Refuah Health Center has committed to investing $1.2 million in enhancing its cybersecurity measures and will also pay $450,000 in penalties and costs. This move comes as part of an agreement with the New York Attorney General Letitia James, resolving allegations against the health center.
The allegations claimed that Refuah Health Center had not maintained adequate cybersecurity controls. This lapse led to the Refuah data breach, which compromised sensitive patient details stored on its network.
This agreement marks a significant step towards ensuring the protection and privacy of patient information, especially at a time when the healthcare sector is experiencing a rise in cyberattacks.
Decoding the Refuah Data Breach
Following notification of a ransomware attack in May 2021 that compromised the protected health information of 260,740 people, including 175,077 New Yorkers, the NY AG opened an investigation into Refuah Health Center.
In late May 2021, a ransomware group managed to get access to internal systems. First, it compromised a system that was used to watch videos from internal cameras that were keeping an eye on the company’s facilities. The only security measure for that system was a four-digit authentication PIN.
The hackers gained remote access to the network by stealing administrator credentials used by a former IT vendor. Despite the fact that the IT provider had not used the credentials for seven years, they had not been disabled or altered in eleven years.
Moreover, it was reported that there was no multifactor authentication enabled on the account. According to HIPAA Journal, the access to numerous files containing patient data that had not been encrypted at the file level was made possible by the credentials.
Lorenz Ransomware Group Claimed Attack on Refuah
The Lorenz group, believed to be behind the attack, deployed ransomware to encrypt files and exfiltrate data. The threat actor contacted Refuah with demands for an undisclosed ransom amount. They also presented evidence of the data theft, such as a list of the files that were duplicated and a screenshot showing patient information that matched a database connected to Refuah’s dentist’s office.
Although the attackers supplied a screenshot of the database showing the records of 34 patients, Refuah did not look into whether the database had been accessed. Instead, the focus of the third-party forensic investigation was on the files that were kept on the shared network space.
On March 2, 2022, Refuah finished analyzing the incident, and on April 29, 2022, it mailed notification letters to the impacted individuals. The compromised data consisted of names, addresses, phone numbers, Social Security numbers, driver’s license numbers, state identification numbers, dates of birth, bank account information, credit/debit card information, medical treatment/diagnosis information, Medicare numbers, medical record numbers, patient account numbers, and health insurance policy numbers.
The terms of the agreement with the NY AG specify that Refuah Health must allocate $1.2 million for enhancing cybersecurity, information security, data retention guidelines, and incident response protocols.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
