HealthAlliance Pays $550,000 Penalty for Failure to Protect Against Cybersecurity Vulnerability

by

New York healthcare company HealthAlliance encountered a breach of the personal data and protected health information (PHI) of 242,641 New York residents. It was instructed to pay a $550,000 financial penalty and take the appropriate steps to reinforce its data security techniques. The healthcare provider serves patients in Delaware and Ulster counties in New York State and manages Mountainside Residential Care Center in Margaretville, Margaretville Hospital in Margaretville, and HealthAlliance Hospital in Kingston.

In July 2023, Citrix notified HealthAlliance about three vulnerabilities discovered in its NetScaler networking products, which include the critical zero-day vulnerability CVE-2023-3519 that impacted two NetScaler products used on the HealthAlliance system. The cybersecurity alert mentioned that threat actors actively exploited the vulnerability to use a web shell, allowing them remote access to the network of victims.

HealthAlliance tried to patch the vulnerabilities yet could not use the patch for the CVE-2023-3519 because of technical problems. HealthAlliance and Citrix worked together to determine and deal with the technical problem yet did not patch the vulnerability successfully. Cybersecurity experts worked to fix the problem and continued working on the problem all through the summer. The unsecured NetScaler products were utilized to aid its telemedicine services. However, instead of taking down the vulnerable products from the web and disrupting those services, HealthAlliance continued to use vulnerable NetScaler products. A threat actor took advantage of the vulnerability from September to October 2023 and extracted the sensitive information of 242,641 patients, including names, birth dates, addresses, Social Security numbers, diagnoses, laboratory test data, treatment details, medical insurance data, names of providers, dates of treatment, and financial data.

Following the data breach, HealthAlliance removed the vulnerable devices and swapped them with patched devices. If HealthAlliance had taken those actions upon knowing that the patch would not work, the data breach would not have happened. The New York Attorney General’s Office started an investigation after receiving notification regarding the breach and confirmed that HealthAlliance did not handle an identified vulnerability that risks patient and employee information.

HealthAlliance was penalized $1,400,000 for violation of the New York Executive Law and General Business Law, but $850,000 of the penalty was revoked because of HealthAlliance’s financial status. HealthAlliance consented to pay the $550,000 penalty and the revoked $850,000 in case the New York Attorney General finds out that HealthAlliance falsified its financial status. Besides the penalty, HealthAlliance will maintain a detailed data security program and follow various measures to reinforce its cybersecurity procedures.

HealthAlliance delivers important healthcare services to New York residents, but it is also responsible for protecting private medical data as part of its patient services. Individuals should not be worried that whenever they get healthcare, they are risking their private data because of hackers and cybercriminals. Every organization that collects the personal information of New Yorkers, particularly financial and medical information, should be careful to make sure their systems are protected from cyberattacks.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone