The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Syracuse ASC, LLC doing business as Specialty Surgery Center of Central New York, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules. Syracuse ASC is a single-facility, ambulatory surgery center located in Liverpool, New York that provides ophthalmic and ENT surgical services and pain management procedures to patients. The settlement resolves an OCR investigation concerning a ransomware breach of ePHI that affected 24,891 individuals. OCR initiated the investigation in October 2021 after Syracuse ASC reported to HHS that an unauthorized individual had accessed its network in March 2021. Further investigation revealed that Syracuse ASC was affected by a ransomware attack involving the PYSA ransomware variant, which is a cross-platform cyber weapon known to target the healthcare industry. OCR’s investigation found that Syracuse ASC never conducted an accurate and thorough risk analysis to determine the risks and vulnerabilities to the ePHI it held. OCR also found that Syracuse ASC failed to timely notify affected individuals and the Secretary of the breach.