DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Attorney General James Reaches Agreement with Refuah Health Center to Invest $1.2 Million to Protect Patient Data and Pay $450,000 in Penalties to State

Posted on January 6, 2024 by Dissent
January 5, 2024

NEW YORK – New York Attorney General Letitia James today announced an agreement with a Hudson Valley-area health care provider, Refuah Health Center, Inc. (Refuah), for failing to safeguard the personal and private health information of its patients. The Office of the Attorney General (OAG) found that Refuah failed to maintain appropriate controls to protect and limit access to sensitive data, including by failing to encrypt patient information and using multi-factor authentication. As a result of Refuah’s poor data security, the health care provider experienced a ransomware attack that compromised the personal and private information of approximately 250,000 New Yorkers. Today’s agreement requires Refuah to invest $1.2 million to strengthen its cybersecurity and pay $450,000 in penalties and costs.

“New Yorkers should receive medical care and trust that their personal and health information is safe,” said Attorney General James. “This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”

Refuah is a health care provider that operates three facilities and five mobile medical vans in the Hudson Valley. In May 2021, Refuah experienced a ransomware attack where the cyber-attacker was able to access the data of thousands of patients. Refuah determined that attackers gained access to files containing names, addresses, phone numbers, social security numbers, driver’s license numbers, dates of birth, financial account numbers, medical insurance numbers, and various health-related information. The OAG’s investigation concluded that attackers were able to access this data because Refuah had failed to adopt appropriate data security practices to protect patients’ personal and health information. Refuah failed to decommission inactive user accounts, rotate user account credentials, restrict employees’ access to only those resources and data that were necessary for their business functions, use multi-factor authentication, and encrypt patient information.

As a result of today’s agreement, Refuah has agreed to invest $1.2 million to develop and maintain stronger information security programs to better protect patient data. The agreement also requires the health care provider to:

  • Maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumer information;
  • Implement and maintain policies and procedures that limit access to consumer information;
  • Require the use of multi-factor authentication to remotely access resources and data;
  • Regularly rotate credentials that are used to access resources and data;
  • Conduct audits at least semi-annually to ensure users only have access to resources and data necessary for their business functions;
  • Encrypt all consumer information, whether stored or transmitted;
  • Implement controls to monitor and log all security and operational activity of the company’s networks and systems; and
  • Develop, implement, and maintain a comprehensive incident response plan.

Refuah is also required to pay $450,000 in penalties and costs to the state, of which $100,000 will be suspended when the company spends $1.2 million to develop and maintain its information security program.

Today’s agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for their poor data security practices. In December, Attorney General James secured $400,000 from a dental insurance provider, Healthplex, Inc., for failing to safeguard consumers’ private information. In November, Attorney General James secured $450,000 from U.S. Radiology for failing to protect patient data. In October, Attorney General James secured $350,000 from Long Island health care company Personal Touch for failing to secure the data of 300,000 New Yorkers. Also in October, Attorney General James and a multistate coalition secured $49.5 million from cloud company Blackbaud for a 2020 data breach exposing the data of thousands of users. In September, Attorney General James reached an agreement with Marymount Manhattan College to invest $3.5 million to protect students’ online data. In May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices.

This matter was handled by Senior Enforcement Counsel Jordan Adler and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.

Source:  NYS Attorney General Letitia James

h/t Brett Callow

Category: Health DataLegislationMalwareOf NoteState/LocalU.S.

Post navigation

← Major Us Museums Suffer Cyberattack Fallout
Personal, pregnancy details of Midwives of Windsor patients breached →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)
  • Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • Data Breach Lawsuits Against Chord Specialty Dental Partners Consolidated
  • PA: York County alerts residents of potential data breach
  • FTC Finalizes Order with GoDaddy over Data Security Failures
  • Hacker steals $223 million in Cetus Protocol cryptocurrency heist
  • Operation ENDGAME strikes again: the ransomware kill chain broken at its source
  • Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials
  • Mysterious hacking group Careto was run by the Spanish government, sources say
  • 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law
  • Telegram Gave Authorities Data on More than 20,000 Users
  • Police secretly monitored New Orleans with facial recognition cameras

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.