Syracuse ASC, also known as Specialty Surgery Center of Central New York, has been fined $250,000 to resolve violations of the HIPAA Security Law and Breach Notification Law. OCR was able to confirm that the incident was a ransomware attack using the PYSA variant. The data breach dates back to March 2021, when unauthorized access to the ePHI of a reported 24,891 patients occurred. The threat actor potentially stole names, birth dates, Social Security numbers, financial data, and clinical information. The breach was not reported to the affected individuals until October 2021.
OCR's investigation revealed that Syracuse ASC committed two violations of Health Insurance Portability and Accountability Act (HIPAA): the failure to conduct a comprehensive, enterprise-wide risk analysis as mandated by the HIPAA Security Rule and the failure to provide timely breach notifications as required by the HIPAA Breach Notification Rule.
The primary and most critical violation was the center's failure to conduct a thorough and accurate risk analysis. A risk analysis is considered the foundational requirement for cybersecurity compliance under HIPAA. Without this essential assessment, an organization cannot accurately identify and mitigate potential vulnerabilities to its ePHI. The failure to perform a risk analysis is not merely a technicality; it is a strategic vulnerability that threat actors actively exploit. As OCR Director Paula M. Stannard has stated, healthcare entities that do not implement the HIPAA Security Rule requirements "make themselves soft targets for cyberattacks".
In addition to the security failure, Syracuse ASC violated the HIPAA Breach Notification Rule. Notification of the affected individuals was delayed by approximately six and a half months, which significantly exceeded the 60-day notification deadline required by the HIPAA Breach Notification Rule. The delay prevented individuals from taking timely action to protect themselves from potential identity theft or fraud. While a "substantial data validation process" was cited as the cause of the delay, this is not a legally sufficient reason, as the 60-day timeframe begins upon the discovery of the breach, not the completion of an investigation.
OCR has made it clear that it is negligent for medical providers to fail to conduct a Security Risk Analysis. At TLD Systems, we make this process comprehensive yet easy to understand. Our program provides an online platform to track the safeguards in place at your office, an expert support team to answer your questions, and a customized mitigation plan to guide your next steps. What can feel overwhelming becomes a valuable benefit for your practice, helping you stay compliant, reduce risk, and protect your patients.
If you have not used TLD Systems in the past, please contact us. You will find that the money you spend to have us assist you will save you time and money in the long run over trying to do this yourself.
For more information contact TLD Systems at (631) 403 6687.