On July 23, 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $250,000 financial settlement and two-year corrective action plan (CAP) against New York-based Syracuse ASC, LLC, d/b/a Specialty Surgery Center of New York (Syracuse ASC), for alleged violations of the HIPAA Security and Breach Notification Rules.
Delayed breach notification reveals lack of risk analysis
Syracuse ASC is a single-facility, ambulatory surgery center (ASC) that provides ophthalmic and ENT surgical services and pain management procedures. Following receipt of a breach notification report from Syracuse ASC involving an incident that occurred from March 14 to March 31, 2021, OCR learned that a threat actor gained access to Syracuse ASC’s network and its patients’ electronic protected health information (ePHI). The report indicated that the breach impacted 24,891 current and former patients and included patient names, dates of birth, social security numbers, financial information, and clinical treatment information.
Throughout the course of its investigation, OCR became aware that Syracuse ASC’s system was accessed during a ransomware attack involving the PYSA ransomware variant, a weapon notorious for attacking healthcare entities. The investigation also revealed that Syracuse ASC failed to conduct an accurate and thorough risk analysis and notify impacted individuals and the HHS Secretary within the required sixty-day timeframe following a breach of unsecured protected health information (PHI).
Wide-ranging enforcement posture
While a lack of risk analysis is noted, this enforcement action emphasizes that OCR is pursuing HIPAA enforcement beyond its Right of Access and Risk Analysis Initiatives.
This settlement is OCR’s fourteenth ransomware enforcement action. Like other recent ransomware enforcement actions, including with Comstar, LLC, and Cascade Eye and Skin Centers, P.C., Syracuse ASC agreed to a two-year CAP. Syracuse ASC’s CAP, however, requires it to review and revise its Breach Notification Rule Policies and Procedures, following the delayed breach notification. The CAP is broader than recent CAPs that focus on OCR’s initiatives, such as the Risk Analysis Initiative. This indicates OCR’s focus is not only on its targeted initiatives but also on alleged violations that fall outside these categories.
Prevention and mitigation of cybersecurity threats through HIPAA compliance
In an email release, describing the enforcement, OCR Director Paula M. Stannard reiterated the need to conduct thorough and accurate risk analyses to respond to the increase in sophisticated cyberattacks, specifically noting that covered entities and business associates “make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”
HIPAA-regulated entities should implement the following to prevent or mitigate cybersecurity risks presented by threat actors:
- Identify the location of all ePHI within an organization, including the entry, flow through, and exit of ePHI within the organization’s information systems.
- At least annually, conduct a risk analysis and develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Update the risk analysis whenever environmental or operational changes affecting the security of ePHI occur within the organization, including after a security incident.
- Implement audit controls to record and analyze information system traffic; conduct regular reviews of this activity.
- Implement user authentication procedures for individuals seeking access to ePHI.
- To prevent unauthorized access to ePHI, encrypt such information in transit and at rest.
- Conduct regular organization-specific HIPAA training for workforce members with access to PHI.