New York Attorney General Letitia James has reached an agreement with Refuah Health Center, Inc. to address the health care provider’s failure to protect patient data. Refuah experienced a ransomware attack that compromised the personal and private information of around 250,000 New Yorkers. The investigation found that Refuah lacked appropriate controls, such as encryption and multi-factor authentication, to safeguard sensitive data. As part of the agreement, Refuah will invest $1.2 million to enhance its cybersecurity and pay $450,000 in penalties and costs.
Refuah operates three facilities and five mobile medical vans in the Hudson Valley. The cyber-attacker gained access to patient data, including names, addresses, Social Security numbers, and medical insurance numbers. The investigation revealed that Refuah had not implemented proper data security practices, such as decommissioning inactive user accounts and restricting employee access. The health care provider also failed to use multi-factor authentication and encrypt patient information.
To strengthen its information security, Refuah has agreed to develop and maintain a comprehensive information security program. This program will include measures such as limiting access to consumer information, implementing multi-factor authentication, regularly rotating credentials, and encrypting all consumer information. Refuah will also conduct audits, monitor security and operational activity, and establish an incident response plan. Additionally, Refuah will pay $450,000 in penalties and costs, with $100,000 suspended upon the completion of the information security program.