Attorney General James Reaches Agreement with Hudson Valley Health Care Provider to Invest $1.2 Million to Protect Patient Data

Ransomware Attack on Refuah Health Compromised the Data of 250,000 New Yorkers

NEW YORK – New York Attorney General Letitia James today announced an agreement with a Hudson Valley-area health care provider, Refuah Health Center, Inc. (Refuah), for failing to safeguard the personal and private health information of its patients. The Office of the Attorney General (OAG) found that Refuah failed to maintain appropriate controls to protect and limit access to sensitive data, including by failing to encrypt patient information and using multi-factor authentication. As a result of Refuah’s poor data security, the health care provider experienced a ransomware attack that compromised the personal and private information of approximately 250,000 New Yorkers. Today’s agreement requires Refuah to invest $1.2 million to strengthen its cybersecurity and pay $450,000 in penalties and costs.  

“New Yorkers should receive medical care and trust that their personal and health information is safe,” said Attorney General James. “This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care. Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”

Refuah is a health care provider that operates three facilities and five mobile medical vans in the Hudson Valley. In May 2021, Refuah experienced a ransomware attack where the cyber-attacker was able to access the data of thousands of patients. Refuah determined that attackers gained access to files containing names, addresses, phone numbers, social security numbers, driver’s license numbers, dates of birth, financial account numbers, medical insurance numbers, and various health-related information. The OAG’s investigation concluded that attackers were able to access this data because Refuah had failed to adopt appropriate data security practices to protect patients’ personal and health information. Refuah failed to decommission inactive user accounts, rotate user account credentials, restrict employees’ access to only those resources and data that were necessary for their business functions, use multi-factor authentication, and encrypt patient information.  

As a result of today’s agreement, Refuah has agreed to invest $1.2 million to develop and maintain stronger information security programs to better protect patient data. The agreement also requires the health care provider to: 

  • Maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumer information;  
  • Implement and maintain policies and procedures that limit access to consumer information;  
  • Require the use of multi-factor authentication to remotely access resources and data; 
  • Regularly rotate credentials that are used to access resources and data; 
  • Conduct audits at least semi-annually to ensure users only have access to resources and data necessary for their business functions;  
  • Encrypt all consumer information, whether stored or transmitted;  
  • Implement controls to monitor and log all security and operational activity of the company’s networks and systems; and  
  • Develop, implement, and maintain a comprehensive incident response plan.   

Refuah is also required to pay $450,000 in penalties and costs to the state, of which $100,000 will be suspended when the company spends $1.2 million to develop and maintain its information security program. 

Today’s agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for their poor data security practices. In December, Attorney General James secured $400,000 from a dental insurance provider, Healthplex, Inc., for failing to safeguard consumers’ private information. In November, Attorney General James secured $450,000 from U.S. Radiology for failing to protect patient data. In October, Attorney General James secured $350,000 from Long Island health care company Personal Touch for failing to secure the data of 300,000 New Yorkers. Also in October, Attorney General James and a multistate coalition secured $49.5 million from cloud company Blackbaud for a 2020 data breach exposing the data of thousands of users. In September, Attorney General James reached an agreement with Marymount Manhattan College to invest $3.5 million to protect students’ online data. In May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices.  

This matter was handled by Senior Enforcement Counsel Jordan Adler and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.