Albany ENT & Allergy Settles 2023 Data Breach for $550K, Offers Up to $7.5K Per Victim

Context: In March or April 2023, ransomware actors infiltrated Albany ENT & Allergy’s systems, allegedly exploiting relaxed security controls. The attackers accessed and exfiltrated patient and employee data, including Social Security numbers, birth dates, and medical records. The breach was discovered later in 2023, prompting a class‑action lawsuit alleging inadequate cybersecurity protections.

Key Facts: The settlement totals up to $550,000, with no admission of wrongdoing by the provider. Eligible class members may receive up to $7,500 in reimbursement for verifiable breach‑related expenses, or a flat $50 payment if they opt out of reimbursement. All claimants also qualify for two years of free three‑bureau credit monitoring and identity theft protection. To receive any benefit, a valid claim form must be submitted by the October 23, 2024 deadline.

What It Means: The case highlights how insufficient multi‑factor authentication, limited log retention, and absent incident response planning can enable ransomware groups to gain initial access (MITRE ATT&CK T1566.001 – Phishing) and move laterally (T1021 – Remote Services). Defenders should enforce MFA on all remote and privileged accounts, deploy managed detection and response (MDR) tools aligned with T1059 – Command and Scripting Interpreter monitoring, and retain logs for at least 90 days to support detection of T1041 – Exfiltration Over Command and Control Channel. Regular patching of exposed services and testing of incident response plans are also critical.

Watch for the final approval hearing on Oct. 16, 2024, and any subsequent guidance from regulators on healthcare sector ransomware defenses.