The New York attorney general fined the Refuah Health Center up to $450,000 in a settlement regarding a 2021 ransomware attack, requiring the federally funded health center to invest over $1 million in enhancing its data security.
The Refuah Health Center in Spring Valley, NY, faced a settlement fine of up to $450,000 from the New York attorney general following a 2021 ransomware attack. A forensic investigation found that the attackers gained access through a security camera system protected by a static four-digit code, and then used outdated administrative credentials belonging to a former IT vendor. Although the vendor had not worked with Refuah since 2014, the credentials had never been changed, and multifactor authentication was not enabled, allowing the attackers to exfiltrate patient data and encrypt files for extortion over two days. The attackers also used ransomware to encrypt several of Refuah's systems, which made them impossible to access without the decryption key.
The cyberattack, orchestrated by the Lorenz group, compromised patient information for an estimated 195,000 to 234,000 individuals. The settlement requires Refuah to pay a minimum of $350,000 and allows an additional $100,000 to be suspended if the health center strengthens its cybersecurity program. The investigation revealed numerous violations of the HIPAA Privacy, Security, and Breach Notification Rules, including failure to manage inactive user accounts, a lack of multifactor authentication, and insufficient logging to allow user activity to be reviewed. Refuah, a federally qualified health center serving medically underserved communities, must allocate $1.2 million from 2024 to 2028 to enhance its information security program.
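The three control failures the investigation names (an unmanaged account left over from a vendor that departed years earlier, credentials never rotated, and privileged access without MFA) are all visible in a plain identity inventory. The following is an added example, not code from the article or from Refuah, that audits a constructed account list for those conditions; the vendor name, account names and dates are hypothetical placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Account:
    username: str
    owner: str                     # person, team or vendor the account belongs to
    is_admin: bool
    mfa_enabled: bool
    password_last_set: date
    last_login: Optional[date]     # None means the account has never logged in

# Constructed sample data; "old-it-vendor" and its offboarding date are hypothetical.
VENDOR_END_DATES = {"old-it-vendor": date(2014, 6, 30)}

ACCOUNTS = [
    Account("vendor-admin", "old-it-vendor", True, False, date(2013, 11, 2), date(2014, 5, 20)),
    Account("camera-svc", "facilities", True, False, date(2019, 1, 15), None),
    Account("jdoe", "staff", False, True, date(2023, 9, 1), date(2023, 12, 1)),
]

def audit_accounts(accounts: List[Account], vendor_end_dates: Dict[str, date], today: date,
                   max_idle_days: int = 90, max_pw_age_days: int = 365) -> Dict[str, List[str]]:
    """Return, per account, the reasons it should be disabled, rotated or hardened."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        reasons = []
        end = vendor_end_dates.get(a.owner)
        if end is not None and end < today:
            reasons.append("belongs to a vendor whose engagement has ended; disable it")
        if a.last_login is None or (today - a.last_login).days > max_idle_days:
            reasons.append("inactive beyond %d days; review or disable" % max_idle_days)
        if (today - a.password_last_set).days > max_pw_age_days:
            reasons.append("credential older than %d days; rotate it" % max_pw_age_days)
        if a.is_admin and not a.mfa_enabled:
            reasons.append("privileged account without MFA; enforce MFA")
        if reasons:
            findings[a.username] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in audit_accounts(ACCOUNTS, VENDOR_END_DATES, date(2024, 2, 1)).items():
        print(user, "->", "; ".join(reasons))
```

The same checks map directly onto the logging requirement the settlement cites: an audit like this is only possible if last-login and credential-change events are being recorded and retained.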
According to GovInfoSecurity, the agreement between Refuah Health Center and the attorney general said that the health center "must pay at least $350,000, with the possibility of the attorney general suspending an additional $100,000 payment so long as the center beefs up its cybersecurity program." The agreement also requires that the center spend "$1.2 million between fiscal 2024 and 2028 in developing and maintaining an improved information security program."
Privacy attorney David Holtzman of consultancy HITprivacy LLC said, "It is not unusual to see a financial settlement require the healthcare organization to invest resources towards strengthening its information security programs." However, he considers the size of the fine unusual, because "FQHCs generally serve medically underserved communities and receive the majority of their support from federal and state funds," which usually results in minimal fines.
This story is significant in terms of HIPAA (Health Insurance Portability and Accountability Act) regulations and standards for several reasons:
The Refuah Health Center's ransomware incident underscores the need for healthcare organizations to maintain cybersecurity measures that protect patient data and meet HIPAA requirements. It also illustrates the evolving and persistent threats that healthcare providers face.
The healthcare industry must prioritize cybersecurity efforts to safeguard sensitive patient information, urging organizations to regularly assess and enhance their security protocols in the face of evolving cyber threats.