Health data and ransomware: Refuah's $1.2m agreement with New York Attorney General
Posted: February 8, 2024
Refuah Health Center Inc. suffered a ransomware attack in 2021. Nearly three years later, the company has reached an agreement with the New York Attorney General’s Office, agreeing to spend $1.2 million to bring its security program into compliance with the law.
Here’s a look at what went wrong, how far Refuah might be to blame for the incident, and what the company must do to satisfy the state Attorney General.
What happened to Refuah?
Refuah is a healthcare provider that operates three facilities and five mobile medical vans in the Hudson Valley area of New York.
In May 2021, Refuah was hit by a ransomware attack exposing data about thousands of patients. The attackers exfiltrated around a terabyte (1,000 gigabytes) of data, some of which was patient information. The group also used ransomware to encrypt several of Refuah’s systems.
The attackers gained remote access using administrator credentials for a Refuah account that had been used by a former IT vendor. The vendor had not worked with Refuah since 2014, yet Refuah had neither deleted nor disabled the account, and its credentials had not been changed in at least 11 years.
Once Refuah discovered the incident, the company conducted an investigation, which lasted until March of the following year. The company notified the affected individuals on 29 April 2022, stating that the attack had affected the following types of personal data:
- Full names
- Social Security numbers
- Driver’s license numbers
- State ID numbers
- Dates of birth
- Financial account information
- Credit or debit card information
- Medical treatment and diagnosis information
- Medicare and Medicaid numbers
- Medical record numbers
- Patient account numbers
- Health insurance policy numbers
Was this incident Refuah’s fault?
No organization can eliminate the risk of a cyberattack entirely; a determined attacker will eventually find some exploitable weakness. But Refuah appears to have made the attackers’ job unusually easy.
In its investigation into Refuah, New York’s Attorney General (AG) found that Refuah had not assessed the risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information (ePHI) since March 2017.
And although that 2017 assessment did identify vulnerabilities, the AG notes that Refuah had still not addressed them at the time of the attack, more than four years later.
Once it discovered the incident, Refuah’s allegedly poor data management meant it could not determine which files had been exfiltrated.
Did Refuah break the law?
The New York AG alleges that Refuah’s poor handling of electronic protected health information (ePHI) violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which requires covered entities such as healthcare providers to put administrative, physical, and technical safeguards in place.
Specifically, Refuah is alleged to have violated the following provisions, among others:
- Failing to regularly assess risks to ePHI: 45 CFR § 164.308(a)(1)(ii)(A) and (B)
- Failing to mitigate risks: 45 CFR § 164.306(a)(1)
- Lacking policies and procedures to manage security risks: 45 CFR § 164.308(a)(1)(i)
- Failing to implement access management policies: 45 CFR § 164.308(a)(4)(ii)(B) and (C)
- Lacking log-in monitoring and password management procedures: 45 CFR § 164.308(a)(5)(ii)(C) and (D)
What’s in the settlement between Refuah and the Attorney General?
Following the AG’s investigation, Refuah will pay an initial $450,000 in costs and invest $1.2 million to improve its cybersecurity program, including by:
- Maintaining a comprehensive information security program to protect the security, confidentiality, and integrity of consumer information
- Implementing policies and procedures to limit access to consumer information
- Requiring multi-factor authentication (MFA) to remotely access data
- Regularly changing credentials
- Conducting semi-annual audits to monitor access permissions
- Encrypting all consumer information in storage and in transit
- Implementing security logging and monitoring controls
- Developing, implementing, and maintaining a comprehensive incident response plan
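As an added example (not part of the original article, and not Refuah’s own tooling), the following Python script shows the kind of periodic access audit the settlement calls for, applied to the failure that caused this incident: it flags vendor accounts that outlived their contract, accounts with no recent login, credentials older than a rotation threshold, and remote or administrative access without MFA. The account records, field names, and thresholds are constructed assumptions for the demonstration; in practice the records would come from a directory or identity-provider export.

```python
"""Stale-account and credential-age audit over a constructed account inventory.

Added example, not code from the article or from Refuah.  The inventory
format, the threshold values and the finding codes are assumptions; adapt
them to your own directory export and access policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds (assumed for this example; take the real values from your
# access policy).
DORMANT_DAYS = 90              # no successful login in this many days -> disable
MAX_CREDENTIAL_AGE_DAYS = 365  # rotate any password or key older than this


@dataclass
class Account:
    username: str
    is_admin: bool
    remote_access: bool            # reachable from outside (VPN, RDP gateway, etc.)
    mfa_enrolled: bool
    last_login: Optional[date]     # None means the account has never logged in
    credential_set: date           # when the password or key was last changed
    vendor_contract_end: Optional[date] = None  # set only for third-party accounts


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {username: [finding codes]} for every account that needs action."""
    findings: Dict[str, List[str]] = {}

    def flag(acct: Account, code: str) -> None:
        findings.setdefault(acct.username, []).append(code)

    for acct in accounts:
        # A vendor account must not outlive the engagement it was created for.
        if acct.vendor_contract_end is not None and acct.vendor_contract_end < today:
            flag(acct, "VENDOR_CONTRACT_ENDED")

        # Dormant accounts are the ones nobody notices when they are abused.
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            flag(acct, "DORMANT")

        # Old credentials may already sit in a breach dump or in a former
        # contractor's password manager.
        if (today - acct.credential_set).days > MAX_CREDENTIAL_AGE_DAYS:
            flag(acct, "STALE_CREDENTIAL")

        # Single-factor remote access is the path used in this incident.
        if acct.remote_access and not acct.mfa_enrolled:
            flag(acct, "REMOTE_NO_MFA")

        # Administrators get the stricter check even if they only log in locally.
        if acct.is_admin and not acct.mfa_enrolled:
            flag(acct, "ADMIN_NO_MFA")

    return findings


def disable_candidates(findings: Dict[str, List[str]]) -> List[str]:
    """Accounts to disable immediately rather than merely rotate."""
    return sorted(
        user for user, codes in findings.items()
        if "VENDOR_CONTRACT_ENDED" in codes or "DORMANT" in codes
    )


# Constructed inventory for the demo (not Refuah's data).  The first entry
# mirrors the pattern described in the article: a vendor admin account whose
# engagement ended in 2014 and whose credentials were never rotated.
AUDIT_DATE = date(2021, 5, 1)
SAMPLE_ACCOUNTS = [
    Account("vendor-it-admin", True, True, False,
            date(2014, 3, 15), date(2010, 1, 10), date(2014, 3, 31)),
    Account("nurse.patel", False, True, True, date(2021, 4, 30), date(2021, 3, 1)),
    Account("billing.svc", False, False, False, date(2021, 4, 29), date(2019, 11, 2)),
    Account("helpdesk.admin", True, True, True, date(2021, 4, 28), date(2021, 2, 14)),
]

if __name__ == "__main__":
    report = audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)
    for user, codes in sorted(report.items()):
        print(f"{user}: {', '.join(codes)}")
    print("disable now:", disable_candidates(report))
```

On the sample data the vendor account trips every check and lands on the disable list, while the internal service account is flagged only for an unrotated credential. Run a check like this on the same cadence as the settlement’s semi-annual access review, and treat the disable list as a ticket queue rather than a report.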
These measures are the fundamentals of a HIPAA compliance program. Implementing them earlier, as Refuah was legally required to do, might have spared the company the reputational and financial damage of this ransomware attack.
Download our ‘HIPAA Compliance Checklist’
Our checklist guide walks you through safeguarding your patient database while remaining compliant with HIPAA regulations. It will also help you set high standards for patient data privacy and strengthen the foundation of your organization’s success within the healthcare industry.