NYS: Clinic Must Pay $450K Fine, Spend $1.2M on Security
State AG Settlement Comes After 2021 Lorenz Ransomware Attack on Health Center
The New York attorney general has fined a federally funded health center that serves underserved communities up to $450,000 under a settlement that ends an investigation into a 2021 ransomware attack. The settlement also requires the center to invest more than $1 million in improving its data security.
Under the agreement, the Refuah Health Center in Spring Valley, N.Y., must pay at least $350,000; the attorney general may suspend an additional $100,000 payment so long as the center strengthens its cybersecurity program.
The settlement commits the center to spending $1.2 million between fiscal 2024 and 2028 in developing and maintaining an improved information security program. Refuah, a federally qualified health center, operates three healthcare facilities in New York and five mobile medical vans.
"It is not unusual to see a financial settlement require the healthcare organization to invest resources towards strengthening its information security programs," said privacy attorney David Holtzman of consultancy HITprivacy LLC.
Holtzman said he finds the large fine unusual. "FQHCs generally serve medically underserved communities and receive the majority of their support from federal and state funds," he said. "In the past, while not diminishing the importance of safeguarding patient health information by establishing and maintaining strong cybersecurity programs, fines involving these types of providers have been de minimis."
The enforcement action follows a state investigation into a May 2021 attack on the health center by the Lorenz ransomware group, which involved data exfiltration, encryption and extortion. The attackers stole files pertaining to approximately 195,000 to 234,000 patients.
The investigation found multiple violations of the HIPAA privacy, security and breach notification rules, settlement documents say. The lapses included a failure to decommission inactive user accounts, a lack of multifactor authentication and a lack of logging for reviewing user activity. The last time the center had conducted a risk assessment was in March 2017, and several of the issues identified at the time had gone unresolved as of the day of the ransomware attack.
In the aftermath of the security incident, Refuah failed to conduct an appropriate investigation to identify patients whose information had been compromised in the data breach, the settlement document says.
The health center must appoint "a qualified employee" to be responsible for implementing, maintaining and monitoring the information security program. That individual must report at a minimum semi-annually to Refuah's CEO, senior management and board of directors.
Refuah did not immediately respond to Information Security Media Group's request for comment on the settlement.
A forensics investigation into the Refuah incident found that attackers had gained access to a system used for viewing video taken by security cameras. Access to this system was protected by a static four-digit code.
From the video viewing system, the hackers had remotely accessed Refuah's network using login credentials for an administrative account that were stolen during the attack.
"The administrative credentials the attackers exploited to gain remote access were associated with a Refuah account used by a former IT vendor. The credentials had not been changed for at least 11 years," the settlement document says.
Also, "despite the fact that the IT vendor had not worked with Refuah since 2014, the account used by the vendor had not been deleted or disabled. Multifactor authentication was not enabled for the account," regulators said.
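The account described above fails several checks at once: it is administrative, its credential had not been rotated for over a decade, its owner (a vendor) had not worked with the organization for years, and it had no MFA. The audit below, an added example and not code from the settlement or from Refuah, runs those checks over a constructed directory export. The `Account` fields, the policy thresholds (90 days) and the sample accounts are assumptions for illustration; a real run would populate the records from the directory service's own export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy thresholds for this example; the settlement sets no specific numbers.
MAX_PASSWORD_AGE_DAYS = 90      # rotate or retire credentials older than this
MAX_DORMANT_DAYS = 90           # an account unused this long should be disabled


@dataclass
class Account:
    name: str
    is_admin: bool
    enabled: bool
    mfa_enabled: bool
    password_last_set: date          # when the credential was last rotated
    last_logon: Optional[date]       # None if the account has never logged on
    owner_active: bool               # does the employee or vendor still work with us?


def audit_accounts(accounts, today_iso):
    """Return {account name: [issues]} for enabled accounts that violate policy.

    Accounts that are already disabled are skipped: they cannot be used for
    remote access, which is the risk this audit is about.
    """
    today = date.fromisoformat(today_iso)
    findings = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        issues = []
        pw_age = (today - acct.password_last_set).days
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password unchanged for {pw_age} days")
        if acct.last_logon is None or (today - acct.last_logon).days > MAX_DORMANT_DAYS:
            issues.append("dormant: no logon within policy window")
        if not acct.owner_active:
            issues.append("owner no longer works with the organization")
        if acct.is_admin and not acct.mfa_enabled:
            issues.append("administrative account without MFA")
        if issues:
            findings[acct.name] = issues
    return findings


def recommended_action(issues):
    """Map a set of findings to the action an administrator should take."""
    if any(i.startswith("dormant") or i.startswith("owner") for i in issues):
        return "disable"           # nobody legitimate should be using this account
    if issues:
        return "rotate password and enforce MFA"
    return "none"


# Constructed sample directory export (hypothetical names, not Refuah's data).
# The vendor account mirrors the pattern in the settlement: an admin credential
# set more than a decade earlier, last used in 2014, vendor gone, no MFA.
SAMPLE_ACCOUNTS = [
    Account("svc-itvendor-admin", True, True, False, date(2010, 1, 15), date(2014, 6, 30), False),
    Account("jdoe", False, True, True, date(2021, 3, 2), date(2021, 5, 19), True),
    Account("old-intern", False, False, False, date(2015, 8, 1), date(2015, 12, 20), False),
    Account("helpdesk-admin", True, True, False, date(2021, 4, 10), date(2021, 5, 20), True),
]

if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE_ACCOUNTS, "2021-05-20").items():
        print(f"{name}: {recommended_action(issues)}")
        for issue in issues:
            print(f"  - {issue}")
```

The `owner_active` flag is the check most directories cannot answer on their own: it has to come from HR or vendor-management records, which is why offboarding a vendor must include a step that walks every account the vendor ever held.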
Attackers gained access to a variety of Refuah systems and data that contained patient information, including thousands of unencrypted files stored on shared network space, employee emails and a database.
Over the course of two days, the attackers exfiltrated files and data that contained patient information and maliciously encrypted files for later extortion purposes.
Refuah discovered the attack on June 1, 2021. "By that time, the attackers had exfiltrated approximately a terabyte of data," the settlement document says.
Refuah was unable to identify the files that had been stolen because the health center did not have systems in place to log this activity. Also, "system artifacts that might have indicated the scope of the breach were lost when systems were rebuilt to block the attackers' continued access and to restore systems and services supporting Refuah's medical operations and patient care."
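A terabyte leaving the network over two days is hard to miss if anyone is counting bytes per host per day. The example below, added here and not part of the settlement or any Refuah system, shows that minimal accounting over constructed flow records. The record format (`timestamp src dst bytes`), the internal address ranges, the 50 GB per day threshold and the sample flows are all assumptions; the 203.0.113.0/24 addresses are the documentation range standing in for an attacker host. A second point the settlement raises is that rebuilding hosts destroyed the artifacts that could have scoped the breach; records like these only help if they are shipped to a collector the rebuild does not touch.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Networks treated as internal (assumed for this example). Traffic between two
# internal hosts is excluded: we only count bytes that leave the network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed alert threshold: more than 50 GB leaving one host in one calendar day.
DAILY_EGRESS_THRESHOLD_BYTES = 50_000_000_000

# Constructed flow records (timestamp, source, destination, bytes sent). These
# are not logs from the incident; the dates and volumes are illustrative only.
SAMPLE_FLOWS = """
2021-05-29T14:02:11Z 10.20.5.14 203.0.113.45 2000000000
2021-05-30T01:12:04Z 10.20.5.14 203.0.113.45 250000000000
2021-05-30T03:48:51Z 10.20.5.14 203.0.113.45 150000000000
2021-05-30T09:15:00Z 10.20.5.14 10.20.9.2    900000000000
2021-05-30T10:02:13Z 10.20.7.31 203.0.113.80 500000000
2021-05-31T00:30:27Z 10.20.5.14 203.0.113.45 300000000000
2021-05-31T02:10:09Z 10.20.5.14 203.0.113.45 200000000000
2021-05-31T04:55:42Z 10.20.5.14 203.0.113.45 100000000000
2021-05-31T11:20:33Z 10.20.7.31 203.0.113.80 800000000
"""


def is_internal(ip_text):
    """True if the address falls inside one of the configured internal networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse 'timestamp src dst bytes' lines into tuples; blank lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return flows


def egress_by_host_day(flows):
    """Sum bytes sent by each internal host to external destinations, per day.

    Returns {(host, 'YYYY-MM-DD'): bytes}. The large internal copy in the sample
    (10.20.5.14 -> 10.20.9.2) is deliberately ignored by this accounting.
    """
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, ts.date().isoformat())] += nbytes
    return dict(totals)


def flag_exfiltration(flows, threshold=DAILY_EGRESS_THRESHOLD_BYTES):
    """Return [(host, day, bytes)] for every host-day above the threshold, sorted."""
    return sorted((host, day, total)
                  for (host, day), total in egress_by_host_day(flows).items()
                  if total > threshold)


if __name__ == "__main__":
    for host, day, total in flag_exfiltration(parse_flows(SAMPLE_FLOWS)):
        print(f"{day} {host} sent {total / 1e9:.0f} GB to external hosts")
```

A fixed threshold is the crudest possible rule; a per-host baseline (for example, flagging a day at several times that host's own median) catches smaller, slower transfers. Either rule depends on the same thing Refuah lacked: flow or proxy records that are collected continuously and stored somewhere a rebuild of the compromised hosts cannot erase.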