HIPAA Horror Stories

Refuah Health Center Ordered to Invest in Cybersecurity

The state of New York enforces HIPAA through investigations and settlements when healthcare providers fail to protect patient data. A recent investigation of Refuah Health Center ended with Refuah paying $450,000 in penalties and agreeing to invest $1.2 million in stronger cybersecurity.

Refuah Health Center, based in the Hudson Valley, suffered a ransomware attack in May 2021. The attackers gained access to the protected health information (PHI) of about 250,000 New Yorkers. The affected files contained names, phone numbers, addresses, Social Security numbers, dates of birth, financial account numbers, driver’s license numbers, medical insurance numbers, and various health information.

During its investigation, the New York Office of the Attorney General (OAG) found that the attack succeeded because Refuah had not put appropriate security safeguards in place to protect patient data. Refuah allegedly violated the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the data security and consumer protection provisions of New York’s General Business Law.

According to the OAG:

“Refuah failed to decommission inactive user accounts, rotate user account credentials, restrict employees’ access to only those resources and data that were necessary for their business functions, use multi-factor authentication, and encrypt patient information.”

This is only the latest example of health privacy enforcement in New York. Two other recent examples: New York Presbyterian Hospital was ordered to pay $300,000 for the unauthorized disclosure of PHI through web trackers on its website, and dental insurance provider Healthplex agreed to pay $400,000 to resolve an investigation into a data breach that began with a November 2021 phishing attack.

Prepare for HIPAA Enforcement

The HHS Office for Civil Rights (OCR) is only one source of HIPAA enforcement. State attorneys general can bring HIPAA actions of their own, and the Federal Trade Commission (FTC) polices health data practices under its own authority. Class action lawsuits are another way that privacy laws are enforced.

Prepare for enforcement by strengthening cybersecurity now. Follow the Security Rule, refresh your HIPAA Risk Analysis, and review your third-party vendors (business associates) to confirm they are following HIPAA, too. The failures the OAG listed in the Refuah case, such as stale user accounts, unrotated credentials, access beyond job need, no multi-factor authentication, and unencrypted patient data, are exactly the kind of gaps a current risk analysis is meant to surface.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy when you know the rules.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC