
REFUAH REFUSED TO MAINTAIN AN ADEQUATE CYBER-SECURITY SYSTEM

HEALTH CARE PROVIDER HIT WITH $450,000 PENALTY

In a press release issued in early January of this year, the New York State Attorney General’s Office announced it had reached an agreement with Refuah Health Center (up in the Hudson Valley area) for its failure to adequately protect its patients’ personal data from cyber attackers and criminals.

Apparently, back in May of 2021, the company experienced a ransomware attack in which data for thousands of its patients were compromised.

In addition to paying a $450,000 penalty, the company has agreed to expend some $1.2 million to improve its data protection systems and practices.

According to the press release, Refuah has agreed to:

  • Maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumer information;
  • Implement and maintain policies and procedures that limit access to consumer information;
  • Require the use of multi-factor authentication to remotely access resources and data;
  • Regularly rotate credentials that are used to access resources and data;
  • Conduct audits at least semi-annually to ensure users only have access to resources and data necessary for their business functions;
  • Encrypt all consumer information, whether stored or transmitted;
  • Implement controls to monitor and log all security and operational activity of the company’s networks and systems; and
  • Develop, implement, and maintain a comprehensive incident response plan.

In a written statement, Attorney General James noted that, “New Yorkers should receive medical care and trust that their personal and health information is safe …. This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”

Is that a form of data scrubbing?

# # #

NYAG PRESS RELEASE ~ 01.05.24
