Kingston, N.Y.-based HealthAlliance of the Hudson Valley has agreed to pay $550,000 in penalties following a 2023 cyberattack, according to a Dec. 10 report from the Albany Times Union.
The system was penalized for allegedly failing to address IT vulnerabilities, which led to patients' personal and medical information being compromised.
The attack allowed hackers to access HealthAlliance's system for nearly two months, and was discovered on Oct. 12, 2023, according to the report.
Impacted computer systems included HealthAlliance Hospital in Kingston and partner facilities Margaretville Hospital and Mountainside Residential Care Center.
The breach forced the network to shut down its information technology systems and temporarily divert patients to other facilities.
An investigation by the state attorney general's office determined that HealthAlliance did not address a weakness in its system raised by one of its vendors before the attack.
During the attack, the information of 242,641 patients was compromised.
Westchester Medical Center Health Network said it does not "admit or deny the findings of the investigation."
HealthAlliance also agreed to strengthen its data security practices and has agreed to immediately address any weakness in its system when it is notified of a vulnerability, according to a copy of the agreement released by the attorney general’s office.
HealthAlliance had originally agreed to pay $1.4 million, but $850,000 was suspended due to the facility's financial condition.