Attorney General James Reaches Agreement with Hudson Valley Health Care Provider to Invest 12 Million to Protect Patient Data

pNEW YORK New York Attorney General Letitia James today announced an agreement with a Hudson Valleyarea health care provider Refuah Health Center Inc Refuah for failing to safeguard the personal and private health information of its patients The Office of the Attorney General OAG found that Refuah failed to maintain appropriate controls to protect and limit access to sensitive data including by failing to encrypt patient information and using multifactor authentication As a result of Refuahs poor data security the health care provider experienced a ransomware attack that compromised the personal and private information of approximately 250000 New Yorkers Todays agreement requires Refuah to invest 12 million to strengthen its cybersecurity and pay 450000 in penalties and costs  ppNew Yorkers should receive medical care and trust that their personal and health information is safe said Attorney General James This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care Strong data security is critically necessary in todays digital age and my office will continue to protect New Yorkers data from companies with inadequate cybersecurityppRefuah is a health care provider that operates three facilities and five mobile medical vans in the Hudson Valley In May 2021 Refuah experienced a ransomware attack where the cyberattacker was able to access the data of thousands of patients Refuah determined that attackers gained access to files containing names addresses phone numbers social security numbers drivers license numbers dates of birth financial account numbers medical insurance numbers and various healthrelated information The OAGs investigation concluded that attackers were able to access this data because Refuah had failed to adopt appropriate data security practices to protect patients personal and health information Refuah failed to decommission inactive user accounts rotate user account credentials restrict employees access to only those resources and data that were necessary for their business functions use multifactor authentication and encrypt patient information  ppAs a result of todays agreement Refuah has agreed to invest 12 million to develop and maintain stronger information security programs to better protect patient data The agreement also requires the health care provider to ppRefuah is also required to pay 450000 in penalties and costs to the state of which 100000 will be suspended when the company spends 12 million to develop and maintain its information security program ppTodays agreement continues Attorney General James efforts to protect New Yorkers personal information and hold companies accountable for their poor data security practices In December Attorney General James secured 400000 from a dental insurance provider Healthplex Inc for failing to safeguard consumers private information In November Attorney General James secured 450000 from US Radiology for failing to protect patient data In October Attorney General James secured 350000 from Long Island health care company Personal Touch for failing to secure the data of 300000 New Yorkers Also in October Attorney General James and a multistate coalition secured 495 million from cloud company Blackbaud for a 2020 data breach exposing the data of thousands of users In September Attorney General James reached an agreement with Marymount Manhattan College to invest 35 million to protect students online data In May Attorney General James recouped 550000 from a medical management company for failing to protect patient data In April Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices  ppThis matter was handled by Senior Enforcement Counsel Jordan Adler and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology under the supervision of Bureau Chief Kim Berger The Bureau of Internet and Technology is a part of the Division for Economic Justice which is led by Chief Deputy Attorney General Chris DAngelo The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy  ppWe Value Your Privacy
We use cookies to enhance your browsing experience serve personalized content and analyze our traffic By using this website you consent to our use of cookiesp