On January 5, 2024, the New York Attorney General’s Office (“NY AG”) announced a settlement with Refuah Health Center, Inc. (“Refuah”) based on the company’s alleged failures to appropriately safeguard its patients’ information, including failing to encrypt patient information or use multi-factor authentication, which allegedly resulted in a May 2021 ransomware attack that impacted approximately 300,000 patients. As part of the settlement, the company will pay $450,000 in penalties, with $100,000 of that amount eligible for suspension if the company spends $1.2 million between fiscal years 2024 and 2028 to develop and maintain its information security program.
According to the settlement, in May 2021, attackers were able to gain access to a company system used for viewing video from internal cameras monitoring its facilities, leveraging administrative credentials from a former IT vendor that had not been changed in at least 11 years to access the data of thousands of patients. The attackers exfiltrated approximately a terabyte of data before deploying malware. The personal information involved included patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, dates of birth, financial account numbers, medical insurance numbers, and various health-related information. The NY AG’s investigation concluded that attackers were able to access this data because the company had failed to maintain a data security program with appropriate safeguards designed to protect patients’ personal and health information. Specifically, the company allegedly failed to decommission inactive user accounts, rotate user account credentials, use multi-factor authentication, restrict employees’ access to only those resources and data that were necessary for their business functions, encrypt patient information at rest, and implement appropriate systems for monitoring user activity on its network. The NY AG’s investigation found that the company’s data security practices violated the Health Insurance Portability and Accountability Act (“HIPAA”), as well as New York General Business Law §§ 899-aa and 899-bb.
The settlement requires, as part of strengthening its information security program, that the company implement multi-factor authentication, regularly rotate credentials that are used to access resources and data, conduct audits of account privilege levels at least semi-annually, encrypt—both at rest and in transit—all consumer information, implement controls to monitor and log all security and operational activity of the company’s networks and systems, and develop, implement, and maintain a comprehensive incident response plan. The company is also required to provide notice of the incident to the approximately 72,000 to 79,000 patients who have not yet been notified in accordance with NYGBL § 899‑aa and 45 C.F.R. § 164.404.
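The account-hygiene obligations listed above (decommission inactive accounts, rotate credentials, require a second factor, and audit privilege levels) are the kind of check a periodic review script can run against an identity inventory. The following is an added example, not code from the settlement or from Refuah; it runs over a constructed inventory with hypothetical field names and a 90-day idle and rotation window that is an assumed policy value, not one taken from the settlement.

```python
"""Account-hygiene audit over a constructed account inventory.

Flags the four control gaps named in the settlement: inactive accounts that
are still enabled, credentials past their rotation age, accounts without a
second factor, and accounts holding more privilege than their role needs.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    name: str
    owner: str          # "employee" or "vendor" (hypothetical field)
    active: bool        # still needed by the business?
    last_login: date
    cred_rotated: date  # date the password or key was last changed
    mfa_enabled: bool
    privilege: str      # privilege actually granted: "user" or "admin"
    role_baseline: str  # privilege the role requires: "user" or "admin"


@dataclass(frozen=True)
class Finding:
    account: str
    action: str   # decommission | rotate-credential | enable-mfa | reduce-privilege
    detail: str


def audit_accounts(accounts, as_of, max_idle_days=90, max_cred_age_days=90):
    """Return one Finding per control gap found on each account."""
    findings = []
    for a in accounts:
        idle = (as_of - a.last_login).days
        cred_age = (as_of - a.cred_rotated).days

        # 1. Decommission: no longer needed, or unused beyond the idle window.
        if not a.active:
            findings.append(Finding(a.name, "decommission", f"{a.owner} account marked inactive"))
        elif idle > max_idle_days:
            findings.append(Finding(a.name, "decommission", f"no login for {idle} days"))

        # 2. Rotate: credential older than the rotation policy allows.
        if cred_age > max_cred_age_days:
            findings.append(Finding(a.name, "rotate-credential", f"credential is {cred_age} days old"))

        # 3. MFA: every account should have a second factor enrolled.
        if not a.mfa_enabled:
            findings.append(Finding(a.name, "enable-mfa", "no second factor enrolled"))

        # 4. Least privilege: granted level exceeds what the role needs.
        if a.privilege == "admin" and a.role_baseline != "admin":
            findings.append(Finding(a.name, "reduce-privilege",
                                    f"admin granted, role needs {a.role_baseline}"))
    return findings


def count_by_action(findings):
    """Summary counts per remediation action, e.g. for a semi-annual privilege report."""
    return dict(Counter(f.action for f in findings))


# Constructed sample inventory: names and dates are invented for this example.
AS_OF = date(2024, 1, 5)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "employee", True, date(2024, 1, 4), date(2023, 11, 2), True, "user", "user"),
    Account("it-admin-2", "employee", True, date(2024, 1, 3), date(2023, 12, 15), True, "admin", "admin"),
    # A former vendor's admin login that was never disabled or rotated.
    Account("vendor-cctv-admin", "vendor", False, date(2012, 6, 30), date(2010, 1, 1), False, "admin", "user"),
    # A current staff account with more privilege than its role needs and no MFA.
    Account("front-desk-3", "employee", True, date(2023, 12, 20), date(2023, 9, 20), False, "admin", "user"),
]


def run_sample_audit():
    """Audit the constructed inventory with the default 90-day windows."""
    return audit_accounts(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.account:20} {f.action:18} {f.detail}")
    print(count_by_action(run_sample_audit()))
```

The stale vendor account trips all four checks at once, which is the signature of an orphaned privileged credential; a real deployment would feed `audit_accounts` from the directory or IAM export rather than a hard-coded list, and would treat the `decommission` findings as the highest priority because disabling the account removes the other three gaps with it.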
The settlement marks another data point in a recent trend by the NY AG to initiate actions for cybersecurity noncompliance against healthcare-related organizations. While Refuah is the fifth healthcare organization cited by the NY AG for poor data security practices in the last two years, the settlement is unique in that the parties agreed to quantify a monetary investment in the covered entity’s cybersecurity systems as a condition of the settlement.