Cyberattack Settlement: AENT to Pay $500,000, Invest $2.25 Million to Strengthen Information Security Practices
ALBANY, N.Y. (NEWS10)– The New York Attorney General’s Office and Albany ENT & Allergy Services (AENT) have reached an agreement in a cyberattack settlement from incidents in 2023. AENT is required to pay $500,000 in penalties and invest $2.25 million to strengthen information security practices.
Background
AENT operates medical facilities throughout the Capital Region, specializing in medical and surgical needs for ears, noses, and throats. In 2023, AENT suffered two ransomware attacks, only 10 days apart. After the second attack, the company hired a cybersecurity firm, which identified the vulnerabilities that allowed hackers to access the system and corrected them.
Investigation Results
The investigation found that patient records of 213,935 New Yorkers were accessed during the attacks. The records included names, addresses, birth dates, driver’s licenses, social security numbers, and results and treatment information. Initially, AENT disclosed that over 120,000 social security numbers were exposed. However, the OAG investigation later revealed that over 80,000 additional license numbers were also exposed. The data storage devices continued to hold unprotected information for months after the attacks.
Failure to Monitor Third-Party Vendors
The investigation also found that AENT failed to monitor third-party vendors responsible for cybersecurity. As a result, these vendors did not install important security software updates, log and monitor network activity, and maintain a reasonable security program.
Settlement and Requirements
The settlement requires AENT to:
- Invest in its security program over five years
- Offer free credit monitoring to those affected for one year
- Establish and maintain a comprehensive information security program to protect private information
- Inventory all private information on its networks, systems, and devices
- Encrypt all private information, whether stored or transmitted
- Implement multi-factor authentication on devices that remotely access resources and data
- Monitor and log all security and operational activity
- Confirm critical security updates are installed in a timely manner
- Develop an incident response plan for potential data security events
- Oversee information security vendors
Conclusion
As Attorney General Letitia James stated, "No one should have to worry about having their data stolen simply because they visited a doctor. Health care facilities need to take protecting patients’ private information seriously, and that means investing to protect data and responding quickly if breaches occur. Today’s agreement with AENT will strengthen its cybersecurity and protect the private information of New Yorkers who rely on this Capital Region medical provider. I urge all health care facilities and general companies to follow guidance from my office on how to have more secure systems to protect New Yorkers’ data."
FAQs
Q: What is a ransomware attack?
A: A ransomware attack is a type of cyber-attack where hackers encrypt a target’s data and demand payment in exchange for the decryption key.
Q: How many people were affected in the AENT attacks?
A: 213,935 New Yorkers were affected in the attacks.
Q: What types of information were accessed in the attacks?
A: Names, addresses, birth dates, driver’s licenses, social security numbers, and results and treatment information were accessed.
Q: How much is AENT required to invest in its security program?
A: AENT is required to invest $2.25 million in its security program over five years.
Q: How long will those affected be provided with free credit monitoring?
A: Those affected will have one year of free credit monitoring provided by AENT.
