The New York attorney general fined the Refuah Health Center up to $450,000 in a settlement regarding a 2021 ransomware attack, requiring the federally funded health center to invest over $1 million in enhancing its data security.
What happened?
The Refuah Health Center in Spring Valley, NY, faced a settlement fine of up to $450,000 from the New York attorney general following a 2021 ransomware attack. A forensic investigation disclosed that the attackers gained access through a security camera system with a static four-digit code, exploiting outdated administrative credentials linked to a former IT vendor. Despite the vendor's disassociation since 2014, the credentials had not been changed, and multifactor authentication was not enabled, allowing the attackers to exfiltrate patient data and encrypt files for extortion over two days. The attackers also used ransomware to encrypt several of Refuah's systems, which made them impossible to access without the decryption key.
The cyberattack, orchestrated by the Lorenz group, compromised patient information for an estimated 195,000 to 234,000 individuals. The settlement requires Refuah to pay a minimum of $350,000 and allows for the potential suspension of an additional $100,000 if the health center strengthens its cybersecurity program. The investigation revealed numerous violations of HIPAA Privacy, Security, and breach notification rules, including inactive user account oversight, a lack of multifactor authentication, and insufficient logging for user activity review. Refuah, a federally qualified health center serving medically underserved communities, must allocate $1.2 million from 2024 to 2028 to enhance its information security program.
What was said?
According to govinfo security, the agreement between Refuah Health Center and the attorney general said that the health center “must pay at least $350,000, with the possibility of the attorney general suspending an additional $100,000 payment so long as the center beefs up its cybersecurity program.” This agreement requires the center spend "$1.2 million between fiscal 2024 and 2028 in developing and maintaining an improved information security program.”
Privacy attorney David Holtzman of consultancy HITprivacy LLC said, "It is not unusual to see a financial settlement require the healthcare organization to invest resources towards strengthening its information security programs." However, he does find the large fine unusual as "FQHCs generally serve medically underserved communities and receive the majority of their support from federal and state funds," resulting in minimal fines.
Related: What are the penalties for HIPAA violations?
Why it matters
This story is significant in terms of HIPAA (Health Insurance Portability and Accountability Act) regulations and standards for several reasons:
- HIPAA violations: The investigation revealed multiple violations of HIPAA privacy, security, and breach notification rules. These included issues such as inactive user accounts, a lack of multifactor authentication, and insufficient logging for user activity review.
- Data breach impact: The ransomware attack resulted in the compromise of sensitive patient information for many individuals. This underscores the importance of maintaining robust security measures to protect patient data.
- Failure in risk assessment: The health center had not conducted a risk assessment since March 2017, and several identified issues had gone unresolved. Regular risk assessments are a fundamental component of HIPAA compliance, emphasizing the need for ongoing evaluation and mitigation of security risks.
- Delayed breach response: The settlement revealed that Refuah failed to conduct a timely and appropriate investigation to identify affected patients after the security incident. HIPAA requires covered entities to promptly respond to and mitigate the impact of breaches, emphasizing the importance of a swift and effective response.
- Importance of information security programs: The settlement mandates Refuah to invest over $1 million in developing and maintaining an improved information security program. This aligns with HIPAA's emphasis on implementing comprehensive security measures to safeguard patient health information.
Bottom line
The Refuah Health Center's ransomware incident underscores the need for cybersecurity measures in healthcare organizations to protect patient data and adhere to HIPAA regulations. This event highlights the evolving and persistent threats faced by healthcare providers.
The healthcare industry must prioritize cybersecurity efforts to safeguard sensitive patient information, urging organizations to regularly assess and enhance their security protocols in the face of evolving cyber threats.
Related: HIPAA Compliant Email: The Definitive Guide
Tshedimoso Makhene
