Albany, New York; December 31st, 2025.

Attorney General Letitia James has secured $500,000 from a Capital Region health care provider after an investigation found that the provider failed to properly protect the private and sensitive information of patients and employees, according to an official statement issued directly by the Office of the New York State Attorney General.

The enforcement action follows a cybersecurity incident in which unauthorized actors gained access to the provider’s internal computer network, allowing unencrypted files containing personal and health-related information to be accessed and downloaded. The Attorney General’s Office stated that the exposed data included highly sensitive identifiers entrusted to the provider in the course of medical care and employment.

According to the Attorney General’s Office, the investigation determined that the breach was made possible by insufficient data security practices, including failures to implement basic safeguards that are widely recognized as necessary to protect confidential medical and personal records. The Office stated that these shortcomings left patient and employee information vulnerable to misuse and exposure.

Attorney General James stated in the official release that health care providers hold a special responsibility to safeguard the personal information of those they serve; when individuals seek medical care, they must be able to trust that their most private details will be protected with diligence and care. The Attorney General emphasized that failure to meet this responsibility places patients at risk and undermines public confidence in health care institutions.

As part of the settlement, the provider is required to pay $500,000 in penalties and costs. In addition to the financial penalty, the settlement mandates corrective action aimed at preventing similar incidents in the future. The Attorney General’s Office confirmed that these requirements are binding and subject to enforcement.

The settlement requires the provider to strengthen its data security program by implementing multifactor authentication for remote access, encrypting sensitive patient and employee data, and conducting regular risk assessments designed to identify vulnerabilities before they can be exploited. These measures, as outlined by the Attorney General’s Office, are intended to address the specific failures identified during the investigation.

The agreement also requires the provider to offer 1 year of free credit monitoring services to all affected patients and employees. The Attorney General’s Office stated that this provision recognizes the ongoing risk that follows a data breach, as exposed personal information can be misused long after the initial incident.

The Office of the Attorney General noted that this enforcement action is part of a broader effort to hold organizations accountable for failures to protect personal information. The statement emphasized that data security obligations apply to all entities handling sensitive information, particularly those in the health care sector, where the potential consequences of exposure are significant.

The Attorney General’s Office further stated that protecting patient information is not optional and is not secondary to providing care; it is a fundamental obligation of operating in the health care system. Institutions that fail to meet this obligation, according to the Office, will be subject to investigation and enforcement when warranted.

The settlement concludes the Attorney General’s investigation into this incident and establishes enforceable requirements designed to improve data protection practices moving forward. The Office confirmed that compliance with the settlement terms will be monitored as required.

Sources

Primary First Hand Sources
OFFICE OF THE NEW YORK STATE ATTORNEY GENERAL, official announcement titled “Attorney General James Secures $500,000 from Capital Region Health Care Provider for Failing to Protect Patients’ Information”

About Appalachian Post

The Appalachian Post is an independent West Virginia news outlet committed to verified, first-hand-sourced reporting. No spin, no sensationalism: just facts, context, and stories that matter to our communities.
