2 min read
HealthAlliance fined $550K for cybersecurity oversight
Caitlin Anthoney Dec 12, 2024 7:31:14 AM
New York healthcare provider HealthAlliance was ordered to pay $550,000 for failing to address a known cybersecurity vulnerability, resulting in a data breach that exposed the personal and medical information of 242,641 patients.
What happened
In July 2023, HealthAlliance was notified by its vendor, Citrix, about major vulnerabilities in its NetScaler networking products, including CVE-2023-3519 (a zero-day vulnerability often exploited by threat actors). Despite attempts to patch the vulnerability, technical challenges delayed resolution. Rather than taking the vulnerable products offline, HealthAlliance continued to use them for its telemedicine services while troubleshooting the issue.
Between September and October 2023, attackers exploited the vulnerability to access and exfiltrate sensitive data, including patient records, Social Security numbers, medical diagnoses, lab results, financial information, and other protected health details. Following the breach, HealthAlliance decommissioned the compromised devices and replaced them with secured alternatives.
The New York Attorney General’s office concluded that HealthAlliance’s delay in mitigating the vulnerability directly contributed to the breach. HealthAlliance agreed to a settlement requiring a $1.4 million penalty, with $850,000 suspended due to financial hardship. The remaining $550,000 must be paid, and the organization must improve its data security practices.
What was said
“HealthAlliance provides essential health care services to New Yorkers, but it also has a responsibility to protect private medical information as part of its patient care,” said Attorney General Letitia James. “No one should have to worry that when they seek medical care, they are putting their private information in the hands of scammers and hackers.”
HealthAlliance stated, “While we neither admit nor deny the investigation's findings, we are pleased to have resolved this matter so we can continue to focus on providing healthcare services to all who need them.”
In the know
The CVE-2023-3519 vulnerability in Citrix NetScaler products was part of a widespread wave of attacks targeting healthcare systems. These vulnerabilities allowed hackers to execute remote code, access sensitive data, and compromise patient records.
The reliance on telemedicine services, which the affected devices supported, complicated efforts to take the systems offline, ultimately exposing HealthAlliance to these data risks.
Read also: Most common email server vulnerabilities
The bottom line
The $550,000 settlement and mandated reforms warn other providers about the consequences of inaction. With patient privacy at stake, healthcare organizations must address vulnerabilities immediately and improve their data security.
Related: How an incidence response plan supports HIPAA compliance
FAQs
What is a zero-day vulnerability?
A zero-day vulnerability is a security flaw unknown to the software or system vendor, leaving them with ‘zero days’ to prepare a response. These vulnerabilities can exist in any application, operating system, or connected device.
How does a patch for a vulnerability work?
A patch is a software update released by developers to fix vulnerabilities. It addresses the flaw by modifying or improving the affected code, preventing attackers from exploiting it.
How often should users update their browsers?
Users must enable automatic updates so that they always run the latest version. Regular updates protect users from known cyber vulnerabilities and improve browser performance.