New York Attorney General Letitia James has reached an agreement with health care provider Refuah Health Center Inc., based in Spring Valley, under which Refuah agreed to pay $450,000 in penalties and costs and invest $1.2 million in improving cybersecurity to better protect customer data.
Refuah has two locations in Spring Valley and also operates in Nanuet, Liberty and South Fallsburg. It also operates mobile units at which health care services can be obtained.
An investigation by James found that Refuah failed to maintain appropriate controls to protect and limit access to sensitive data. This included failing to encrypt patient information and not using multi-factor authentication. James’ investigators found that, as a result of the poor data security, Refuah in May of 2021 experienced a ransomware attack that compromised the personal and private information of approximately 260,000 people. The attackers claimed to be from the Lorenz Ransomware group.
According to a document prepared by James’ office, Refuah ultimately determined that attackers had access to files containing the information of more than 260,740 patients, 175,077 of whom were New York residents. These files contained a variety of sensitive patient information. The stolen information included patient names, addresses, phone numbers, Social Security numbers, credit card and debit card information, medical treatment and diagnosis information, Medicare and Medicaid numbers and health insurance policy numbers.
“This agreement will ensure that Refuah is taking the appropriate steps to protect patient data while also providing affordable health care,” James said. “Strong data security is critically necessary in today’s digital age and my office will continue to protect New Yorkers’ data from companies with inadequate cybersecurity.”
James said that Refuah has agreed to maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumer information. Steps Refuah is required to take include: limiting access to consumer information; regularly rotating credentials that are used to access resources and data; conducting audits at least semi-annually to ensure users only have access to resources and data necessary for their business functions; and encrypting all consumer information, whether stored or transmitted.
James’ investigation found that it wasn’t until April 29, 2022, that Refuah began providing notice of the data breach to impacted patients. It offered credit monitoring services to those individuals whose Social Security numbers had been impacted.
Refuah Health Center was founded in 1992 and opened its first facility in 1993. Its mission dating from its founding was to provide high-quality, comprehensive medical, dental and supportive services to all patients, regardless of their ability to pay. In 2002, Refuah received section 330(e) Community Health Center funding from the federal government. It bills itself as “the area’s leading Federally-Qualified Community Health Center (FQHC) providing comprehensive safety-net services across the Hudson Valley.”