Breach Notification Rule

Syracuse ASC, also known as Specialty Surgery Center of Central New York, has been fined $250,000 to resolve violations of the HIPAA Security Law and Breach Notification Law. OCR was able to confirm that the incident was a ransomware attack using the PYSA variant. The data breach dates back to March 2021 where unauthorized access to ePHI of a reported 24,891 patients. The threat potentially stole names, birth dates, Social Security numbers, financial data, and clinical information. The breach was not reported to the affected individuals until October 2021.

EngageMED, a healthcare support system, filed notice of data breach. They recognized that an authorized part was able to access the company's IT network. This resulted in unauthorized access to names, addresses, dates of birth, Social Security numbers, medical information, health insurance information, and claim information.