$250K Penalty Paid by Syracuse ASC to Resolve HIPAA Risk Analysis and Breach Notification Violations

Aug 3, 2025

Director Paula M. Stannard of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reported the 18th HIPAA penalty of 2025. Syracuse ASC, also known as Specialty Surgery Center of Central New York, has agreed to pay a $250,000 financial penalty to resolve alleged violations of the HIPAA Security Law and HIPAA Breach Notification Law.

OCR investigated Syracuse ASC after it submitted a data breach report on October 14, 2021, regarding a hacking incident and unauthorized access to the protected health information (PHI) of 24,891 patients. A threat actor accessed the system between March 14, 2021, and March 31, 2021, and potentially stole names, birth dates, Social Security numbers, financial data, and clinical treatment information. OCR confirmed that the incident was a ransomware attack using the PYSA ransomware.

The investigation found no evidence that Syracuse ASC had complied with the HIPAA Security Rule’s requirement to conduct a risk analysis to determine potential risks and vulnerabilities to the integrity, availability, and confidentiality of electronic protected health information. OCR likewise confirmed that Syracuse ASC did not send prompt notifications to the HHS Secretary and the impacted patients. Syracuse ASC detected the data breach on March 31, 2021, but did not issue notifications for six and a half months. As per the HIPAA Breach Notification Law, breach notifications must be issued within 60 days of discovering a data breach.

OCR gave Syracuse ASC the chance to settle the alleged HIPAA violations case in private. Syracuse ASC has decided to pay $250,000 as a penalty for the violation and undertake a corrective action plan to show HIPAA Rules compliance. The corrective action plan calls for Syracuse ASC to perform an appropriate and complete risk analysis; create and enforce a risk management plan; create, implement, and keep guidelines and procedures to ensure HIPAA Rules compliance; give employees those guidelines and procedures; and give annual HIPAA training to the employees, including the new guidelines and procedures.

With advanced cyberattacks increasing, it is necessary to perform a complete HIPAA-compliant risk analysis and to create and enforce risk management procedures that address any risks and vulnerabilities discovered. HIPAA-covered entities and business associates become easy targets for cybercriminals when they do not follow the HIPAA Security Rule.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter