In April 2023, DataBreaches reported that two ransomware groups had each listed Albany ENT & Allergy Services (AENT) on their respective leak sites. But one month later, when AENT sent notifications to regulators and 224,486 affected employees and patients, its notification letter made no mention of any ransomware attack, any encryption of files, any ransom demands, or any patient or employee data dumped on the dark web. The notification letter did not even reveal that there had been two separate attacks, one by the RansomHouse group and one by BianLian. What it said was:
On or about March 27, 2023, AENT became aware of suspicious activity on its computer network. AENT immediately launched an investigation, with the assistance of third-party computer forensic specialists, to determine the nature and scope of the incident. Through its investigation, AENT determined that, between March 23, 2023 and April 4, 2023, an unauthorized actor may have had access to certain systems that stored personal and protected health information. AENT reviewed those systems and files to confirm what information was stored therein, and to whom the information related.
AENT did not respond to DataBreaches’ inquiries at the time.
Those two incidents in 2023 weren’t AENT’s only data security problems, however.
The NYS Attorney General’s Office announced yesterday that it has settled charges against AENT for $500,000 in penalties and a commitment to invest $2.25 million in a cybersecurity program over the next five years. While the U.S. Department of Health & Human Services does not appear to have taken any enforcement action against AENT — at least none that has been made public as yet — New York State has brought its enforcement action under the state’s Executive Law § 63(12) and General Business Law (“GBL”) §§ 349, 899-aa, and 899-bb.
No One With Expertise in IT and No One Monitoring Vendors Doing a Poor Job
AENT’s investigation determined that the attackers were able to access AENT data storage devices containing the patient records of 213,935 New Yorkers. These patient records included information such as name, address, date of birth, driver’s license number, Social Security number, diagnosis, conditions, lab results, medications, and other treatment information. AENT initially disclosed that the records included the Social Security numbers of over 120,000 New Yorkers. It failed, however, to disclose that 80,000 New York driver’s license numbers were also involved.
After the first breach was detected, AENT’s (unnamed) vendor that had been responsible for securing AENT’s data added some security measures and quickly restored the data. They reportedly did not, however, determine the cause of the breach, which left the vulnerability still exploitable by the second group of attackers. After the second breach, AENT hired a cybersecurity firm to investigate and address the problems. That firm was unable to confirm the attack vector, in part because AENT’s vendor had not retained server logs for a reasonable period of time and AENT did not have security programs in place to monitor and analyze server traffic. However, the forensic cybersecurity consultant concluded that the threat actors likely gained access to AENT’s systems through the exploitation of a vulnerability in AENT’s Cisco VPN firewall.
The state’s OAG investigation also discovered that AENT’s data storage devices continued to host unprotected private information months after the two ransomware incidents occurred.
One contributing factor that OAG identified was that there was only a single AENT employee who acted as a “liaison” to the third-party vendors “to implement recommended policies, procedures to ensure data quality, optimized system performance, and maintenance of security protocols.”
“This AENT employee has no IT or InfoSec experience or training,” the Assurance of Discontinuance noted.
The Assurance of Discontinuance includes a litany of security failures by the outsource vendors and AENT. The settlement imposes a number of security measures and protections plus a monetary penalty.
Under the terms, AENT is to pay the state $1 million in costs and penalties, of which $500,000 is suspended as long as AENT spends $2.25 million over the next five years to upgrade and maintain its information security program. Details of that program and requirements are specified in the Assurance of Discontinuance.
As of publication, there has been no closing statement from HHS OCR about any investigation of theirs into AENT. Although state attorneys general can enforce HIPAA, NYS often ignores its ability to enforce under HIPAA and just enforces under state business laws.
Whatever it takes.
Embedded document: aent-final-aod-fully-executed