OCR Fines Surgery Center After HIPAA Breach Exposes Nearly 25,000 Records
A Liverpool, New York surgery center has agreed to pay a $250,000 penalty for potential violations of the HIPAA Security and Breach Notification Rules. On July 23, the HHS Office for Civil Rights (OCR) announced the settlement with Syracuse ASC, a provider of ophthalmic and ENT surgical services and pain management procedures.
The settlement resolves an OCR investigation into a ransomware breach of the electronic protected health information (ePHI) of 24,891 individuals. OCR opened the investigation in October 2021 after Syracuse ASC reported to HHS that an unauthorized individual had accessed its network in March 2021. The incident involved the PYSA ransomware variant, a cross-platform strain known to target the healthcare industry.
OCR Finds Gaps in Risk Analysis and Breach Notification Compliance
OCR determined that Syracuse ASC never conducted an accurate and thorough risk analysis to determine the risks and vulnerabilities to the ePHI it held. The center also failed to notify affected individuals and HHS of the breach in a timely manner, as required by the HIPAA Breach Notification Rule.
“Conducting a thorough HIPAA-compliant risk analysis (and developing and implementing risk management measures to address any identified risks and vulnerabilities) is even more necessary as sophisticated cyberattacks increase,” said OCR Director Paula M. Stannard. “HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”
OCR Imposes Corrective Action Plan
Under the terms of the resolution agreement, Syracuse ASC paid $250,000 to OCR and agreed to implement a corrective action plan that OCR will monitor for two years. Under the plan, the center committed to the following steps to ensure compliance with the HIPAA Rules and protect the security of ePHI:
- Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Review, and to the extent necessary, revise, certain written policies and procedures to comply with the HIPAA Rules; and
- Provide annual training for workforce members on its written HIPAA policies and procedures.
HIPAA Security Tips: Risk Analysis, Encryption, and Training
In addition, OCR recommended that all HIPAA-covered entities ensure the following processes are in place to prevent or mitigate cyber threats:
- Identify the location of ePHI within the organization, including how it enters, flows through, and exits the organization’s information systems.
- Periodically conduct and update, as needed, a risk analysis, and develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular reviews of information system activity.
- Implement procedures to authenticate users seeking access to ePHI.
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training tailored to their respective job duties and the organization’s specific needs.
HIPAA Security Rule Updates:
Learn about significant changes being made to the HIPAA Security Rule that aim to strengthen the protection of ePHI and address cybersecurity threats in our article: Comments Deadline Closes for HIPAA Security Rule Proposed Changes.
HIPAA Security Risk Analysis
PrivaPlan Associates is recognized as a leading HIPAA consulting company for a reason: we have the tools, training, and support to keep you proactive in HIPAA compliance.