NY AG: Refuah Health Must Invest $1.2M In Security Following Ransomware Attack

New York Attorney General Letitia James also secured $450K in penalties from Refuah Health, which suffered a ransomware attack after it allegedly failed to safeguard patient information.

By Jill McKeon

New York Attorney General Letitia James reached an agreement with Refuah Health Center over alleged failures to protect the private health information of patients, which led to a ransomware attack. Refuah Health agreed to pay $450,000 in penalties and to invest $1.2 million in strengthening its cybersecurity.

The Hudson Valley-based provider, which operates three facilities and five mobile medical vans, suffered a ransomware attack in May 2021. During the attack, cyber threat actors were able to access information pertaining to 250,000 New Yorkers. The impacted files contained names, phone numbers, addresses, Social Security numbers, dates of birth, financial account numbers, driver’s license numbers, medical insurance numbers, and various health information.

The Office of the Attorney General (OAG) launched an investigation into the attack and determined that the threat actors were successful in their attack because Refuah had failed to employ appropriate security safeguards to protect patient information.

“Refuah failed to decommission inactive user accounts, rotate user account credentials, restrict employees’ access to only those resources and data that were necessary for their business functions, use multi-factor authentication, and encrypt patient information,” the OAG stated.

Due to these alleged failures, the OAG’s agreement required Refuah to make significant investments in security going forward. Refuah agreed to devote $1.2 million to maintaining a comprehensive information security program, requiring multi-factor authentication, and regularly rotating credentials. Additionally, Refuah will conduct semi-annual audits to ensure users only have access to relevant resources, encrypt all consumer information and log security activity on the company’s network.

Of the $450,000 in penalties and costs that Refuah will pay to the state, $100,000 will be suspended when the company spends $1.2 million to maintain its information security program.

“New Yorkers should receive medical care and trust that their personal and health information is safe,” James said.

“This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”

The Refuah Health settlement is the latest in a string of healthcare data breach settlements taken on by the New York OAG. The OAG recently fined NewYork-Presbyterian Hospital (NYP) $300,000 over its use of tracking tech, which resulted in private information being shared with third-party tech companies. NYP agreed to update its policies, implement enhanced privacy safeguards, and secure the deletion of protected health information.

The OAG also reached a $400,000 settlement with Healthplex, a large dental insurance provider, in relation to a phishing attack and subsequent data breach that occurred in November 2021.

These actions signify an increased focus on healthcare cybersecurity at the state level as cyberattacks continue to impact patients across the country. New York continues to be a leader in state-level healthcare cybersecurity enforcement. In November 2023, New York Governor Kathy Hochul proposed a set of cybersecurity regulations that would apply to hospitals across the state, in addition to $500 million in funding to help healthcare organizations upgrade their systems to meet the requirements of the proposed rule.

If passed, the regulations will require hospitals to implement defensive infrastructure to prevent cyberattacks, establish a chief information security officer (CISO) role if not already in place, and use multi-factor authentication.