AG imposes $1.4M penalty on HV health care operator
New York Attorney General Letitia James’ office has reached a settlement with HealthAlliance, a Hudson Valley health care facility operator that failed to properly protect the personal and medical information of the people who used its services. HealthAlliance operates facilities in Ulster and Delaware counties, including HealthAlliance Hospital in Kingston, Margaretville Hospital in Margaretville, and Mountainside Residential Care Center in Margaretville.
Under the agreement, HealthAlliance was assessed a $1,400,000 penalty, of which $850,000 is suspended in light of HealthAlliance’s financial condition and its role in providing essential health care services to New Yorkers in underserved areas. HealthAlliance will pay the remaining $550,000.
An investigation by James’ office found that HealthAlliance did not remediate a weakness in its computer system for which its vendor had already provided a patch. A subsequent attack compromised the personal and medical information of 242,641 HealthAlliance patients.
The stolen data included patient names, addresses, dates of birth, Social Security numbers, diagnoses, lab results, medications, and other treatment information, health insurance information, provider names, dates of treatment, and more.
“HealthAlliance provides essential health care services to New Yorkers, but it also has a responsibility to protect private medical information as part of its patient care,” James said. “No one should have to worry that when they seek medical care, they are putting their private information in the hands of scammers and hackers. Every company that is entrusted by New Yorkers with personal information, especially financial and medical data, must take necessary precautions to ensure their systems are not vulnerable to cyberattacks.”
According to James’ office, in July 2023 the vendor of HealthAlliance’s web applications released a cybersecurity alert with instructions for clients to patch a vulnerability in its product. HealthAlliance was aware of the vulnerability but was unable to apply the patch because of technical issues. Rather than taking the affected system offline, it continued to operate the vulnerable system while it worked with support teams to diagnose and resolve the problem.
In September and October 2023, the attackers infiltrated HealthAlliance’s systems and stole sensitive information, including patient records and employee information.
As part of the agreement with James’ office, HealthAlliance agreed to adopt a series of procedures designed to strengthen its cybersecurity practices going forward, including:
- Maintaining a comprehensive information security program designed to protect the security, confidentiality, and integrity of private information;
- Developing and maintaining data inventory to ensure all private information is stored in accordance with data security and privacy policies, including appropriate encryption;
- Maintaining and enforcing a patch management policy that requires critical vulnerabilities to be patched within 72 hours or otherwise neutralized within that time; and
- Adopting a series of additional security measures to restrict and monitor network activity.