The state of New York has required a healthcare provider, Refuah Health Center, to invest $1.2 million in strengthening its cybersecurity. The enforcement action follows a 2021 ransomware attack that exposed the sensitive information of more than 250,000 individuals.
Enforcement Details
New York Attorney General Letitia James announced the settlement on January 5. It also imposes a $450,000 penalty for Refuah's failure to adequately safeguard patient information and to adopt multi-factor authentication.
Attorney General’s Statement
James emphasized, “New Yorkers deserve medical care with the assurance that their personal and health data is secure. This agreement ensures that Refuah takes the necessary steps to protect patient data while delivering affordable healthcare. In today’s digital age, robust data security is paramount, and my office is committed to shielding New Yorkers’ data from companies with subpar cybersecurity.”
Ransomware Incident
Refuah, with three facilities in the Hudson Valley region and five mobile medical vans, fell victim to a ransomware attack by the Lorenz gang in May 2021. This breach exposed patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, dates of birth, financial account numbers, medical insurance numbers, and various health-related information.
Investigative Findings
An investigation by the state attorney general's office found that Refuah lacked basic data security measures: inactive user accounts were not deactivated, credentials were not rotated, employee access was not restricted, multi-factor authentication was absent, and patient information was not encrypted.
Entry Point and Attack Details
The ransomware entry point was a video camera system in the company's facilities, which served as a gateway to the wider network. The attackers used unchanged administrative credentials belonging to an IT vendor that had been inactive for 11 years. The vendor's account, untouched since 2014, had never been deleted or disabled and was not protected by multi-factor authentication.
The attackers accessed thousands of files related to the company's dental practice and exfiltrated 1 terabyte of data over two days. In total, 260,740 patients were affected, including 175,077 New York residents.
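The findings above describe a failure of basic account hygiene: a privileged vendor account that was never disabled, never had its password rotated, and was never enrolled in MFA. The following audit script is an added illustration, not code from Refuah, the attorney general's office, or any tool named on this page. It runs a hygiene check over a small set of constructed account records (the names, dates, and the 90-day inactivity and 365-day password-age thresholds are assumptions chosen for the example, not figures from the settlement) and flags exactly the three conditions the investigation cited.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds are assumptions for this example; they are not taken from the settlement.
INACTIVE_DAYS = 90          # an enabled account unused this long should be disabled
MAX_PASSWORD_AGE_DAYS = 365 # credentials older than this should have been rotated


@dataclass
class Account:
    name: str
    role: str                   # "staff" or "vendor"
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]  # None = never logged in
    password_changed: Optional[date]


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {account name: [issues]} for every enabled account that violates
    the hygiene rules. Disabled accounts are skipped: they are already the
    remediation the rules ask for."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        issues: List[str] = []
        if acct.last_login is None or (today - acct.last_login).days > INACTIVE_DAYS:
            issues.append("inactive-not-disabled")
        if acct.password_changed is None or (today - acct.password_changed).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("password-not-rotated")
        if not acct.mfa_enrolled:
            issues.append("no-mfa")
        if issues:
            findings[acct.name] = issues
    return findings


def accounts_to_disable(accounts: List[Account], today: date) -> List[str]:
    """Names of enabled accounts that should be disabled outright: stale
    vendor or staff accounts. Disabling (rather than deleting) preserves the
    audit trail and is reversible if the owner turns out to be legitimate."""
    return [
        name for name, issues in audit_accounts(accounts, today).items()
        if "inactive-not-disabled" in issues
    ]


# Constructed sample records for the example. The dates are made up; the
# vendor account mirrors the pattern described in the findings (last used
# years earlier, credentials never rotated, no MFA, still enabled).
AUDIT_DATE = date(2021, 5, 1)
SAMPLE_ACCOUNTS = [
    Account("nurse.a", "staff", True, True, date(2021, 4, 30), date(2021, 1, 15)),
    Account("dr.b", "staff", True, False, date(2021, 4, 29), date(2020, 11, 1)),
    Account("itvendor-admin", "vendor", True, False, date(2014, 2, 1), date(2014, 2, 1)),
    Account("contractor-old", "vendor", False, False, date(2019, 6, 1), date(2019, 6, 1)),
]


if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{name}: {', '.join(issues)}")
    print("disable:", accounts_to_disable(SAMPLE_ACCOUNTS, AUDIT_DATE))
```

In practice the records would come from the directory (Active Directory, an IdP, or the camera system's own local user database, which is the kind of appliance account this check is most likely to miss), and the audit would run on a schedule rather than once; the point of the example is that the conditions in the findings are mechanically checkable and would have surfaced the vendor account on the first run.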
Company Response and Fallout
Refuah notified affected individuals in April 2022 and offered credit monitoring to those whose Social Security numbers were exposed, but the response drew criticism: the investigation found that nearly 79,000 affected individuals never received breach notification letters.
Remediation Agreement
The agreement mandates Refuah to invest $1.2 million in fortifying patient data security, enforcing access restriction policies, implementing multi-factor authentication, and conducting semi-annual audits. Encryption of data and the introduction of network activity monitoring controls are also on the agenda, alongside the development of an incident response plan.
Within a year, Refuah must secure a security assessment, with ongoing third-party assessments for five years. Additionally, the company has 90 days to notify all victims of the 2021 incident who were initially overlooked.
Refuah will pay the $450,000 penalty in annual installments of $117,000, with $100,000 deducted if the $1.2 million cybersecurity investment is confirmed between 2024 and 2028.
Context and Precedent
The action follows a series of cybersecurity breach settlements and fines by James' office. In September, a local college was required to invest $3.5 million in cybersecurity, and a private radiology company was fined $450,000 after a 2021 ransomware attack. In October, Long Island healthcare company Personal Touch paid a $350,000 penalty for failing to secure the data of 300,000 New Yorkers.