Refuah Health Center
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
Refuah Health Center, a New York-based federally qualified health center, experienced a significant cybersecurity incident in May 2021 when it was targeted by a ransomware attack. The attackers, claiming to be part of the Lorenz Ransomware group, gained access to Refuah’s system used for viewing video from internal cameras monitoring facilities, leveraging a static four-digit code. From there, they were able to remotely access the network and exfiltrate approximately a terabyte of data, including sensitive patient information.
The compromised data included patient names, addresses, phone numbers, Social Security numbers, driver’s license numbers, dates of birth, financial account numbers, medical insurance numbers, and various health-related information
The breach affected the data of approximately 195,974 to 233,575 patients, with a significant number of those being New York residents
An investigation by the New York Attorney General’s Office found that Refuah had failed to maintain appropriate cybersecurity controls, such as decommissioning inactive user accounts, rotating user account credentials, using multi-factor authentication, restricting employee access to necessary data, and encrypting patient information
As a result of the breach and the subsequent investigation, Refuah Health Center has agreed to invest $1.2 million in cybersecurity measures and pay $450,000 in penalties and costs to the state of New York. The settlement also includes a requirement for Refuah to develop and maintain stronger information security programs, implement policies and procedures to limit access to consumer information, require multi-factor authentication, regularly change credentials, conduct semi-annual audits