New York AG: Health Center Must Pay $450K HIPAA Fine, Invest $1.2 Million in Cybersecurity Improvements

Refuah Health experienced a ransomware attack that compromised the personal information of approximately 250,000 New Yorkers.
Published: January 11, 2024

New York, N.Y. — New York Attorney General Letitia James announced on Friday that her office reached an agreement with Refuah Health Center Inc. for failing to safeguard the personal and private health information of its patients. The Office of the Attorney General (OAG) found that Refuah Health failed to maintain appropriate controls to protect and limit access to sensitive data, including by failing to encrypt patient information and failing to use multi-factor authentication.

“As a result of Refuah’s poor data security, the health care provider experienced a ransomware attack that compromised the personal and private information of approximately 250,000 New Yorkers,” James’ office said in a press release.

The agreement requires Refuah to invest $1.2 million to strengthen its cybersecurity and pay $450,000 in penalties and costs.

“This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity,” James said.


OAG launched its investigation into Refuah Health when it was notified of a ransomware attack that happened in May 2021, reports The Record. The attackers accessed the names, addresses, phone numbers, Social Security numbers, driver’s license numbers, dates of birth, account numbers, insurance numbers, and other health-related information of thousands of patients.

The Lorenz gang that carried out the ransomware attack typically double-extorts its victims after stealing data, according to The Record.

The OAG’s investigation concluded that the attackers were able to access this data because Refuah failed to adopt appropriate data security practices to protect patients’ personal and health information. Specifically, Refuah failed to decommission inactive user accounts, rotate user account credentials, restrict employees’ access to only those resources and data that were necessary for their business functions, use multi-factor authentication, and encrypt patient information.

Refuah has agreed to invest $1.2 million to develop and maintain stronger information security programs to better protect patient data. The agreement also requires the health care provider to:

  • Maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumer information;
  • Implement and maintain policies and procedures that limit access to consumer information;
  • Require the use of multi-factor authentication to remotely access resources and data;
  • Regularly rotate credentials that are used to access resources and data;
  • Conduct audits at least semi-annually to ensure users only have access to resources and data necessary for their business functions;
  • Encrypt all consumer information, whether stored or transmitted;
  • Implement controls to monitor and log all security and operational activity of the company’s networks and systems; and
  • Develop, implement, and maintain a comprehensive incident response plan.
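The account-hygiene failures cited by the OAG (inactive accounts left enabled, credentials never rotated, remote access without MFA, entitlements beyond what a job function needs) are the kind of thing the required semi-annual access audit has to surface. The script below is an added example, not part of the settlement or of Refuah’s program, showing what such an audit check looks like over a constructed account export. The 90-day inactivity and rotation thresholds, the role-to-entitlement baseline, and the sample accounts are all assumptions for illustration; the agreement itself sets no specific numbers.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Policy thresholds are assumptions for this example; the settlement does not
# prescribe specific values. Pick what your own policy documents require.
INACTIVE_DAYS = 90   # no interactive login for this long -> disable and review
ROTATION_DAYS = 90   # credential older than this -> force rotation


@dataclass
class Account:
    username: str
    last_login: Optional[date]        # None means the account never logged in
    credential_set: date              # when the current credential was issued
    mfa_enabled: bool
    remote_access: bool               # can reach internal resources from outside
    entitlements: set[str] = field(default_factory=set)


# Least-privilege baseline per business function (constructed for the example):
# the entitlements a role needs and nothing more.
ROLE_BASELINE = {
    "nurse":    {"ehr:read", "ehr:write"},
    "billing":  {"ehr:read", "billing:read", "billing:write"},
    "it-admin": {"ehr:read", "ad:admin", "backup:admin"},
}


def audit(accounts: list[Account], roles: dict[str, str], today: date):
    """Return (username, finding_code, detail) for every control violation."""
    findings = []
    for acct in accounts:
        # 1. Inactive accounts: never logged in, or idle beyond the threshold.
        if acct.last_login is None:
            findings.append((acct.username, "inactive", "never logged in"))
        elif (today - acct.last_login).days > INACTIVE_DAYS:
            idle = (today - acct.last_login).days
            findings.append((acct.username, "inactive", f"idle {idle} days"))

        # 2. Credential rotation.
        age = (today - acct.credential_set).days
        if age > ROTATION_DAYS:
            findings.append((acct.username, "stale-credential", f"age {age} days"))

        # 3. MFA is required for any account that can reach resources remotely.
        if acct.remote_access and not acct.mfa_enabled:
            findings.append((acct.username, "no-mfa-remote", "remote access without MFA"))

        # 4. Least privilege: anything outside the role baseline is excess.
        # An account with no mapped role has no justified entitlements at all.
        baseline = ROLE_BASELINE.get(roles.get(acct.username, ""), set())
        excess = sorted(acct.entitlements - baseline)
        if excess:
            findings.append((acct.username, "excess-entitlements", ", ".join(excess)))
    return findings


# Constructed sample export: one clean account, one orphaned contractor account,
# one billing clerk with a stale password and an entitlement from another role.
AUDIT_DATE = date(2024, 1, 11)
SAMPLE_ROLES = {"jdoe": "nurse", "bclerk": "billing"}  # former-contractor has no role
SAMPLE_ACCOUNTS = [
    Account("jdoe", date(2024, 1, 10), date(2023, 11, 1), True, True,
            {"ehr:read", "ehr:write"}),
    Account("former-contractor", date(2023, 4, 2), date(2022, 9, 15), False, True,
            {"ehr:read", "ad:admin"}),
    Account("bclerk", date(2024, 1, 9), date(2023, 8, 1), True, False,
            {"ehr:read", "ehr:write", "billing:read", "billing:write"}),
]


def run_sample_audit():
    return audit(SAMPLE_ACCOUNTS, SAMPLE_ROLES, AUDIT_DATE)


if __name__ == "__main__":
    for user, code, detail in run_sample_audit():
        print(f"{user:20} {code:20} {detail}")
```

In practice the `accounts` list would come from a directory export (for example `Get-ADUser` output or an IdP user report) and the findings would feed a ticket queue, with the "inactive" findings actioned by disabling the account rather than just reporting it. Service accounts that never log in interactively need their own baseline so they are not all flagged as inactive.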

Refuah is also required to pay $450,000 in penalties and costs to the state, of which $100,000 will be suspended when the company spends $1.2 million to develop and maintain its information security program.
