
Albany ENT & Allergy Services faces $500K fine after ransomware attacks

Albany ENT and Allergy Services (AENT) will pay a $500,000 penalty and invest $2.25 million in cybersecurity upgrades after failing to protect patient information during two ransomware attacks in 2023, New York Attorney General Letitia James announced.

What happened  

Between March 23 and April 4, 2023, two ransomware attacks on Albany ENT and Allergy Services exposed sensitive information of 213,935 individuals, including Social Security numbers, medical records, and treatment histories. The breaches also compromised over 80,000 New York driver’s license numbers.

AENT initially relied on two third-party vendors for its information security, but their failure to update critical software and secure patient data contributed to the attacks.  

A subsequent investigation revealed that AENT did not immediately disclose the full scope of the breach to the state and continued to store unprotected patient data for months.

In response, the organization has agreed to improve its cybersecurity practices, including encrypting all stored and transmitted data, implementing multi-factor authentication, and improving oversight of its third-party vendors.

What was said  

“No one should have to worry about having their data stolen simply because they visited a doctor,” Attorney General Letitia James stated. “Health care facilities need to take protecting patients’ private information seriously... Today’s agreement with AENT will strengthen its cybersecurity and protect the private information of New Yorkers.”  

The Attorney General’s office found that AENT failed to ensure its vendors adequately monitored network activity, installed timely security updates, and encrypted sensitive information.

Furthermore, AENT agreed to one year of free credit monitoring for affected patients and additional penalties if it does not comply with the settlement terms.

By the numbers  

  • 213,935 total patient records exposed.  
  • 120,000+ Social Security numbers compromised.  
  • $2.25 million required investment in cybersecurity improvements over five years.  
  • $500,000 initial penalty paid, with an additional $500,000 penalty if compliance terms are not met.

Why it matters  

The breach parallels incidents like the ransomware attack on Lurie Children's Hospital, where stolen data was sold for $3.4 million, illustrating the dire financial and personal risks these breaches can create.

Healthcare organizations need to get the basics right, including encrypting data at rest and in transit, requiring multi-factor authentication, applying security updates promptly, and actively overseeing the vendors they rely on for security, because the consequences of inadequate cybersecurity go well beyond financial penalties.

Read also: 3.8 million patients impacted by healthcare data breaches in June 2024

Learn more: HIPAA Compliant Email: The Definitive Guide

FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

What should individuals do if their data has been compromised?

Individuals who suspect their data has been compromised should monitor their financial and medical accounts for suspicious activity, report any unauthorized transactions immediately, and take advantage of any credit monitoring offered by the breached organization.

What are the penalties for violating HIPAA regulations?

Civil penalties for HIPAA violations are tiered by level of culpability, with fines ranging from $100 to $50,000 per violation and an annual cap of $1.5 million for violations of an identical provision (these are the statutory base amounts; the Department of Health and Human Services adjusts them for inflation). Criminal penalties apply when HIPAA is knowingly violated and can include larger fines and imprisonment.