New York AG: Health Center Must Pay $450K HIPAA Fine, Invest $1.2 Million in Cybersecurity Improvements

Refuah Health experienced a ransomware attack that compromised the personal information of approximately 250,000 New Yorkers.


New York, N.Y. — New York Attorney General Letitia James announced on Friday that her office reached an agreement with Refuah Health Center Inc. for failing to safeguard the personal and private health information of its patients. The Office of the Attorney General (OAG) found that Refuah Health failed to maintain appropriate controls to protect and limit access to sensitive data, including by failing to encrypt patient information and failing to use multi-factor authentication.

“As a result of Refuah’s poor data security, the health care provider experienced a ransomware attack that compromised the personal and private information of approximately 250,000 New Yorkers,” James’ office said in a press release.

The agreement requires Refuah to invest $1.2 million to strengthen its cybersecurity and pay $450,000 in penalties and costs.

“This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”

OAG launched its investigation into Refuah Health when it was notified of a ransomware attack that happened in May 2021, reports The Record. The attackers accessed the names, addresses, phone numbers, Social Security numbers, driver’s license numbers, dates of birth, account numbers, insurance numbers, and other health-related information of thousands of patients.

The Lorenz gang that carried out the ransomware attack typically double-extorts its victims after stealing data, according to The Record.

The OAG’s investigation concluded that the attackers were able to access this data because Refuah failed to adopt appropriate data security practices to protect patients’ personal and health information. Refuah failed to decommission inactive user accounts, rotate user account credentials, restrict employees’ access to only those resources and data that were necessary for their business functions, use multi-factor authentication, and encrypt patient information.

Refuah has agreed to invest $1.2 million to develop and maintain stronger information security programs to better protect patient data. The agreement also requires the health care provider to:

  • Maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumer information;
  • Implement and maintain policies and procedures that limit access to consumer information;
  • Require the use of multi-factor authentication to remotely access resources and data;
  • Regularly rotate credentials that are used to access resources and data;
  • Conduct audits at least semi-annually to ensure users only have access to resources and data necessary for their business functions;
  • Encrypt all consumer information, whether stored or transmitted;
  • Implement controls to monitor and log all security and operational activity of the company’s networks and systems; and
  • Develop, implement, and maintain a comprehensive incident response plan.
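The failures the OAG identified (inactive accounts, stale credentials, missing MFA, access beyond business need) and the semi-annual access audits the agreement requires are the kind of review that can be scripted. The following is an added example, not code from the OAG agreement or from Refuah; it runs over a constructed account export, and the role baselines and the 90-day inactivity and 180-day rotation thresholds are assumptions chosen for illustration.

```python
from datetime import date

# Constructed sample account export (illustrative, not real Refuah data).
# Each record: who, their business role, last login, when the credential was
# last set, whether MFA is enforced, and the entitlements actually granted.
ACCOUNTS = [
    {"user": "nurse01", "role": "clinical", "last_login": date(2021, 4, 28),
     "credential_set": date(2021, 1, 10), "mfa": True,
     "entitlements": {"ehr_read", "ehr_write"}},
    {"user": "temp_billing", "role": "billing", "last_login": date(2020, 9, 1),
     "credential_set": date(2019, 6, 1), "mfa": False,
     "entitlements": {"billing", "ehr_read", "domain_admin"}},
    {"user": "vpn_contractor", "role": "contractor", "last_login": date(2021, 4, 30),
     "credential_set": date(2020, 10, 1), "mfa": False,
     "entitlements": {"vpn"}},
]

# Assumed role baselines: the entitlements each business function needs.
ROLE_BASELINE = {
    "clinical": {"ehr_read", "ehr_write"},
    "billing": {"billing", "ehr_read"},
    "contractor": {"vpn"},
}

AUDIT_DATE = date(2021, 5, 1)  # constructed review date


def audit_accounts(accounts, today, inactive_days=90, rotate_days=180):
    """Return {user: [findings]} for accounts violating the listed controls."""
    findings = {}
    for acct in accounts:
        issues = []
        if (today - acct["last_login"]).days > inactive_days:
            issues.append("inactive account not decommissioned")
        if (today - acct["credential_set"]).days > rotate_days:
            issues.append("credential past rotation period")
        if not acct["mfa"]:
            issues.append("MFA not enforced")
        excess = acct["entitlements"] - ROLE_BASELINE.get(acct["role"], set())
        if excess:
            issues.append("access beyond role: " + ", ".join(sorted(excess)))
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_accounts(ACCOUNTS, AUDIT_DATE).items():
        print(f"{user}: {'; '.join(issues)}")
```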

Refuah is also required to pay $450,000 in penalties and costs to the state, of which $100,000 will be suspended when the company spends $1.2 million to develop and maintain its information security program.


About the Author


Robin has been covering the security and campus law enforcement industries since 1998 and is a specialist in school, university and hospital security, public safety and emergency management, as well as emerging technologies and systems integration. She joined CS in 2005 and has authored award-winning editorial on campus law enforcement and security funding, officer recruitment and retention, access control, IP video, network integration, event management, crime trends, the Clery Act, Title IX compliance, sexual assault, dating abuse, emergency communications, incident management software and more. Robin has been featured on national and local media outlets and was formerly associate editor for the trade publication Security Sales & Integration. She obtained her undergraduate degree in history from California State University, Long Beach.
