New York Attorney General Letitia James has secured a $2.25 million settlement with Albany ENT & Allergy Services, P.C. (AENT) following two cyberattacks that compromised the medical records of over 200,000 New York patients in 2023. The Office of the Attorney General (OAG) found that AENT lacked adequate safeguards to protect patient data and failed to respond effectively to the breaches.
Attorney General James stated, "No one should have to worry about having their data stolen simply because they visited a doctor." She emphasized the importance of healthcare facilities investing in data protection and responding swiftly to breaches.
AENT operates specialized medical facilities in the Capital Region focused on ear, nose, and throat care. In 2023, they experienced ransomware attacks from two different threat actors within ten days. Following these incidents, AENT hired a new cybersecurity firm that identified and corrected vulnerabilities before restoring their system.
The cyberattacks exposed patient records containing sensitive information such as names, addresses, social security numbers, and medical details. Initially, AENT disclosed that social security numbers for over 120,000 New Yorkers were compromised but did not report the exposure of more than 80,000 driver's license numbers until later.
The OAG investigation revealed that AENT's data storage devices still contained unprotected private information months after the attacks. Additionally, AENT outsourced its information security program without adequately monitoring third-party vendors responsible for cybersecurity functions.
As part of the agreement with Attorney General James' office, AENT will invest $2.25 million over five years into its information security program and offer affected consumers one year of free credit monitoring. They are also required to implement several measures including a comprehensive information security program and multi-factor authentication for remote access.
In addition to this settlement with AENT, Attorney General James has been active in holding companies accountable for cybersecurity failures. Recent actions include securing $4.5 million from a biotech company in August 2024 and launching privacy guides for businesses and consumers in July 2024.
This case was managed by Assistant Attorney General Gena Feist and Deputy Bureau Chief Clark Russell under Bureau Chief Kim Berger's supervision at the Bureau of Internet and Technology.