Once again, we see a state attorney general taking data protection enforcement action against a healthcare entity when HHS hasn’t. The incident referred to below was reported to HHS’s public breach tool in December 2023, but there is no notation that any HHS investigation into it has been closed. From the NYS Attorney General’s Office, December 9:
NEW YORK – New York Attorney General Letitia James today secured $550,000 from a Hudson Valley health care facility operator, HealthAlliance, for failing to properly protect the personal and medical information of New Yorkers. An investigation by the Office of the Attorney General (OAG) found that the health care facility did not address a weakness in its system that was raised by one of its vendors, leading to a cyber-attack that compromised the personal and medical information of 242,641 HealthAlliance patients. As a result of today’s agreement, HealthAlliance is required to pay $550,000 in penalties and strengthen its data security practices, including by immediately addressing any weaknesses in its systems when it is notified of a vulnerability.
“HealthAlliance provides essential health care services to New Yorkers, but it also has a responsibility to protect private medical information as part of its patient care,” said Attorney General James. “No one should have to worry that when they seek medical care, they are putting their private information in the hands of scammers and hackers. Every company that is entrusted by New Yorkers with personal information, especially financial and medical data, must take necessary precautions to ensure their systems are not vulnerable to cyberattacks.”
HealthAlliance operates healthcare facilities in Ulster and Delaware counties, including HealthAlliance Hospital in Kingston, Margaretville Hospital in Margaretville, and Mountainside Residential Care Center in Margaretville. In July 2023, a HealthAlliance vendor for its web applications released a cybersecurity alert and instructed its clients to take action to patch a vulnerability in its system. While HealthAlliance was aware of the vulnerability, it was unable to apply the patch due to technical issues. Instead of taking the product offline, it continued to operate it with the vulnerability while it worked with support teams to diagnose and address the problem.
Between September and October 2023, cyber-attackers were able to infiltrate the vulnerability in HealthAlliance’s system and steal sensitive information, including patient records and employee information. In response, HealthAlliance commenced a forensic investigation and replaced its devices with new ones that had been successfully patched for the vulnerability. The forensic investigation revealed that the cyber-attackers had exploited the vulnerability and exfiltrated data that included the personal and medical information of 242,641 New York residents. The data stolen by the threat actors included patient names, addresses, dates of birth, Social Security numbers, diagnoses, lab results, medications, and other treatment information, health insurance information, provider names, dates of treatment, and/or financial information.
As a result of today’s agreement, HealthAlliance agreed to pay a $1,400,000 penalty, of which $850,000 will be suspended because of HealthAlliance’s financial condition and its role in providing essential health care services to New Yorkers in underserved areas. In addition, HealthAlliance agreed to adopt a series of procedures designed to strengthen its cybersecurity practices going forward, including:
- Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
- Developing and maintaining data inventory to ensure all private information is stored in accordance with data security and privacy policies, including appropriate encryption;
- Maintaining and enforcing a patch management policy that requires that critical vulnerabilities are patched within 72 hours or that the associated vulnerability is neutralized; and
- Adopting a series of additional security measures to restrict and monitor network activity.
Today’s agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for inadequate data security practices. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider, AENT, for failing to protect patients’ data. In August 2024, Attorney General James and a multistate coalition secured $4.5 million from a biotech company for failing to protect patient data. In July 2024, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In July 2024, Attorney General James issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach. In March 2024, Attorney General James led a bipartisan coalition of 41 attorneys general in sending a letter to Meta Platforms, Inc (Meta) addressing the recent rise of Facebook and Instagram account takeovers by scammers and frauds. In January 2024, Attorney General James reached an agreement with a Hudson Valley health care provider to invest $1.2 million to protect patient data.
This matter was handled by Assistant Attorney General Marc Montgomery and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.