In a bold move, the state of New York has mandated a healthcare provider, Refuah Health Center, to beef up its cybersecurity with a substantial $1.2 million investment. This enforcement comes in the wake of a ransomware attack in 2021 that left the sensitive information of over 250,000 individuals exposed.

Enforcement Details

New York Attorney General Letitia James, on January 5, unveiled the verdict, adding a $450,000 penalty to the tab for Refuah’s failure to adequately safeguard patient information and adopt multi-factor authentication.

Attorney General’s Statement

James emphasized, “New Yorkers deserve medical care with the assurance that their personal and health data is secure. This agreement ensures that Refuah takes the necessary steps to protect patient data while delivering affordable healthcare. In today’s digital age, robust data security is paramount, and my office is committed to shielding New Yorkers’ data from companies with subpar cybersecurity.”

Ransomware Incident

Refuah, with three facilities in the Hudson Valley region and five mobile medical vans, fell victim to a ransomware attack by the Lorenz gang in May 2021. This breach exposed patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, dates of birth, financial account numbers, medical insurance numbers, and various health-related information.

Investigative Findings

An investigation by the state attorney general’s office pointed fingers at Refuah for lacking basic data security measures. Inactive user accounts weren’t deactivated, credentials weren’t rotated, employee access wasn’t restricted, multi-factor authentication was absent, and patient information wasn’t encrypted.

Entry Point and Attack Details

The ransomware entry point? A video camera system within the company’s facilities, which acted as a gateway to the larger network using unchanged administrative credentials from an IT vendor inactive for 11 years. The IT vendor’s account, untouched since 2014, lacked deletion or disabling, and multi-factor authentication remained a distant dream.

The attackers infiltrated thousands of files related to the company’s dental practice, exfiltrating 1 terabyte of data over two days. A shocking revelation showed that more than 260,740 patients were affected, including 175,077 New York residents.

Company Response and Fallout

Refuah’s notice of the incident in April 2022 and subsequent offering of credit monitoring services to those with leaked Social Security numbers faced criticism. The investigation uncovered that nearly 79,000 affected individuals were left without breach notification letters.

Remediation Agreement

The agreement mandates Refuah to invest $1.2 million in fortifying patient data security, enforcing access restriction policies, implementing multi-factor authentication, and conducting semi-annual audits. Encryption of data and the introduction of network activity monitoring controls are also on the agenda, alongside the development of an incident response plan.

Within a year, Refuah must secure a security assessment, with ongoing third-party assessments for five years. Additionally, the company has 90 days to notify all victims of the 2021 incident who were initially overlooked.

To add a financial sting, Refuah will pay $117,000 of the $450,000 penalty annually, with a $100,000 deduction if the $1.2 million cybersecurity investment is confirmed between 2024 and 2028.

Context and Precedent

This crackdown aligns with previous cybersecurity breach settlements and fines by James’ office, reinforcing the commitment to safeguarding sensitive information in the digital age. In September, a local college was compelled to invest $3.5 million in cybersecurity, and a private radiology company faced a $450,000 fine after a ransomware attack in 2021. In October, Long Island healthcare company Personal Touch paid a $350,000 penalty for negligence in securing the data of 300,000 New Yorkers.

Related Posts - TKS Blog

TKS Newsletter - 2024 December
Here's our December 2024 Newsletter Read the full PDF version here: The TKS Sentinel - December Issue In this month's edition, we discuss: Ransomware Threats PDF Hijacking ...
Read more
5 New Trends from a Study on the State of AI at Work
5 New Trends of AI At Work
The pace of technological advancement is accelerating. This is not news to anyone wading through the ChatGPT craze. Artificial intelligence (AI) is at the forefront...
Read more
zero trust protections
Zero Trust Cybersecurity: Essential for Keeping Your Data Secure
As cyber threats become increasingly sophisticated, businesses can no longer rely solely on traditional methods to protect their data. Hackers are no longer trying to...
Read more
voice technology options
Harnessing the Power of Voice Technology
Voice technology is quickly becoming one of the most valuable tools for businesses seeking to improve customer interactions, streamline operations, and cut costs. With...
Read more