New York: AG enters into agreement with Refuah to invest $1.2M in data security

On January 5, 2024, the New York Attorney General (AG) published Assurance of Discontinuance No. 23-09 (the Assurance), in which it reached an agreement with Refuah Health Center, Inc. to invest $1.2M to develop and maintain its information security program after violations of the Health Insurance Portability and Accountability Act (HIPAA) and of the General Business Law (GBL), following a data breach.

Background to the settlement

The AG noted that, in May 2021, Refuah's system was targeted by a cyberattack that affected Refuah's private network. The attackers exfiltrated approximately one terabyte of data, some of which contained patient information, and deployed ransomware that encrypted several of Refuah's systems, rendering them inaccessible without the decryption key held by the attackers.

Findings of the AG

Following its investigation, the AG determined that Refuah's conduct violated HIPAA's provisions, including the obligation to:

  • establish policies and procedures to prevent, detect, contain, and correct security violations;
  • conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all protected health information in electronic form, and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with HIPAA;
  • conduct procedures to regularly review records of information system activity;
  • put in place policies and procedures for authorizing access to protected health information in electronic form;
  • implement policies and procedures for granting access to protected health information in electronic form, and establish, document, review, and modify users' rights of access based on access authorization policies;
  • establish procedures for monitoring log-in attempts and reporting discrepancies, and procedures for creating, changing, and safeguarding passwords; and
  • maintain policies and procedures to address security incidents, and identify and respond to suspected or known security incidents.

The AG also found that Refuah failed to comply with the GBL's requirements to disclose a data breach in the most expedient time possible and without unreasonable delay, and to implement and maintain reasonable safeguards to protect consumer information.

Outcomes

In light of the above, the AG stated that Refuah must invest $1.2 million over the next four years to better protect the personal information of consumers, including to:

  • maintain a comprehensive Information Security Program that is reasonably designed to protect the security, integrity, and confidentiality of consumer personal information that Refuah collects, stores, transmits, and/or maintains;
  • appoint a qualified employee to be responsible for implementing, maintaining, and monitoring the Information Security Program;
  • establish, implement, and maintain policies and procedures to appropriately limit access to consumer personal information;
  • within one year of the effective date of the Assurance, obtain a comprehensive assessment of the information security of its network conducted by an independent third-party assessor, which shall be documented and provided to the AG within two weeks of completion;
  • establish, implement, and maintain written policies and procedures that govern the retention of consumer personal information;
  • establish, implement, and maintain a comprehensive incident response plan; and
  • within 90 days of the effective date of the Assurance, provide notice of the 2021 security breach to all consumers whose information was contained within the database and who were not previously provided notice.

Additionally, Refuah must pay the State of New York $450,000 in penalties and costs, of which $100,000 will be suspended if Refuah spends $1.2 million to develop and maintain its information security program.

You can read the press release here and the Assurance here.