New York Attorney General Letitia James today secured $2.25 million from a Capital Region health care provider, Albany ENT & Allergy Services, P.C. (AENT) for failing to protect the private information and medical data of New Yorkers.  In 2023, AENT suffered two cyberattacks that compromised the medical records of over 200,000 New York patients.  The Office of the Attorney General (OAG) found that AENT did not maintain reasonable safeguards to protect patient data and did not adequately respond to the cyberattacks on its systems.  Today’s agreement requires AENT to pay $500,000 in penalties and invest $2.25 million to strengthen its information security practices to protect patient data.

“No one should have to worry about having their data stolen simply because they visited a doctor,” said Attorney General James.  “Health care facilities need to take protecting patients’ private information seriously, and that means investing to protect data and responding quickly if breaches occur.  Today’s agreement with AENT will strengthen its cybersecurity and protect the private information of New Yorkers who rely on this Capital Region medical provider.  I urge all health care facilities and general companies to follow guidance from my office on how to have more secure systems to protect New Yorkers’ data.”

AENT operates specialized medical facilities in the Capital Region with expertise in medical and surgical needs involving the ears, nose, and throat.  In 2023, AENT suffered ransomware attacks from two different threat actors on two separate occasions, only 10 days apart.  After the second attack, AENT hired a different cybersecurity firm, which identified the vulnerability that allowed hackers to access its system and corrected those vulnerabilities before restoring the system.  AENT determined that the cyberattacks were able to access AENT data storage devices containing the patient records of 213,935 New Yorkers.  These patient records included information such as name, address, date of birth, driver’s license number, social security number, diagnosis, conditions, lab results, medications, and other treatment information.  AENT initially disclosed that the records included the social security numbers of over 120,000 New Yorkers.  The OAG investigation determined that AENT had not initially disclosed to the state the exposure of over 80,000 New York resident driver’s license numbers.  The investigation also discovered that AENT’s data storage devices continued to host unprotected private information months after the two ransomware incidents occurred.  AENT did not internally employ anyone with information security expertise and outsourced its information security program to two third-party vendors.  The OAG investigation concluded that AENT failed to adequately monitor the third-party vendors responsible for their cybersecurity functions.  As a result, those vendors did not timely install critical security software updates, adequately log and monitor network activity, properly encrypt consumers’ private information before and after the attacks, utilize multi-factor authentication for all remote access, or otherwise maintain a reasonable information security program.  As a result of today’s agreement, AENT will invest $2.25 million in its information security program over five years and offer affected consumers one year of free credit monitoring.  AENT is also required to establish and maintain:

• A comprehensive information security program to protect private information;
• An inventory of all the private information on its networks, systems, and devices;
• Encryption of all private information, whether stored or transmitted;
• Multi-factor authentication on devices that remotely access resources and data;
• Controls to monitor and log all security and operational activity;
• A process to confirm critical security updates are installed in a timely manner;
• An incident response plan for potential data security events; and
• Oversight of information security vendors.

AENT is also required to pay $1 million in penalties and costs to the state, of which $500,000 will be suspended so long as the company spends $2.25 million over the next five years to upgrade and maintain its information security program.

Attorney General James has taken major actions to hold companies accountable for having poor cybersecurity and to improve data security practices.  In August 2024, Attorney General James and a multistate coalition secured $4.5 million from a biotech company for failing to protect patient data.  In July 2024, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves.  In July 2024, Attorney General James issued a consumer alert to raise awareness about free credit monitoring and identity theft protection services available for millions of consumers impacted by the Change Healthcare data breach.  In March 2024, Attorney General James led a bipartisan coalition of 41 attorneys general in sending a letter to Meta Platforms, Inc (Meta) addressing the recent rise of Facebook and Instagram account takeovers by scammers and frauds.  In January 2024, Attorney General James reached an agreement with a Hudson Valley health care provider to invest $1.2 million to protect patient data.