$2.25M cyberattack settlement reached with Albany ENT & Allergy Services

ALBANY, N.Y. (NEWS10)-- The N.Y. Attorney General's Office and Albany ENT & Allergy Services (AENT) have reached an agreement in a cyberattack settlement from incidents in 2023. AENT is required to pay $500,000 in penalties and invest $2.25 million to strengthen information security practices.

AENT operates medical facilities throughout the Capital Region specializing in medical and surgical needs for ears, noses and throats. In 2023, AENT suffered ransomware attacks from two different threats on two separate occasions, only 10 days apart.

After the second attack the company hired a cybersecurity firm, which identified what allowed hackers to access the system and then corrected those issues. It was determined that during the attacks, patient records of 213,935 New Yorkers were accessed.

The records included names, addresses, birth dates, driver's licenses, social security numbers, results and treatment information. AENT initially disclosed the records included social security numbers of over 120,000 New Yorkers.

Upon an investigation into the attacks, the OAG determined that the company didn't disclose the exposure of over 80,000 license numbers. It also discovered months after the attacks, the data storage devices continued to hold unprotected information.

According to the OAG, the investigation found that the company failed to monitor third parties responsible for cybersecurity. As a result, the third parties did not install important security software updates, log and monitor network activity and maintain a reasonable security program.

"No one should have to worry about having their data stolen simply because they visited a doctor," said Attorney General James. "Health care facilities need to take protecting patients’ private information seriously, and that means investing to protect data and responding quickly if breaches occur. Today’s (Tuesday's) agreement with AENT will strengthen its cybersecurity and protect the private information of New Yorkers who rely on this Capital Region medical provider. I urge all health care facilities and general companies to follow guidance from my office on how to have more secure systems to protect New Yorkers’ data."

The settlement will require AENT to invest in its security program over five years and offer those affected one year of free credit monitoring. They are also required to establish and maintain the following:

• A comprehensive information security program to protect private information;
• An inventory of all the private information on its networks, systems, and devices;
• Encryption of all private information, whether stored or transmitted;
• Multi-factor authentication on devices that remotely access resources and data;
• Controls to monitor and log all security and operational activity;
• A process to confirm critical security updates are installed in a timely manner; 
• An incident response plan for potential data security events;
• Oversight of information security vendors.

In January, the OAG reached an agreement with a Hudson Valley health care provider to invest in $1.2 million to protect patient data, as well. The AENT agreement was handled by Assistant Attorney General Gena Feist and Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kim Berger of the Bureau of Internet and Technology.