New York Surgery Center Pays $250K to Settle HIPAA Risk Analysis; Breach Notification Violations
Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Director, Paula M. Stannard, has announced OCR’s 18th HIPAA penalty of the year. Syracuse ASC, which does business as Specialty Surgery Center of Central New York, a single-facility ambulatory surgery center in Liverpool, New York, has agreed to settle alleged violations of the HIPAA Security Rule and HIPAA Breach Notification Rule and will pay a $250,000 financial penalty.
OCR launched an investigation of Syracuse ASC after receiving a data breach notification report on October 14, 2021, about a hacking incident involving unauthorized access to the protected health information of 24,891 current and former patients. A threat actor had access to its network from March 14, 2021, through March 31, 2021, and potentially obtained names, dates of birth, Social Security numbers, financial information, and clinical treatment information. OCR investigation confirmed that this was a ransomware attack involving PYSA ransomware.
OCR’s investigation uncovered no evidence to suggest that Syracuse ASC had ever conducted a risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information, as required by the HIPAA Security Rule – 45 C.F.R. §164.308(a)(1)(ii)(A). OCR also determined that Syracuse ASC had failed to issue timely notifications to the HHS Secretary and the affected individuals. The data breach was identified on March 31, 2021, yet notifications were not issued for six and a half months. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach – 45 C.F.R. § 164.404(b) and 45 C.F.R. § 164.408(b).
Syracuse ASC was given the opportunity to resolve the alleged HIPAA violations informally, and the case was settled. Syracuse ASC has agreed to pay a $250,000 penalty and adopt a corrective action plan to ensure compliance with the HIPAA Rules. The corrective action plan requires Syracuse ASC to conduct an accurate and thorough risk analysis; develop and implement a risk management plan; develop, implement and maintain policies and procedures to ensure compliance with the HIPAA Rules; distribute those policies and procedures to the workforce; and provide the workforce with training on those policies and procedures at least every 12 months.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
“Conducting a thorough HIPAA-compliant risk analysis (and developing and implementing risk management measures to address any identified risks and vulnerabilities) is even more necessary as sophisticated cyberattacks increase,” said OCR Director Paula M. Stannard. “HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”
