NY AG Action and $1M Fine Follow Back-to-Back Hacks That Affected 224,500 in 2023
An upstate New York-based medical specialty practice must spend $2.25 million to improve and maintain its data security practices over the next five years, plus pay state regulators up to a $1 million penalty following an investigation into two ransomware attacks just days apart in 2023 that affected nearly 224,500 patients and employees.
Under the agreement with the New York State Attorney General Office, Albany ENT & Allergy Services P.C. must implement and maintain a long list of data security practices and improvements over the next five fiscal years, spending at least $450,000 annually.
In addition, AENT must pay the $1 million penalty in two $250,000 installments, with the final $500,000 payment suspended if the practice meets the requirement to spend at least $450,000 per year on its data security.
“Healthcare facilities need to take protecting patients’ private information seriously, and that means investing to protect data and responding quickly if breaches occur,” said New York State Attorney General Letitia James in a statement Tuesday.
AENT, an ear, nose, throat and allergy practice with multiple sites around Albany, New York, does not have its own in-house IT or security teams, and outsources those functions to third-party vendors, state documents in the case said.
At the time of the 2023 ransomware incidents, the practice did have one employee who acted as a “liaison” to these third-party vendors “to implement recommended policies, procedures to ensure data quality, optimized system performance, and maintenance of security protocols,” but that worker had no IT or security experience or training, the attorney general’s office said.
Breach Details
Two different ransomware threat actors launched the 2023 attacks on AENT, both leaking data stolen from the practice on the dark web, settlement documents said.
While the state did not identify the two threat actors in the document, at least one of the cybercriminal groups – RansomHouse – on its dark web site still claims to have published 2 terabytes of exfiltrated AENT data (see: Medical Specialty Practice Says Recent Hack Affects 224,500).
The state said its investigation into the incident found that from around March 23, 2023, to April 4, 2023, AENT’s information systems were infiltrated by the two different threat actors.
“The first infiltration was discovered on March 27, 2023, when respondent’s systems first displayed messaging associated with a ransomware attack. Respondent’s IT vendor immediately restored AENT’s systems after implementing some additional security measures,” the state AG said.
But the IT vendor failed to identify the source of the breach before restoring external network access to AENT’s systems, the document said. The second infiltration was discovered just a few days later, on April 2, 2023, when AENT’s systems displayed messaging again, this time from a different ransomware attacker. “After the second incident, AENT hired a forensic cybersecurity firm which remediated any vulnerabilities before restoring it,” the state said.
The forensics investigation found that the two threat actors had been able to access AENT servers containing a variety of information, including 213,935 records of New York patients.
The information compromised during the two incidents included name, date of birth, Social Security number, address, driver’s license number, diagnosis, conditions, lab results, medications, and other treatment information.
“While the threat actors provided some evidence of exfiltrated data that include personal information, the ransoms were not paid,” the state said.
“AENT was unable to confirm the attack vector in part because it did not retain server logs for a reasonable period of time and AENT did not have security programs in place to monitor and analyze server traffic,” the state said. “However, the forensic cybersecurity consultant concluded that the threat actors likely gained access to AENT’s systems through exploitation of a vulnerability in AENT’s Cisco VPN firewall.”
The state attorney general’s investigation into the incidents concluded, among other findings, that AENT failed to adequately monitor the third-party vendors responsible for its cybersecurity functions.
As a result, “those vendors did not timely install critical security software updates, adequately log and monitor network activity, properly encrypt consumers’ private information before and after the attacks, utilize multifactor authentication for all remote access, or otherwise maintain a reasonable information security program,” the attorney general’s office said.
5-Year Security Program Requirements
Under the agreement, AENT must implement and maintain a comprehensive information security program.
That includes keeping an inventory of all the private information on its networks, systems and devices; encrypting all private information, whether stored or transmitted; deploying multifactor authentication on devices that remotely access resources and data; implementing controls to monitor and log all security and operational activity; confirming that critical security updates are installed in a timely manner; maintaining a data security incident response plan; and providing oversight of information security vendors.
These requirements for strengthening the practice’s cybersecurity aim to better “protect the private information of New Yorkers who rely on the Capital Region medical provider,” James said. “I urge all healthcare facilities and general companies to follow guidance from my office on how to have more secure systems to protect New Yorkers’ data.”
AENT did not immediately respond to Information Security Media Group’s request for comment on the New York State settlement.
State Action
The New York State attorney general’s office has been among the most active in taking enforcement actions against entities for data security incidents and breaches, as well as in cases involving HIPAA violations.
“The attorney general has made it a priority to enforce New York’s General Business Law section 99-bb that requires healthcare organizations that are subject to the HIPAA standards to safeguard all personally identifiable patient information,” said attorney David Holtzman of consulting firm HITprivacy LLC.
The state law requirement can be read as similar to the administrative, physical and technical security standards in the HIPAA Security Rule, he said. “In this case, the Office of the Attorney General is highlighting how the state’s investigation found that AENT had failed to implement an information security program to safeguard PII to the standards required in New York law,” he said.
Last month, New York State also enacted new cybersecurity requirements that currently pertain only to in-patient hospitals (see: New York State Enacts New Cyber Requirements for Hospitals).
“New York’s Department of Health has shown itself to be extremely competent in developing hospital surveys to ensure compliance with its regulations in other areas, especially those that impact patient safety,” Holtzman said. “I would fully expect that NY-DOH will find a way to supply its expertise enforcing the new cybersecurity safeguards regulations.”