New York AG Fines Health Care Provider $500K for Failing to Protect Patient Data
New York Attorney General Letitia James (D) said her office secured $500,000 in penalties from OrthopedicsNY, resolving allegations that the health care provider failed to protect the private information of more than 650,000 patients from cyberattacks.
The OAG said Friday it conducted an investigation that found cyberattackers were able to steal patient data from OrthopedicsNY in 2023 because the provider lacked proper protections, such as encrypting sensitive data or using multifactor authentication for remote access, according to an emailed press release.
Bad actors used compromised login information and downloaded unencrypted files to access the files of about 656,000 patients. Social Security numbers, passport numbers and driver’s license numbers of around 110,000 of those patients were also accessed.
In addition to the monetary penalty, the health care provider must maintain a comprehensive information security program, implement multifactor authentication, encrypt patient and employee data and conduct annual risk assessments, among other things.
“OrthopedicsNY failed to do its due diligence to protect patients’ private information. No patient deserves to have their information exposed, and my office will continue to enforce the law to protect New Yorkers’ personal data,” James said.
OrthopedicsNY did not respond to a request for comment.