Attorney general settles with HealthAlliance over patient data breach

LEGAL NEWSLINE

Friday, March 14, 2025

Attorney General Letitia James | Ballotpedia

New York Attorney General Letitia James has reached a settlement with HealthAlliance, a health care facility operator in the Hudson Valley, for failing to adequately protect patient data. The agreement requires HealthAlliance to pay $550,000 in penalties and improve its data security measures.

The Office of the Attorney General (OAG) conducted an investigation that revealed HealthAlliance did not address a system vulnerability reported by one of its vendors. This oversight led to a cyber-attack compromising the personal and medical information of 242,641 patients. As part of the settlement, HealthAlliance is obligated to strengthen its cybersecurity practices and immediately rectify any identified system weaknesses.

Attorney General James emphasized the importance of safeguarding private medical information as part of patient care. "HealthAlliance provides essential health care services to New Yorkers, but it also has a responsibility to protect private medical information as part of its patient care," she stated. She further noted that companies must ensure their systems are secure against cyberattacks.

HealthAlliance operates several healthcare facilities in Ulster and Delaware counties. In July 2023, a vendor alerted them about a cybersecurity vulnerability requiring immediate action. However, due to technical difficulties, HealthAlliance was unable to apply the necessary patch and continued using the vulnerable product while seeking solutions.

Between September and October 2023, attackers exploited this vulnerability to access sensitive data including patient records and employee information. A forensic investigation confirmed that personal details such as names, Social Security numbers, diagnoses, lab results, medications, health insurance details, provider names, treatment dates, and financial information were stolen.

In addition to paying penalties totaling $1.4 million—with $850,000 suspended due to financial considerations—HealthAlliance agreed to implement several security enhancements. These include maintaining an information security program; developing data inventory policies; enforcing patch management protocols; and adopting additional network security measures.

This agreement is part of Attorney General James' ongoing efforts to hold companies accountable for inadequate data protection practices. Previous actions have included settlements with other healthcare providers for similar issues.

Assistant Attorney General Marc Montgomery and Deputy Bureau Chief Clark Russell handled this case under Bureau Chief Kim Berger's supervision within the Division for Economic Justice led by Chief Deputy Attorney General Chris D’Angelo.
