Feds Fine Surgery Practice $250K in Ransomware Breach


Data Privacy, Data Security, Healthcare

2021 Pysa Hack Compromised PHI of Nearly 25,000 Patients

A New York surgery practice has paid federal regulators $250,000 to settle findings in an investigation into a 2021 HIPAA breach involving a Pysa ransomware attack. (Image: Getty Images)

A HIPAA breach investigation into a 2021 attack involving a variant of Pysa ransomware resulted in a $250,000 fine for an upstate New York specialty surgery practice, which also agreed to a corrective action plan that will be monitored by federal regulators for the next two years.


The U.S. Department of Health and Human Services on Wednesday said the agreement with Syracuse ASC LLC, which does business as Specialty Surgery Center of Central New York, resolves potential HIPAA violations the government agency found while investigating a breach that the eye, ear, nose and throat surgery practice reported as affecting nearly 25,000 people.

The Liverpool, New York-based practice, which also provides pain management care, describes itself on its website as being owned by a group of 15 physicians and employing about 50 workers.

HHS’ Office for Civil Rights said Syracuse ASC reported the hacking incident on Oct. 14, 2021. A threat actor had gained access to Syracuse ASC’s network for more than two weeks, from March 14 to March 31, 2021.

Further investigation into the breach determined that Syracuse ASC suffered a ransomware attack involving the Pysa ransomware variant, “a cross-platform cyber weapon known to target the healthcare industry,” HHS OCR said.

In fact, Pysa – also known as Mespinoza – was the subject of an HHS cyber alert in January 2022 (see: HHS Warns Healthcare Sector of Pysa Ransomware Threats).

At that time, security researchers had counted at least 190 Pysa victims worldwide. While healthcare and public health entities were a favorite target, Pysa also launched attacks on other sectors, including education, utilities, transportation, construction and business services.

From the time Pysa first surfaced in July 2020 until its last attack was discovered in September 2022, the gang chalked up 311 victims, according to the ransomware monitoring website, Ransomware.live.

Electronic protected health information compromised in the Syracuse ASC hack included names, dates of birth, Social Security numbers, financial information and clinical treatment information of current and former patients.

HHS OCR’s investigation into the incident found that Syracuse ASC failed to conduct an accurate and thorough HIPAA security risk analysis.

The agency also found that Syracuse ASC failed to notify affected individuals and federal regulators in a timely manner.

Under the HIPAA breach notification rule, covered entities must notify affected individuals within 60 days of discovering a breach. Covered entities must also report breaches affecting 500 or more individuals to HHS OCR within 60 days of discovery.

Under Syracuse ASC’s corrective action plan, which HHS OCR will monitor for two years, the practice agreed to take several measures to ensure its compliance with the HIPAA rules.

Those actions include conducting an accurate and thorough HIPAA security risk analysis; developing and implementing a risk management plan to address security risks and vulnerabilities identified in its risk analysis; revising written policies and procedures as needed to comply with the HIPAA rules; and providing annual HIPAA training for workforce members.

Syracuse ASC did not immediately respond to Information Security Media Group’s request for comment on the settlement with HHS OCR and additional details about the ransomware incident.

Under the Spotlight

The settlement with Syracuse ASC is HHS OCR’s 14th HIPAA enforcement action involving a ransomware incident and the agency’s 11th focused on risk analysis since the agency named ransomware in October 2023 and risk analysis in October 2024 as top HIPAA enforcement priorities.

“Conducting a thorough HIPAA-compliant risk analysis – and developing and implementing risk management measures to address any identified risks and vulnerabilities – is even more necessary as sophisticated cyberattacks increase,” said Paula Stannard, HHS OCR director, in a statement about the Syracuse ASC settlement.

“HIPAA-covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA security rule requirements,” she said.

Overall, the Syracuse ASC settlement is HHS OCR’s 18th HIPAA enforcement action so far in 2025. Six settlements were announced under the Biden administration before it left office, and 12 under the Trump administration.


