Refuah Health Center Pays $450K HIPAA Fine; Agrees to $1.2 Million Cybersecurity Investment
New York Attorney General Letitia James has announced that an agreement has been reached with Refuah Health Center Inc. to resolve allegations it failed to maintain reasonable and appropriate cybersecurity controls to protect and limit access to sensitive patient data stored on its network. Under the terms of the agreement, Refuah Health Center has agreed to invest $1.2 million in cybersecurity and will pay $450,000 in penalties and costs.
The NY AG launched an investigation of Refuah Health Center after being notified about a May 2021 ransomware attack that compromised the personal and protected health information of 260,740 individuals, including 175,077 New Yorkers. The Lorenz ransomware group gained access to internal systems in late May 2021, initially compromising a system that was used for viewing videos from internal cameras monitoring its facilities. That system was only protected with a four-digit code.
The attackers stole administrator credentials that were used by a former IT vendor to remotely access the network. The credentials had not been changed for 11 years and had not been deleted or disabled, even though they had not been used by the IT vendor in 7 years. The account did not have multifactor authentication enabled. The credentials allowed access to a large number of files containing patient information that had not been encrypted at the file level.
The Lorenz group exfiltrated data and encrypted files with ransomware. They contacted Refuah and issued a ransom demand and provided proof of data theft, including a list of files that were copied and a screenshot of patient data consistent with a database associated with Refuah’s dental practice. The third-party forensic investigation concentrated on the files that were stored on the shared network space but Refuah did not investigate to determine whether the database had been accessed, even though the attackers provided a screenshot of that database that displayed the records of 34 patients.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Refuah completed its analysis of the files on March 2, 2022, then mailed notification letters on April 29, 2022. The data compromised in the attack included patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account numbers, and health insurance policy numbers.
Multiple HIPAA Security Rule Failures Identified
The NY AG looked at the administrative and technical safeguards that had been implemented and identified widespread noncompliance with the HIPAA Security Rule. Refuah Health Center had not conducted a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information since March 2017 in violation of 45 C.F.R § 164.308(a)(1)(ii)(A) and (B) and had not addressed vulnerabilities that were identified in that risk analysis in the four years since it was conducted, in violation of § 164.306(a).
There were insufficient policies and procedures to prevent, detect, contain, and correct security violations, in violation of § 164.308(a)(1)(i), a lack of policies and procedures authorizing access to ePHI in violation of § 164.308(a)(4)(i), and no procedures for regularly reviewing logs of information system activity, in violation of § 164.308(a)(1)(ii)(D).
Policies and procedures for granting right of access based on access authorization policies were not present, in violation of § 164.308(a)(4)(ii)(B) and (C), there were no procedures for monitoring log-in attempts and reporting discrepancies nor procedures for creating, changing, and safeguarding passwords, in violation of § 164.308(a)(5)(ii)(C) and (D), and insufficient policies and procedures to address security incidents, and identifying and responding to suspected or known security incidents, in violation of § 164.308(a)(6)(i) and (ii).
Further, there were insufficient periodic technical and nontechnical evaluations of security policies and procedures (§ 164.308(a)(8)), insufficient technical policies and procedures for systems that maintain ePHI to allow access to persons granted access rights and no mechanism to encrypt ePHI (§ 164.312(a)(1) and (2)(iv)), insufficient controls for recording and examining activity in systems that contain or use ePHI (§ 164.312(b)), and insufficient verification of persons seeking access to ePHI to ensure they are who they claim to be (§ 164.312(d)).
The NY AG also determined there had been two violations of New York General Business Law, which requires the implementation and maintenance of reasonable safeguards to protect consumer information (§ 899-bb), and the disclosure of a data breach in the most expedient time possible and without unreasonable delay (§ 899-aa). The later was also determined to be a violation of the HIPAA Breach Notification Rule (§ 164.404).
The agreement with the NY AG includes the requirement to invest $1.2 million in cybersecurity and make substantial improvements to its information security program, data retention policies, and incident response policies and procedures. Refuah is also required to issue notifications to all individuals whose data was compromised within 90 days.
“New Yorkers should receive medical care and trust that their personal and health information is safe,” said Attorney General James. “This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”
