New York AG forces healthcare firm to invest $1.2 million in cybersecurity after ransomware attack
The state of New York is forcing a healthcare provider to invest more than $1.2 million on cybersecurity after a 2021 ransomware attack exposed the sensitive information of more than 250,000 people.
On January 5, New York Attorney General Letitia James announced that Refuah Health Center, which serves residents in the Hudson Valley, will also have to pay a $450,000 penalty for failing to appropriately protect patient information and use multi-factor authentication.
“New Yorkers should receive medical care and trust that their personal and health information is safe,” James said in a statement. “This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”
Refuah runs three different facilities in the Hudson Valley region and also operates five mobile medical vans.
In May 2021, the company was hit with a ransomware attack by the Lorenz gang, which accessed patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, dates of birth, financial account numbers, medical insurance numbers, and various health-related information.
After Lorenz emerged in February 2021, the Dutch cybersecurity firm Tesorion released a free application in June 2021 to help victims of the ransomware recover encrypted files without paying a ransom. That has done little to stop the group, which typically performs double-extortion after stealing troves of data.
An investigation run by the state attorney general’s office determined that the attackers gained access to the data because Refuah did not enact basic data security procedures.
The company did not deactivate inactive user accounts, never rotated credentials, did not restrict employee access to certain parts of its network, did not use multi-factor authentication, and failed to encrypt patient information.
The ransomware gang broke in through a video camera system used within the company’s facilities and pivoted from there into the larger network using administrative credentials belonging to an IT vendor; those credentials had not been changed in 11 years. The IT vendor’s account had not been active since 2014, yet it was never deleted or disabled, and multi-factor authentication was never enabled on it.
The hackers accessed thousands of files related to the company’s dental practice. Over two days, the hackers exfiltrated 1 terabyte of data. An investigation revealed that more than 260,740 patients were affected, including 175,077 New York residents.
The company provided notice of the incident in April 2022 but only offered credit monitoring services to people whose Social Security numbers were leaked. The subsequent investigation by New York officials revealed that nearly 79,000 people should have received a breach notification letter but did not.
In the agreement, the company said it would spend $1.2 million to better secure patient data, implement policies that restrict employee access, require multi-factor authentication and conduct audits at least semi-annually to ensure users only have access to resources and data necessary for their business functions.
Data will have to be encrypted and controls will be implemented that monitor all activity on the company networks. The company will also develop an incident response plan.
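The control gaps listed above (a vendor account idle since 2014 that was never disabled, an administrative credential unrotated for 11 years, no multi-factor authentication) are exactly what the semi-annual access audit required by the agreement is meant to catch. The following is an added example of such an audit, written for this page and not taken from the settlement or from Refuah; the account inventory, the 90-day thresholds and the function names are all constructed assumptions. It flags dormant accounts, stale credentials and privileged accounts without MFA, then shows the effect of disabling the dormant ones.

```python
"""Access-review audit over a constructed account inventory (illustrative, not real data)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class Account:
    name: str
    owner_type: str           # "employee", "vendor" or "service"
    privileged: bool          # holds administrative rights
    mfa_enabled: bool
    last_login: Optional[date]  # None means the account never logged in
    credential_set: date      # when the current password or key was issued
    enabled: bool = True

# Constructed inventory. The vendor account mirrors the pattern in the article:
# idle since 2014, credential never rotated, administrative, no MFA.
INVENTORY: List[Account] = [
    Account("it-vendor-admin", "vendor", True, False, date(2014, 3, 2), date(2010, 5, 1)),
    Account("camera-svc", "service", False, False, date(2021, 5, 1), date(2021, 4, 1)),
    Account("jdoe", "employee", False, True, date(2021, 5, 3), date(2021, 3, 1)),
    Account("helpdesk-admin", "employee", True, True, date(2021, 5, 4), date(2021, 3, 15)),
    Account("former-contractor", "employee", False, True, date(2020, 12, 1), date(2021, 3, 20)),
    Account("old-intern", "employee", False, True, date(2020, 8, 30), date(2020, 6, 1), enabled=False),
]

# Assumed policy thresholds; the agreement sets no specific numbers.
DORMANT_AFTER = timedelta(days=90)
ROTATE_AFTER = timedelta(days=90)
AS_OF = date(2021, 5, 5)  # constructed audit date

def dormant_accounts(accounts: List[Account], as_of: date) -> List[str]:
    """Enabled accounts with no login within DORMANT_AFTER, or that never logged in."""
    return [a.name for a in accounts
            if a.enabled and (a.last_login is None or as_of - a.last_login > DORMANT_AFTER)]

def stale_credentials(accounts: List[Account], as_of: date) -> List[str]:
    """Enabled accounts whose current credential is older than ROTATE_AFTER."""
    return [a.name for a in accounts
            if a.enabled and as_of - a.credential_set > ROTATE_AFTER]

def privileged_without_mfa(accounts: List[Account]) -> List[str]:
    """Enabled accounts with administrative rights but no second factor."""
    return [a.name for a in accounts if a.enabled and a.privileged and not a.mfa_enabled]

def run_audit(accounts: List[Account], as_of: date) -> dict:
    """Collect every finding category in one report."""
    return {
        "dormant": dormant_accounts(accounts, as_of),
        "stale_credentials": stale_credentials(accounts, as_of),
        "privileged_no_mfa": privileged_without_mfa(accounts),
    }

def disable_dormant(accounts: List[Account], as_of: date) -> List[Account]:
    """Return a new inventory with every dormant account disabled (accounts are immutable)."""
    dormant = set(dormant_accounts(accounts, as_of))
    return [replace(a, enabled=False) if a.name in dormant else a for a in accounts]

if __name__ == "__main__":
    for category, names in run_audit(INVENTORY, AS_OF).items():
        print(f"{category}: {names}")
    print("after disabling dormant accounts:", run_audit(disable_dormant(INVENTORY, AS_OF), AS_OF))
```

Disabling the dormant vendor account clears all three findings at once, which is the point: an account that nobody has used in years carries no business cost when disabled, but left enabled it is a standing credential for anyone who obtains it. In a real deployment the inventory would be pulled from the directory service rather than hard-coded, and the same checks would run against service accounts on embedded devices such as camera systems.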
Within one year of the agreement, Refuah needs to obtain a security assessment of its systems, and the company needs to get third-party assessments done every year for five years. The company also has 90 days to provide notice to all of the victims of the 2021 incident who were not initially sent letters.
Anyone whose information was contained in the accessed database will need to get credit monitoring services, the agreement states.
The company will have to pay $117,000 of the $450,000 penalty each year, and $100,000 will be subtracted from the cost if the company confirms that it has spent the $1.2 million on better cybersecurity protections between 2024 and 2028.
The action follows several recent settlements and fines issued by James’ office for cybersecurity breaches.
In September, she used a settlement to force a local college to invest $3.5 million into cybersecurity after a 2021 data breach leaked troves of sensitive information about almost 200,000 people.
Her office also fined one of the nation’s largest private radiology companies $450,000 after a 2021 ransomware attack led to the exposure of sensitive information from nearly 200,000 patients. In October, she forced Long Island health care company Personal Touch to pay a $350,000 penalty for failing to secure the data of 300,000 New Yorkers.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.