HealthAlliance Pays $550,000 for Failing to Address a Known Cybersecurity Vulnerability
A New York healthcare provider that experienced a breach of the personal and protected health information of 242,641 New Yorkers has been ordered to pay a financial penalty of $550,000 and take steps to strengthen its data security practices. HealthAlliance serves patients in Ulster and Delaware counties in New York State and operates HealthAlliance Hospital in Kingston, Margaretville Hospital in Margaretville, and Mountainside Residential Care Center in Margaretville.
In July 2023, HealthAlliance was notified by its vendor, Citrix, that three vulnerabilities had been identified in its NetScaler networking products, including the critical zero-day vulnerability CVE-2023-3519, an unauthenticated remote code execution flaw, which affected two NetScaler products deployed on the HealthAlliance network. The cybersecurity advisory explained that threat actors were actively exploiting the vulnerability to deploy a web shell that gave them remote access to victims’ networks.
HealthAlliance attempted to patch the vulnerabilities but was unable to install the patch for CVE-2023-3519 due to technical issues. HealthAlliance worked with Citrix to identify and address the technical issue but was unable to successfully patch the flaw. Cybersecurity professionals were engaged to resolve the issue and continued working on the problem throughout the summer. The vulnerable NetScaler products supported HealthAlliance’s telemedicine services, and rather than take them offline and disrupt those services, HealthAlliance kept the unpatched devices in use. A threat actor exploited the vulnerability between September and October 2023 and exfiltrated the sensitive data of 242,641 individuals, including names, addresses, dates of birth, Social Security numbers, diagnoses, lab results, treatment information, health insurance information, provider names, dates of treatment, and financial information.
After the breach, HealthAlliance decommissioned the vulnerable devices and replaced them with devices fully patched against the vulnerabilities. Had those steps been taken when HealthAlliance first learned that the patch could not be applied, the devices would not have been exposed to the exploitation that followed. The Office of the New York Attorney General launched an investigation after being notified about the breach and determined that HealthAlliance had failed to address a known vulnerability that put patient and employee data at risk.
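The operational question in this case is simple to state and easy to lose track of during a months-long patching effort: is the appliance that is still facing the internet running a build that contains the fix? As an added example (not code from this article, from HealthAlliance or from Citrix), here is a small Python check that parses the banner printed by the NetScaler CLI command show ns version and reports whether the running build is below the one that fixes CVE-2023-3519. The fixed builds in the table are the mainline ones published in Citrix’s advisory for CVE-2023-3519 (13.1-49.13 and 13.0-91.13); confirm them against the current vendor advisory before relying on this, since the script has no way to know if they change. Branches not in the table (12.1, the FIPS and NDcPP lines) are deliberately reported as unknown rather than guessed. The banner lines are constructed sample input in the shape the CLI prints, not output from any real appliance.

```python
"""Check a NetScaler 'show ns version' banner against the builds that fix CVE-2023-3519.

Added example, not code from the article, HealthAlliance or Citrix. The fixed
builds below are the mainline ones from Citrix's advisory for CVE-2023-3519
(assumed here; verify against the current advisory before use). Any branch not
listed is reported as 'unknown' rather than guessed.
"""
import re
from typing import Optional, Tuple

# Lowest build on each mainline release that contains the fix.
# Assumption taken from the vendor advisory; confirm before relying on it.
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
}

# Matches e.g. "NetScaler NS13.1: Build 48.47.nc, Date: ..., ... (64-bit)"
_BANNER_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (release, (build_major, build_minor)), or None if the line does not parse."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed' or 'unknown'.

    'unknown' covers unparseable banners and releases not in FIXED_BUILDS.
    Operationally, treat 'unknown' like 'vulnerable': do not leave the
    appliance exposed until the vendor advisory has been checked.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    release, build = parsed
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (major, minor) correctly, e.g. (49, 8) < (49, 13).
    return "fixed" if build >= fixed else "vulnerable"


# Constructed sample banners in the CLI's format (dates are placeholders).
SAMPLE_BANNERS = [
    "NetScaler NS13.1: Build 48.47.nc, Date: Jan 1 2023, 00:00:00   (64-bit)",
    "NetScaler NS13.1: Build 49.13.nc, Date: Jan 1 2023, 00:00:00   (64-bit)",
    "NetScaler NS13.0: Build 90.12.nc, Date: Jan 1 2023, 00:00:00   (64-bit)",
    "NetScaler NS12.1: Build 65.39.nc, Date: Jan 1 2023, 00:00:00   (64-bit)",
]


def assess_all(banners=SAMPLE_BANNERS):
    """Return a list of (verdict, banner) pairs for a batch of appliances."""
    return [(assess(b), b) for b in banners]


if __name__ == "__main__":
    for verdict, banner in assess_all():
        print(f"{verdict:10s} {banner}")
```

To use it on a real appliance, run show ns version from the NetScaler CLI and pass the printed line to assess. A result of vulnerable or unknown on an internet-facing device that cannot be patched is the cue to pull it off the network or put it behind a control that blocks untrusted access, which is exactly the decision this case turned on.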
HealthAlliance was fined $1,400,000 for violating New York Executive Law and General Business Law; however, $850,000 of the penalty was suspended due to HealthAlliance’s financial position. HealthAlliance agreed to pay a penalty of $550,000 and must also pay the suspended $850,000 if the New York Attorney General learns that HealthAlliance misrepresented its financial position. In addition to the penalty, HealthAlliance has agreed to maintain a comprehensive information security program and adopt several measures to strengthen its cybersecurity practices.
“HealthAlliance provides essential health care services to New Yorkers, but it also has a responsibility to protect private medical information as part of its patient care,” said Attorney General James. “No one should have to worry that when they seek medical care, they are putting their private information in the hands of scammers and hackers. Every company that is entrusted by New Yorkers with personal information, especially financial and medical data, must take necessary precautions to ensure their systems are not vulnerable to cyberattacks.”