Attorney General James Secures $2.25 Million from Capital Region Health Care Provider to Protect Patient Data
NEW YORK - New York Attorney General Letitia James today secured $2.25 million from a Capital Region health care provider, Albany ENT & Allergy Services, PC (AENT), for failing to protect the private information and medical data of New Yorkers. In 2023, AENT suffered two cyberattacks that compromised the medical records of over 200,000 New York patients. The Office of the Attorney General (OAG) found that AENT did not maintain reasonable safeguards to protect patient data and did not adequately respond to the cyberattacks on its systems. Today's agreement requires AENT to pay $500,000 in penalties and invest $2.25 million to strengthen its information security practices to protect patient data.

"No one should have to worry about having their data stolen simply because they visited a doctor," said Attorney General James. "Health care facilities need to take protecting patients' private information seriously, and that means investing to protect data and responding quickly if breaches occur. Today's agreement with AENT will strengthen its cybersecurity and protect the private information of New Yorkers who rely on this Capital Region medical provider. I urge all health care facilities and general companies to follow guidance from my office on how to have more secure systems to protect New Yorkers' data."

AENT operates specialized medical facilities in the Capital Region with expertise in medical and surgical needs involving the ears, nose, and throat. In 2023, AENT suffered ransomware attacks from two different threat actors on two separate occasions only 10 days apart. After the second attack, AENT hired a different cybersecurity firm, which identified the vulnerability that allowed hackers to access its system and corrected those vulnerabilities before restoring the system.

AENT determined that the cyberattacks were able to access AENT data storage devices containing the patient records of 213,935 New Yorkers. These patient records included information such as name, address, date of birth, driver's license number, social security number, diagnosis, conditions, lab results, medications, and other treatment information. AENT initially disclosed that the records included the social security numbers of over 120,000 New Yorkers.

The OAG investigation determined that AENT had not initially disclosed to the state the exposure of over 80,000 New York resident driver's license numbers. The investigation also discovered that AENT's data storage devices continued to host unprotected private information months after the two ransomware incidents occurred.

AENT did not internally employ anyone with information security expertise and outsourced its information security program to two third-party vendors. The OAG investigation concluded that AENT failed to adequately monitor the third-party vendors responsible for their cybersecurity functions. As a result, those vendors did not timely install critical security software updates, adequately log and monitor network activity, properly encrypt consumers' private information before and after the attacks, utilize multifactor authentication for all remote access, or otherwise maintain a reasonable information security program.

As a result of today's agreement, AENT will invest $2.25 million in its information security program over five years and offer affected consumers one year of free credit monitoring. AENT is also required to establish and maintain

AENT is also required to pay $1 million in penalties and costs to the state, of which $500,000 will be suspended so long as the company spends $2.25 million over the next five years to upgrade and maintain its information security program.

Attorney General James has taken major actions to hold companies accountable for having poor cybersecurity and to improve data security practices. In August 2024, Attorney General James and a multistate coalition secured $4.5 million from a biotech company for failing to protect patient data. In July 2024, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In July 2024, Attorney General James issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach. In March 2024, Attorney General James led a bipartisan coalition of 41 attorneys general in sending a letter to Meta Platforms, Inc. (Meta) addressing the recent rise of Facebook and Instagram account takeovers by scammers and frauds. In January 2024, Attorney General James reached an agreement with a Hudson Valley health care provider to invest $1.2 million to protect patient data.

This matter was handled by Assistant Attorney General Gena Feist and Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger of the Bureau of Internet and Technology. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D'Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.