On Jan. 5, 2024, the New York attorney general (NYAG) announced $450,000 in penalties and costs from Refuah Health Center Inc. for failing to safeguard the personal and private health information of its patients and an agreement to invest $1.2 million over four years in security upgrades.[1] Refuah, which did not admit to wrong-doing, is a health care provider that operates three facilities and five mobile medical vans in the Hudson Valley.
In May 2021, a cyberattacker gained access to Refuah’s systems as a target of an extortion scheme in which the attackers claimed to be the “Lorenz Ransomware Group.” The attackers used unchanged credentials from an 11-year-old administrative account that did not have multi-factor authentication enabled to remotely access Refuah’s private network. The attackers gained access to files containing patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank/financial account information, credit/debit card information, medical treatment/diagnosis information, Medicare/Medicaid numbers, medical record numbers, patient account numbers and health insurance policy numbers. The breach affected 260,740 patients, including the data of 175,077 New Yorkers. Approximately 72,000 to 79,000 of those New York residents did not receive notice.