitored by OCR to ensure compliance with HIPAA requirements.
At the Becker's 23rd Annual Spine, Orthopedic and Pain Management-Driven ASC + The Future of Spine Conference, taking place June 11-13 in Chicago, spine surgeons, orthopedic leaders and ASC executives will come together to explore minimally invasive techniques, ASC growth strategies and innovations shaping the future of outpatient spine care. Apply for complimentary registration now.
