HHS Settles with Provider over HIPAA Violations in Ransomware Attack

On July 23, 2025, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with a central New York surgery center for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification rules. The single-facility ambulatory surgery center in Liverpool, New York, provides ophthalmic and ENT (ear, nose, and throat) surgical services as well as pain management procedures for patients.

The settlement resolves an OCR investigation into a ransomware breach of electronic protected health information (ePHI) that affected 24,891 individuals. OCR opened the investigation in October 2021, after the center reported to HHS that an unauthorized individual had accessed its network in March 2021, roughly seven months earlier. The attack involved PYSA ransomware, a strain with both Windows and Linux variants that has repeatedly been used against the healthcare sector.

OCR determined that the center had never conducted an accurate and thorough risk analysis of the risks and vulnerabilities to its ePHI, a baseline Security Rule requirement. Investigators also found that the center failed to notify affected individuals and the Secretary of HHS within the time frames the Breach Notification Rule requires.

Under the resolution agreement, the center agreed to pay $250,000 and implement a corrective action plan that OCR will monitor for two years. The plan includes several compliance steps:

  • Conducting an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
  • Reviewing, and to the extent necessary, revising, certain written policies and procedures to comply with the HIPAA Rules; and
  • Providing annual training for workforce members on its written HIPAA policies and procedures.

Compliance Perspective

Issue

OCR enforces the HIPAA Privacy, Security, and Breach Notification rules, which set requirements for covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates to protect the privacy and security of protected health information (PHI). The Security Rule establishes national standards for safeguarding ePHI through administrative, physical, and technical safeguards. Its Risk Analysis provision requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; the risk management plan, policies, and training that follow are only as good as that analysis. Under the Breach Notification Rule, a covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach. Breaches affecting 500 or more individuals must be reported to the Secretary of HHS on the same timeline, and breaches affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets serving that area; smaller breaches are logged and reported to the Secretary annually, within 60 days after the end of the calendar year in which they were discovered.

Discussion Points

  • Review and update written policies and procedures for HIPAA compliance, including the Privacy, Security, and Breach Notification rules. Ensure they require regular risk analyses, the identification and mitigation of security vulnerabilities, and timely breach notification. Define clearly who is responsible for each step after a breach, what must be documented, and the deadlines that apply, so that the 60-day clock is tracked from the date of discovery rather than from the date an investigation concludes.
  • Train appropriate staff on HIPAA requirements, including breach reporting obligations and risk analysis protocols. Training should cover how to recognize and report potential incidents, including a ransomware infection, and emphasize the importance of timely action. Conduct training at onboarding, annually, and whenever significant policy or technology changes occur.
  • Conduct periodic audits to verify compliance with HIPAA policies and procedures. Assess whether staff understand breach response protocols, and confirm that risk analyses are being performed, documented, and acted upon through a risk management plan. Use audit results to identify and remediate gaps in breach detection, reporting, or mitigation.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*