(WNY News Now) – NEW YORK – New York Attorney General Letitia James today announced an agreement with a Hudson Valley-area health care provider, Refuah Health Center, Inc. (Refuah), for failing to safeguard the personal and private health information of its patients. The Office of the Attorney General (OAG) found that Refuah failed to maintain appropriate controls to protect and limit access to sensitive data, including by failing to encrypt patient information and using multi-
“New Yorkers should receive medical care and trust that their personal and health information is safe,” said Attorney General James. “This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.
Refuah is a health care provider that operates three facilities and five mobile medical vans in the Hudson Valley. In May 2021, Refuah experienced a ransomware attack where the cyber-attacker was able to access the data of thousands of patients. Refuah determined
As a result of today’s agreement, Refuah has agreed to invest $1.2 million to develop and maintain stronger
- Maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumer information;
- Implement and maintain policies and procedures that limit access to consumer information;
- Require the use of multi-factor authentication to remotely access resources and data;
- Regularly rotate credentials that are used to access resources and data;
- Conduct audits at least semi-annually to ensure users only have access to resources and data necessary for their business functions;
- Encrypt all consumer information, whether stored or transmitted;
- Implement controls to monitor and log all security and operational activity of the company’s networks and systems; and
- Develop, implement, and maintain a comprehensive incident response plan.
Refuah is also required to pay $450,000 in penalties and costs to the state, of which $100,000 will be suspended when the company spends $1.2 million to develop and maintain its information security program.
Today’s agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for their poor data security practices. In December, Attorney General James secured $400,000 from a dental insurance provider, Healthplex, Inc., for failing to safeguard consumers’ private information. In November, Attorney General James secured $450,000 from U.S. Radiology for failing to protect patient data. In October, Attorney General James secured $350,000 from Long Island health care company Personal Touch for failing to secure the data of 300,000 New Yorkers. Also in October, Attorney General James and a multistate coalition secured $49.5 million from cloud company Blackbaud for a 2020 data breach exposing the data of thousands of users. In September, Attorney General James reached an agreement with Marymount Manhattan College to invest $3.5 million to protect students’ online data. In May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices.
This matter was handled by Senior Enforcement Counsel Jordan Adler and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.
Leave a Reply