July 29, 2025 | Alerts

Surgery Center $250,000 Settlement Emphasizes Security Risk Analysis Requirement

On July 23, 2025, the United States Department of Health and Human Services, Office of Civil Rights (“OCR”) announced a $250,000 settlement with the Specialty Surgery Center of Central New York (the “Surgery Center”) as a result of a ransomware attack involving the PYSA ransomware variant, which is known to target the healthcare industry. The attack occurred in March 2021 and affected 24,891 individuals. In evaluating the Surgery Center’s conduct, the OCR found that:

  • The Surgery Center failed to conduct an accurate and thorough security risk analysis (“SRA”), as required by the HIPAA Security Rule; and
  • The Surgery Center failed to provide notification to the affected individuals and the OCR in a timely manner, as required by the HIPAA Breach Notification Rule.

This Settlement, which is the OCR’s 14th settlement involving a ransomware attack, emphasizes:

  • The importance of all covered entities conducting and maintaining an up-to-date, comprehensive SRA to identify risks and vulnerabilities in their systems.
  • That ransomware attacks are typically considered to be a breach of unsecured PHI (“Breach”) unless there is evidence that the bad actors did not access PHI.
  • The importance of making timely Breach notifications.

We recommend that all covered entities, of any size, take this opportunity to review the status of their SRAs and address any deficiencies immediately. The Office of the National Coordinator for Health Information Technology (“ONC”), in conjunction with the OCR, has published a tool that small- to medium-sized covered entities can use to perform the SRA internally. Here is the link to the tool: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool.

Should you have any questions regarding the information above, please contact the authors or the Garfunkel Wild attorney with whom you regularly work. We can also be reached at [email protected].