Published on December 09, 2024
NY Attorney General Secures $550K Settlement with HealthAlliance for Deficient Data Handling

New York's Attorney General Letitia James has taken action against Hudson Valley health care facility operator HealthAlliance, securing a $550,000 settlement for deficiencies in its handling of personal and medical data. According to a press release from the Attorney General's office, an investigation found that HealthAlliance failed to patch a critical vulnerability in its system, despite warnings from a vendor. This oversight resulted in a cyber-attack that compromised the records of 242,641 patients.

"HealthAlliance provides essential health care services to New Yorkers, but it also has a responsibility to protect private medical information as part of its patient care," Attorney General James stated. The failure to address the reported vulnerability led HealthAlliance to become a victim of cybercrime, with fraudulent actors infiltrating its systems to steal sensitive data, as detailed by the Attorney General's Office. The settlement includes not only the fiscal penalty but also a series of measures HealthAlliance must now implement to better secure patient data, such as a comprehensive information security program and stringent patch management policies that will require it to act promptly and patch vulnerabilities within 72 hours.

The cyber-attack against HealthAlliance occurred between September and October 2023, resulting in the theft of an extensive array of personal information. This included patient names, addresses, Social Security numbers, health insurance details, and more. In the wake of the attack, HealthAlliance took remedial actions, such as conducting a forensic investigation and updating its devices to a more secure, patched version.

In addition to the monetary penalty, the agreement with the Attorney General’s office compels HealthAlliance to adopt a series of data security measures. These include maintaining a detailed inventory of data, ensuring encryption is up to standard, and restricting and monitoring network activity to prevent similar breaches. The measures are intended to prevent HealthAlliance from ever again becoming an avenue for cyber attackers to gain the personal and medical information of unsuspecting New Yorkers.

The efforts of Attorney General James in this case continue her office’s aggressive stance on data protection and privacy. Previous actions taken this year by her office include a $2.25 million settlement with a Capital Region health care provider and a $4.5 million multi-state settlement with a biotech company, as well as the release of privacy guides for businesses and consumers and a consumer alert about free credit monitoring services. The HealthAlliance case was managed by Assistant Attorney General Marc Montgomery and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, demonstrating the ongoing engagement of the Attorney General’s office in keeping New Yorkers' data out of the hands of criminals.