New York State Attorney General Letitia James announced another data security enforcement settlement yesterday. HIPAA Journal writes:
A New York healthcare provider that experienced a breach of the personal and protected health information of 242,641 New Yorkers has been ordered to pay a financial penalty of $550,000 and take steps to strengthen its data security practices. HealthAlliance serves patients in Ulster and Delaware counties in New York State and operates HealthAlliance Hospital in Kingston, Margaretville Hospital in Margaretville, and Mountainside Residential Care Center in Margaretville.
In July 2023, HealthAlliance was notified by its vendor, Citrix, that three vulnerabilities had been identified in its NetScaler networking products, including the critical zero-day vulnerability CVE-2023-3519, which affected two of the NetScaler products deployed on the HealthAlliance network. The cybersecurity advisory explained that threat actors were actively exploiting the vulnerability to deploy a web shell, which gave them remote access to victims’ networks.
HealthAlliance attempted to patch the vulnerabilities but was unable to install the patch for CVE-2023-3519 due to technical issues. HealthAlliance worked with Citrix to identify and address the technical issue but was unable to successfully patch the flaw.
HealthAlliance knew it had a problem and was working on it, but it could not get the patch installed. Its mistake was to keep the unpatched appliances in service, exposed to the internet, after the vendor advisory had said the flaw was being actively exploited to plant web shells; the alternative was to take them offline or isolate them until the patch could be applied. Months later, attackers got in and patient and employee data was stolen. Once a vulnerability is public, criminals routinely use search engines such as Shodan to find internet-facing servers that are still vulnerable to it, so an unpatchable device that stays online is a standing invitation.
The monetary penalty was $1.4 million, of which $850,000 has been suspended, leaving the $550,000 to be paid. There is also a corrective action plan.
Read more at HIPAA Journal.
Related: The state’s press release can be found here, or jump directly to the Assurance of Discontinuance.