The operator of a Delaware County hospital and nursing home will have to pay for a data breach.
New York Attorney General Letitia James on Monday announced she had secured $550,000 from HealthAlliance for failing to properly protect the personal and medical information of its patients.
According to a news release from James’ office, an investigation found that the health care facility did not address a weakness in its system that was raised by one of its vendors, leading to a cyber-attack that compromised the personal and medical information of HealthAlliance patients. As a result of an agreement, HealthAlliance is required to pay $550,000 in penalties and strengthen its data security practices, including by immediately addressing any weaknesses in its systems when it is notified of a vulnerability.
HealthAlliance operates healthcare facilities in Delaware and Ulster counties, including Margaretville Hospital in Margaretville, Mountainside Residential Care Center in Margaretville and HealthAlliance Hospital in Kingston.
“HealthAlliance provides essential health care services to New Yorkers, but it also has a responsibility to protect private medical information as part of its patient care,” James said. “No one should have to worry that when they seek medical care, they are putting their private information in the hands of scammers and hackers. Every company that is entrusted by New Yorkers with personal information, especially financial and medical data, must take necessary precautions to ensure their systems are not vulnerable to cyberattacks.”
In July 2023, a HealthAlliance vendor for its web applications released a cybersecurity alert and instructed its clients to take action to patch a vulnerability in its system, the release stated. While HealthAlliance was aware of the vulnerability, it was unable to apply the patch due to technical issues. Instead of taking the product offline, it continued to operate it with the vulnerability while it worked with support teams to diagnose and address the problem.
Between September and October 2023, cyber-attackers were able to infiltrate the vulnerability in HealthAlliance’s system and steal sensitive information, including patient records and employee information, according to the release. In response, HealthAlliance commenced a forensic investigation and replaced its devices with new ones that had been successfully patched for the vulnerability. The forensic investigation revealed that the cyber-attackers had exploited the vulnerability and stolen data that included the personal and medical information of 242,641 patients. The data stolen included patient names, addresses, dates of birth, Social Security numbers, diagnoses, lab results, medications and other treatment information, health insurance information, provider names, dates of treatment and/or financial information, the release stated.
As a result of Monday’s agreement, HealthAlliance agreed to pay a $1,400,000 penalty, of which $850,000 will be suspended “because of HealthAlliance’s financial condition and its role in providing essential health care services to New Yorkers in underserved areas,” the release stated. In addition, HealthAlliance agreed to adopt a series of procedures designed to strengthen its cybersecurity practices going forward, including:
• Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
• Developing and maintaining data inventory to ensure all private information is stored in accordance with data security and privacy policies, including appropriate encryption;
• Maintaining and enforcing a patch management policy that requires that critical vulnerabilities are patched within 72 hours or that the associated vulnerability is neutralized; and
• Adopting a series of additional security measures to restrict and monitor network activity.
link