Syracuse Surgery Center pays $250K over ransomware breach

Syracuse ASC, LLC has agreed to a $250,000 settlement with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) following a ransomware attack that exposed nearly 25,000 patient records.

What happened

On July 24, 2025, OCR announced its 14th ransomware enforcement action, this time involving Syracuse ASC, an ambulatory surgery center in New York. The investigation stemmed from a March 2021 ransomware breach using the PYSA variant, which compromised the electronic protected health information (ePHI) of 24,891 individuals.

OCR’s probe revealed that Syracuse ASC had never conducted a required HIPAA-compliant risk analysis and failed to provide timely notification of the breach, violating both the Security Rule and Breach Notification Rule.

The settlement includes a two-year corrective action plan monitored by OCR and a $250,000 penalty. Syracuse ASC will now be required to assess its security risks, revise HIPAA-related policies, and train staff annually.

Going deeper

Under the corrective action plan, Syracuse ASC must:

  • Conduct a thorough and accurate risk assessment
  • Develop and implement a risk management strategy
  • Revise policies and procedures to comply with HIPAA
  • Train workforce members annually on HIPAA compliance

OCR also advises all covered entities and business associates to:

  • Identify all ePHI data flows
  • Regularly update risk analyses and risk management plans
  • Monitor system activity and implement audit controls
  • Encrypt ePHI at rest and in transit
  • Incorporate breach lessons into future security planning

What was said

“Conducting a thorough HIPAA-compliant risk analysis (and developing and implementing risk management measures to address any identified risks and vulnerabilities) is even more necessary as sophisticated cyberattacks increase,” said OCR Director Paula M. Stannard in the HHS press release.

Furthermore, “HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”

By the numbers

  • 24,891: Number of individuals impacted by the ransomware breach
  • 2021: Year Syracuse ASC reported the breach to OCR
  • $250,000: Settlement amount paid to OCR
  • 2 years: Duration of corrective action plan oversight by OCR
  • 14: Total ransomware enforcement actions by OCR to date

In the know

PYSA (also known as Mespinoza) is a ransomware strain that targets large organizations, especially in the healthcare and education sectors. Known for double-extortion tactics, where data is both encrypted and exfiltrated, PYSA attacks often result in significant regulatory and financial consequences.

The big picture

Healthcare remains a major target for cybercriminals, and OCR continues to signal that non-compliance, particularly failure to perform risk assessments, will not be tolerated. Failing to conduct regular risk assessments leaves these organizations vulnerable to cyberattacks, potentially compromising patient safety and privacy.

Healthcare organizations must conduct thorough and regular risk assessments to identify and address vulnerabilities in their systems. Failure to do so puts patient data at risk and undermines the trust and reputation of the healthcare organization.

FAQs

Who needs to comply with HIPAA?

HIPAA compliance is required for covered entities, including healthcare providers, health plans, healthcare clearinghouses, and their business associates, who handle protected health information (PHI).

What is a ransomware attack?

Ransomware attacks are a type of cyberattack in which attackers gain unauthorized access to a computer, encrypt its data, and demand payment in exchange for restoring access to that data.

Attackers often target sensitive information such as personal, financial, or healthcare data, crippling the victim's operations until the ransom is paid or the data is recovered by other means.

Ransomware typically spreads through phishing emails, malicious links, or software vulnerabilities, exploiting weak cybersecurity defenses. Even after paying the ransom, victims are not guaranteed data recovery.

Why is the healthcare sector a major target of ransomware attacks?

Healthcare facilities handle individuals’ sensitive personal and medical data and can tolerate very little downtime, making them attractive targets for cybercriminals.