New York healthcare provider HealthAlliance was ordered to pay $550,000 for failing to address a known cybersecurity vulnerability, resulting in a data breach that exposed the personal and medical information of 242,641 patients.
In July 2023, HealthAlliance was notified by its vendor, Citrix, about major vulnerabilities in its NetScaler networking products, including CVE-2023-3519 (a zero-day vulnerability often exploited by threat actors). Despite attempts to patch the vulnerability, technical challenges delayed resolution. Rather than taking the vulnerable products offline, HealthAlliance continued to use them for its telemedicine services while troubleshooting the issue.
Between September and October 2023, attackers exploited the vulnerability to access and exfiltrate sensitive data, including patient records, Social Security numbers, medical diagnoses, lab results, financial information, and other protected health details. Following the breach, HealthAlliance decommissioned the compromised devices and replaced them with secured alternatives.
The New York Attorney General’s office concluded that HealthAlliance’s delay in mitigating the vulnerability directly contributed to the breach. HealthAlliance agreed to a settlement requiring a $1.4 million penalty, with $850,000 suspended due to financial hardship. The remaining $550,000 must be paid, and the organization must improve its data security practices.
“HealthAlliance provides essential health care services to New Yorkers, but it also has a responsibility to protect private medical information as part of its patient care,” said Attorney General Letitia James. “No one should have to worry that when they seek medical care, they are putting their private information in the hands of scammers and hackers.”
HealthAlliance stated, “While we neither admit nor deny the investigation's findings, we are pleased to have resolved this matter so we can continue to focus on providing healthcare services to all who need them.”
The CVE-2023-3519 vulnerability in Citrix NetScaler products was part of a widespread wave of attacks targeting healthcare systems. Exploiting it allowed attackers to execute code remotely on the affected appliances, access sensitive data, and compromise patient records.
The affected devices supported HealthAlliance’s telemedicine services, which complicated efforts to take the systems offline and ultimately left the organization exposed to these risks.
The $550,000 settlement and mandated reforms serve as a warning to other providers about the consequences of inaction. With patient privacy at stake, healthcare organizations must address known vulnerabilities immediately and improve their data security.
A zero-day vulnerability is a security flaw unknown to the software or system vendor, leaving them with ‘zero days’ to prepare a response. These vulnerabilities can exist in any application, operating system, or connected device.
A patch is a software update released by developers to fix vulnerabilities. It addresses the flaw by modifying or improving the affected code, preventing attackers from exploiting it.
Users should enable automatic updates so that they always run the latest version. Regular updates protect users from known vulnerabilities and improve browser performance.