New York Attorney General Letitia James today announced an agreement with a Hudson Valley-area healthcare provider, Refuah Health Center, Inc. (Refuah), for failing to safeguard the personal and private health information of its patients. The Office of the Attorney General (OAG) found that Refuah failed to maintain appropriate controls to protect and limit access to sensitive data, including by failing to encrypt patient information and using multi-factor authentication. As a result of Refuah’s poor data security, the healthcare provider experienced a ransomware attack that compromised the personal and private information of approximately 250,000 New Yorkers. Today’s agreement requires Refuah to invest $1.2 million to strengthen its cybersecurity and pay $450,000 in penalties and costs.