DataBreaches.Net


Albany ENT & Allergy Services settles state charges stemming from two patient data breaches; agrees to spend $2.25M on security program

Posted on October 30, 2024 by Dissent

In April 2023, DataBreaches reported that two ransomware groups had each listed Albany ENT & Allergy Services (AENT) on their respective leak sites. But one month later, when AENT sent notifications to regulators and 224,486 affected employees and patients, its notification letter made no mention of any ransomware attack, any encryption of files, any ransom demands, or any patient or employee data dumped on the dark web. The notification letter did not even reveal that there had been two attacks, one each by the RansomHouse and BianLian groups. What it said was:

On or about March 27, 2023, AENT became aware of suspicious activity on its computer network. AENT immediately launched an investigation, with the assistance of third-party computer forensic specialists, to determine the nature and scope of the incident. Through its investigation, AENT determined that, between March 23, 2023 and April 4, 2023, an unauthorized actor may have had access to certain systems that stored personal and protected health information. AENT reviewed those systems and files to confirm what information was stored therein, and to whom the information related.

AENT did not respond to DataBreaches’ inquiries at the time.

Those two incidents in 2023 weren’t AENT’s only data security problems, however.

The NYS Attorney General’s Office announced yesterday that it has settled charges against AENT for $500,000 and a commitment to invest $2.25 million in a cybersecurity program over the next five years. While the U.S. Department of Health & Human Services does not appear to have taken any enforcement action against AENT — at least none that has been made public as yet — New York State has taken enforcement action under the state’s Executive Law § 63(12) and General Business Law (“GBL”) §§ 349, 899-aa, and 899-bb.

No One With Expertise in IT and No One Monitoring Vendors Doing a Poor Job

AENT’s investigation determined that the attackers were able to access AENT data storage devices containing the patient records of 213,935 New Yorkers. These patient records included information such as name, address, date of birth, driver’s license number, social security number, diagnosis, conditions, lab results, medications, and other treatment information. AENT initially disclosed that the records included the social security numbers of over 120,000 New Yorkers. It failed, however, to disclose that 80,000 New York driver’s license numbers were also involved.

After the first breach was detected, AENT’s (unnamed) vendor that had been responsible for securing AENT’s data added some security measures and quickly restored the data. They reportedly did not, however, determine the cause of the breach, which left the vulnerability still exploitable by the second group of attackers. After the second breach, AENT hired a cybersecurity firm to investigate and address the problems. That firm was unable to confirm the attack vector, in part because AENT’s vendor had not retained server logs for a reasonable period of time and AENT did not have security programs in place to monitor and analyze server traffic. However, the forensic cybersecurity consultant concluded that the threat actors likely gained access to AENT’s systems through the exploitation of a vulnerability in AENT’s Cisco VPN firewall.

The state’s OAG investigation also discovered that AENT’s data storage devices continued to host unprotected private information months after the two ransomware incidents occurred.

One contributing factor that OAG identified was that there was only a single AENT employee who acted as a “liaison” to the third-party vendors “to implement recommended policies, procedures to ensure data quality, optimized system performance, and maintenance of security protocols.”

“This AENT employee has no IT or InfoSec experience or training,” the Assurance of Discontinuance noted.

The Assurance of Discontinuance includes a litany of security failures by the outsourced vendors and by AENT itself. The settlement imposes a number of security measures and protections plus a monetary penalty.

Under the terms, AENT is to pay the state $1 million in costs and penalties, of which $500,000 is suspended as long as AENT spends $2.25 million over the next five years to upgrade and maintain its information security program. Details of that program and requirements are specified in the Assurance of Discontinuance.

As of publication, there has been no closing statement from HHS OCR about any investigation of theirs into AENT. Although state attorneys general can enforce HIPAA, NYS often ignores its ability to enforce under HIPAA and just enforces under state business laws.

Whatever it takes.

Category: Commentaries and Analyses, Health Data, Of Note, U.S.
