AG James Secures $550,000 Settlement Over HealthAlliance Data Breach Affecting More Than 240,000 New Yorkers

New York Attorney General Letitia James today secured $550,000 from HealthAlliance, a Hudson Valley health care facility operator, for failing to adequately protect New Yorkers’ personal and medical information. An investigation by the Office of the Attorney General (OAG) found that HealthAlliance failed to remediate a vulnerability that one of its vendors had already identified and notified it about, leading to a cyberattack that compromised the personal and medical information of 242,641 HealthAlliance patients. As a result of today’s agreement, HealthAlliance must pay $550,000 in penalties and improve its data security practices, including promptly patching its systems when notified of a vulnerability.

“HealthAlliance provides essential health care services to New Yorkers, but it also has a responsibility to protect private medical information as part of its patient care,” said Attorney General James. “No one should have to worry that when they seek medical care, they are putting their private information in the hands of scammers and hackers. Every company that is entrusted by New Yorkers with personal information, especially financial and medical data, must take necessary precautions to ensure their systems are not vulnerable to cyberattacks.”

HealthAlliance operates health care facilities in Ulster and Delaware counties, including HealthAlliance Hospital in Kingston, Margaretville Hospital in Margaretville, and Mountainside Residential Care Center in Margaretville. In July 2023, the vendor of a web application used by HealthAlliance issued a cybersecurity notice instructing its customers to apply a patch for a vulnerability in the product. HealthAlliance was aware of the vulnerability but was unable to install the patch because of technical difficulties. Rather than taking the vulnerable product offline until it could be patched, HealthAlliance kept it in use while working with support teams to diagnose and resolve the installation problem.

Between September and October 2023, attackers exploited that unpatched vulnerability in HealthAlliance’s system and stole sensitive information, including patient records and employee data. HealthAlliance responded by initiating a forensic investigation and replacing the affected devices with new ones on which the patch had been successfully applied. The forensic examination determined that the attackers used the vulnerability to exfiltrate data containing the personal and medical information of 242,641 New Yorkers. The stolen data included patient names, addresses, dates of birth, Social Security numbers, diagnoses, lab results, prescriptions and other treatment information, health insurance information, provider names, treatment dates, and/or financial information.

Under today’s agreement, HealthAlliance has agreed to pay $1,400,000 in penalties, of which $850,000 is suspended in light of the organization’s financial situation and its role in delivering essential health care services to New Yorkers in underserved communities, leaving $550,000 payable. HealthAlliance has also committed to a number of measures to strengthen its cybersecurity practices going forward, including:

Implementing and maintaining a comprehensive information security program, maintaining a data inventory, and enforcing a patch management policy that requires critical vulnerabilities to be patched within 72 hours, in order to protect private information.

Putting in place several additional security measures to restrict and monitor network activity.

Today’s agreement builds on Attorney General James’ work to protect New Yorkers’ personal information and hold firms accountable for weak data security practices. In October 2024, Attorney General James obtained $2.25 million from AENT, a Capital Region health care provider, for failing to protect patients’ data. In August 2024, Attorney General James and a multistate coalition obtained $4.5 million from a biotech business for failing to protect patient data. Attorney General James published two privacy guides in July 2024, a Business Guide to Website Privacy Controls and a Consumer Guide to Web Tracking, to assist firms and consumers in protecting themselves. Attorney General James issued a consumer advisory in July 2024 to promote awareness of free credit monitoring and identity theft protection services available to millions of individuals affected by the Change Healthcare data breach. In March 2024, Attorney General James led a bipartisan coalition of 41 attorneys general in delivering a letter to Meta Platforms, Inc. (Meta) about the significant increase in Facebook and Instagram account takeovers by scammers and fraudsters. In January 2024, Attorney General James negotiated a deal with a Hudson Valley health care provider to invest $1.2 million in data protection.

This matter was handled by Assistant Attorney General Marc Montgomery and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.