The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $250,000 settlement with Syracuse ASC, LLC, doing business as Specialty Surgery Center of Central New York, resolving allegations of violations of the HIPAA Security and Breach Notification Rules. The enforcement followed a ransomware breach reported in October 2021 involving the PYSA variant that exposed electronic protected health information (ePHI) of 24,891 individuals.
As we have covered before, organizations in the healthcare space are not only under greater scrutiny now than ever, but are also targets of HIPAA litigation, both from private rights of action and from the government via HHS. If you’d like help getting your website and healthcare organization compliant, connect with a Captain Compliance team member today to learn how we can assist with your data privacy requirements and help mature your internal privacy program.
Incident and OCR Findings
The breach occurred between March 14 and March 31, 2021. OCR’s investigation found that Syracuse ASC had:
- Never conducted a required, “accurate and thorough” HIPAA risk analysis
- Failed to notify affected individuals and the HHS Secretary within the required 60‑day timeframe
Enforcement Measures
As part of the resolution:
- Syracuse ASC agreed to pay $250,000 in settlement
- A two-year corrective action plan (CAP) will be monitored by OCR, including requirements to conduct risk assessments, revise policies, and implement annual workforce HIPAA training
OCR’s Warning
OCR Director Paula M. Stannard stressed:
“Conducting a thorough HIPAA-compliant risk analysis (and developing and implementing risk management measures to address any identified risks and vulnerabilities) is even more necessary as sophisticated cyberattacks increase. HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”
Why This Matters
- This case represents OCR’s 14th ransomware enforcement action, highlighting growing federal scrutiny of cybersecurity failures in healthcare
- It shows that even small, single-site facilities can face severe consequences
- The combination of unperformed risk assessments and untimely breach notification underlines two of OCR’s most frequently enforced violations.
Best Practices
OCR guidance emphasizes critical compliance steps that every HIPAA-covered organization should take:
- Identify all locations where ePHI is maintained, how it flows, and how it exits your systems.
- Conduct and regularly update a comprehensive risk analysis—and follow it with a documented risk management plan.
- Implement technical safeguards: encryption, audit controls, user authentication, monitoring of system activity.
- Maintain robust breach notification processes: notify affected individuals and the HHS Secretary within 60 calendar days of discovering a breach.
- Ensure workforce members receive regular, role‑specific HIPAA training and certify compliance annually.
How To Protect Against OCR Fines?
The OCR settlement with Syracuse ASC is a reminder that cybersecurity diligence and HIPAA compliance cannot be overlooked, even by modest healthcare providers. Fines of $250,000, multi-year CAP obligations, and potential reputational damage reflect the real cost of gaps in risk analysis and breach response, so good cybersecurity should always be tied to good privacy practices.