Photo: Getty Images
HealthAlliance of the Hudson Valley has been fined $550,000 by the New York State Attorney General's office due to a cyberattack that compromised the personal and medical information of over 200,000 patients and employees. The breach occurred between September and October 2023, affecting the Kingston hospital and other facilities in Ulster and Delaware counties.
The cyberattack exploited a vulnerability in HealthAlliance's IT network, which was identified by a vendor in July 2023. Despite being aware of the issue, HealthAlliance was unable to apply the necessary patch due to technical difficulties and continued to operate the vulnerable system. This allowed attackers to access sensitive data, including Social Security numbers, medical records, and financial information.
Attorney General Letitia James emphasized the importance of protecting private medical information as part of patient care. She stated, "No one should have to worry that when they seek medical care, they are putting their private information in the hands of scammers and hackers." As part of the settlement, HealthAlliance must improve its data security practices and immediately address any system vulnerabilities.
The fine is part of a larger $1.4 million penalty, with $850,000 suspended due to HealthAlliance's financial condition and its role in providing essential healthcare services. The organization has since replaced its compromised devices and is working to enhance its cybersecurity measures.