Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. OCR resolves ransomware incident, delayed breach notification

      Articles

    Article

    OCR resolves ransomware incident, delayed breach notification

    July 31, 2025

    LinkedInX (Twitter)EmailCopy URL

    By Valerie Montague, Meredith LaMaster and Grace Connelly

    OCR’s recent enforcement action against a New York-based ASC underscores the need to regularly conduct an accurate and thorough risk analysis and provide timely notification to impacted individuals and the HHS Secretary upon occurrence of a breach.

    On July 23, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $250,000 financial settlement and two-year corrective action plan (CAP) against New York-based Syracuse ASC, LLC, d/b/a Specialty Surgery Center of New York (Syracuse ASC), for alleged violations of the HIPAA Security and Breach Notification Rules.

    Delayed breach notification reveals lack of risk analysis

    Syracuse ASC is a single-facility, ambulatory surgery center (ASC) that provides ophthalmic and ENT surgical services and pain management procedures. Following receipt of a breach notification report from Syracuse ASC involving an incident that occurred from March 14 to March 31, 2021, OCR learned that a threat actor gained access to Syracuse ASC’s network and its patients’ electronic protected health information (ePHI). The report indicated that the breach impacted 24,891 current and former patients and included patient names, dates of birth, social security numbers, financial information, and clinical treatment information.

    Throughout the course of its investigation, OCR became aware that Syracuse ASC’s system was accessed during a ransomware attack involving the PYSA ransomware variant, a weapon notorious for attacking healthcare entities. The investigation also revealed that Syracuse ASC failed to conduct an accurate and thorough risk analysis and notify impacted individuals and the HHS Secretary within the required sixty-day timeframe following a breach of unsecured protected health information (PHI).

    Wide-ranging enforcement posture

    While a lack of risk analysis is noted, this enforcement action emphasizes that OCR is pursuing HIPAA enforcement beyond its Right of Access and Risk Analysis Initiatives.

    This settlement is OCR’s fourteenth ransomware enforcement action. Like other recent ransomware enforcement actions, including with Comstar, LLC, and Cascade Eye and Skin Centers, P.C., Syracuse ASC agreed to a two-year CAP. Syracuse ASC’s CAP, however, requires it to review and revise its Breach Notification Rule Policies and Procedures, following the delayed breach notification. The CAP is broader than recent CAPs that focus on OCR’s initiatives, such as the Risk Analysis Initiative. This indicates OCR’s focus is not only on its targeted initiatives but also on alleged violations that fall outside these categories.

    Prevention and mitigation of cybersecurity threats through HIPAA compliance

    In an email release, describing the enforcement, OCR Director Paula M. Stannard reiterated the need to conduct thorough and accurate risk analyses to respond to the increase in sophisticated cyberattacks, specifically noting that covered entities and business associates “make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”

    HIPAA-regulated entities should implement the following to prevent or mitigate cybersecurity risks presented by threat actors:

    • Identify the location of all ePHI within an organization, including the entry, flow through, and exit of ePHI within the organization’s information systems.
    • At least annually, conduct a risk analysis and develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Update the risk analysis whenever environmental or operational changes affecting the security of ePHI occur within the organization, including after a security incident.
    • Implement audit controls to record and analyze information system traffic; conduct regular reviews of this activity.
    • Implement user authentication procedures for individuals seeking access to ePHI.
    • To prevent unauthorized access to ePHI, encrypt such information in transit and at rest.
    • Conduct regular organization-specific HIPAA training for workforce members with access to PHI.

    Practices

    HealthcareHealthcare Regulatory & ComplianceLife Sciences & Healthcare Compliance and Investigations

    Industries

    Healthcare

    Insights And Happenings

    • Alert

      Updated—One Big Beautiful Bill Act’s restriction on family planning services

      July 28, 2025
    • Alert

      DOJ-HHS False Claims Act Working Group re-established

      July 22, 2025
    • Alert

      Healthcare trends we're watching

      July 16, 2025
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved