To avoid paying an additional $100,000 as part of a $450,000 settlement, Refuah Health Center, in Spring Valley, New York, will invest $1.2 million between 2024 and 2028 following an investigation that uncovered numerous violations in the aftermath of a ransomware attack.

The provider, a federally qualified health center that manages three facilities and five mobile vans, was ordered to pay at least $350,000 by the New York attorney general for failing to employ up-to-date precautions that could have potentially prevented the 2021 attack, in which hackers stole files belonging to between approximately 195,000 and 234,000 patients and encrypted them to later use for extortion, reported GovInfoSecurity.

The attack occurred in May, and Refuah discovered it on June 1, by which time the hackers had stolen “approximately a terabyte of data,” according to the settlement.

The violations that contributed to the lack of defense in the wake of the attack were:

• Failure to decommission inactive user accounts. The hackers gained entry to the network through a video viewing system used by security cameras with the login credentials for a former IT vendor who had not worked with Refuah since 2014.


• Lack of multifactor authentication. The video viewing system was protected by a static four-digit code, and the administrative credentials the attackers used had not been updated in 11 years.


• Lack of logging for reviewing user activity. The last risk assessment was conducted in March 2017, with several safety issues identified back then still unresolved when the attack occurred. Refuah also failed to conduct an appropriate investigation following the breach to identify patients whose information was compromised.

Additionally, the thousands of files the hackers accessed were encrypted and stored on a shared network, employee emails, and a database. Refuah was unable to identify which were stolen because it lacked the necessary systems to log this activity.

"System artifacts that might have indicated the scope of the breach were also lost when systems were rebuilt to block the attackers' continued access and to restore systems and services supporting Refuah's medical operations and patient care,” said the settlement.

As part of the settlement, Refuah must appoint a “qualified employee” to implement, maintain, and monitor the information security program, and the designee must report, at a minimum, semiannually to Refuah's CEO, senior management, and board of directors.

According to privacy attorney David Holtzman, of consultancy HITprivacy LLC, the size of the fine is unusual for an FQHC, since they generally provide care to underserved communities.

"In the past, while not diminishing the importance of safeguarding patient health information by establishing and maintaining strong cybersecurity programs, fines involving these types of providers have been de minimus," he told GovInfoSecurity.

Health IT Homepage