HealthAlliance Pays $550,000 Penalty for Cybersecurity Failure


The failure to mitigate a known vulnerability has landed the New York healthcare provider, HealthAlliance, with a $550,000 financial penalty. The financial penalty proposed by the New York Attorney General (NYAG) was $1.4 million; however, $850,000 was suspended due to the financial position of the company but will need to be paid if the NYAG discovers the company misrepresented its financial position.

HealthAlliance was investigated over a breach of the personal and protected health information of 242,641 New Yorkers in 2023. In July of that year, HealthAlliance was notified by Citrix about vulnerabilities in its NetScaler products. Patches were released to fix the vulnerabilities, including a patch to address a critical zero-day flaw in two NetScaler products on the HealthAlliance network used to support its telemedicine program.

The zero-day vulnerability, CVE-2023-3519, was being actively exploited by threat actors to deploy a webshell that provided them with access to victims’ networks. HealthAlliance took prompt action to address the vulnerability; however, the patch could not be installed due to technical issues. HealthAlliance diligently worked with Citrix and third-party IT professionals to identify the issue so that the patch could be applied; however, it did not take the vulnerable products offline because of the disruption that would cause to its telemedicine services.

Threat actors exploited the vulnerability and gained access to the HealthAlliance network, and sensitive data was exfiltrated between September and October 2023, including names, addresses, birth dates, Social Security numbers, health information, and health insurance information. When the security breach was discovered, HealthAlliance replaced the vulnerable devices with new devices that were fully patched against the vulnerability.

The NYAG investigation determined that while HealthAlliance was diligently working on addressing the vulnerability, the failure to remediate the vulnerability by taking the vulnerable devices offline violated New York Executive Law and General Business Law, and those failures warranted a financial penalty.

“HealthAlliance provides essential health care services to New Yorkers, but it also has a responsibility to protect private medical information as part of its patient care,” said Attorney General James. “No one should have to worry that when they seek medical care, they are putting their private information in the hands of scammers and hackers. Every company that is entrusted by New Yorkers with personal information, especially financial and medical data, must take necessary precautions to ensure their systems are not vulnerable to cyberattacks.”


About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/