Settlement | Medium Risk

NY AG Fines Albany ENT $500K for Inadequate Data Security

Albany ENT & Allergy Services, P.C. | October 29, 2024 | New York Attorney General

Penalty Amount

$1,000,000

Consumers Affected

213,935

Summary

New York Attorney General Letitia James reached a settlement with Albany ENT & Allergy Services (AENT) over two 2023 ransomware attacks that compromised the medical records of over 200,000 New Yorkers. The OAG found AENT failed to maintain reasonable data security safeguards, inadequately oversaw third-party security vendors, and initially failed to disclose all exposed consumer data to the state. AENT will pay $1 million in penalties (with $500,000 suspended pending $2.25 million in security investments) and implement comprehensive data security measures including encryption, multi-factor authentication, and vendor oversight.

Remedy

AENT must pay $1 million in penalties to New York State, with $500,000 suspended provided the company invests $2.25 million over five years to upgrade and maintain its information security program. AENT is required to establish and maintain a comprehensive information security program including: an inventory of all private information on its networks; encryption of all private information stored or transmitted; multi-factor authentication for remote device access; controls to monitor and log security activity; a process for timely installation of critical security updates; an incident response plan; and oversight of third-party information security vendors. AENT must also offer affected consumers one year of free credit monitoring.

Monetary Penalty | Compliance Program

Contract Impact

In-house legal teams should review all agreements with third-party security vendors to ensure they require timely installation of security updates, network activity logging, encryption of private information, and multi-factor authentication for remote access. Vendor contracts must include clear oversight provisions mandating that vendors maintain reasonable security safeguards and promptly report breaches. Companies should also update their internal information security program clauses to require private information inventories, incident response planning, and full compliance with state breach notification laws to prevent delayed or incomplete disclosures to regulators.

Contract Search Terms

third-party security vendor oversight; data encryption (stored and transmitted); multi-factor authentication (remote access); security patch management timeline; incident response plan; private information inventory; network activity logging and monitoring; breach notification disclosure requirements

Violation Types

Entity Details

Entity

Albany ENT & Allergy Services, P.C.

Also known as: Albany ENT & Allergy Services

Industry

Healthcare

Official Sources

Source Evidence

Entity Name
"Albany ENT & Allergy Services, P.C. (AENT)"
Fine Amount
"AENT is also required to pay $1 million in penalties and costs to the state"
Violation Types
"AENT suffered two cyberattacks that compromised the medical records of over 200,000 New Yorkers"
Violation Types
"AENT failed to adequately monitor the third-party vendors responsible for their cybersecurity functions. As a result, those vendors did not timely install critical security software updates, adequately log and monitor network activity, properly encrypt consumers’ private information before and after the attacks, utilize multi-factor authentication for all remote access, or otherwise maintain a reasonable information security program."
Violation Types
"compromised the medical records of over 200,000 New Yorkers"
Violation Types
"The OAG investigation determined that AENT had not initially disclosed to the state the exposure of over 80,000 New York resident driver’s license numbers"

Related Enforcement Actions

NY

N/A

New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning residents of potential price gouging by transportation service providers during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential services like transportation during market disruptions. No specific privacy violations or enforcement actions against individual entities were announced in the alert.

NY

No specific entity cited

New York Attorney General Letitia James issued a consumer alert on May 18, 2026, warning businesses against engaging in price gouging on transportation services during the Long Island Rail Road strike. The alert reminds businesses that New York’s price gouging laws prohibit unconscionable price increases on essential goods and services during market disruptions, with potential penalties of up to $25,000 per violation. No specific enforcement action against a particular entity was announced, only a general warning for businesses and a call for consumers to report suspected price gouging.

NY

N/A

This press release announces New York Attorney General Letitia James leading a coalition of 21 state attorneys general, the District of Columbia, and Pennsylvania’s Governor in filing an amicus brief with the U.S. Supreme Court to stay a Fifth Circuit ruling that would reinstate in-person dispensing requirements for mifepristone, a medication used for abortion. The coalition argues the ruling is scientifically unsupported, would restrict telehealth access to reproductive care, and undermines state sovereignty over abortion policy post-Dobbs. This is not a privacy-related enforcement action, as the content addresses reproductive health policy rather than data privacy violations.

NY

Uphold HQ, Inc.

$5.0M

New York Attorney General Letitia James secured a $5 million settlement from cryptocurrency platform Uphold HQ, Inc. for promoting Cred’s fraudulent CredEarn investment product as safe and reliable, when Cred was making risky loans to uncreditworthy borrowers in China. Uphold also falsely claimed Cred had comprehensive insurance and promoted the product without registering as a broker or commodity broker-dealer under New York law. As part of the settlement, Uphold will pay $5 million to harmed investors, remit $545,189 from Cred’s bankruptcy to customers, improve due diligence policies for third-party products, and register as a broker with the OAG.

NY

Purdue Pharma

$7.4B

New York Attorney General Letitia James announced the shutdown of opioid manufacturer Purdue Pharma as part of a $7.4 billion settlement with a bipartisan coalition of 54 other state attorneys general. The Sackler family, former owners of Purdue, are permanently barred from selling opioids in the U.S. and have no involvement in Knoa Pharma, the new public benefit corporation replacing Purdue. Purdue was sentenced on criminal charges related to its role in the opioid crisis on April 28, 2026, with the new entity operating under strict oversight and excess revenue funding opioid abatement efforts.

NY

American Express, Capital One, Citi Group, Mastercard, Visa, PayPal, Stripe, Sezzle, Block (operator of Square, Cash App, and Afterpay)

New York Attorney General Letitia James led a bipartisan coalition of 24 state attorneys general, Puerto Rico, and New York City in sending letters to nine major credit card companies and payment processors urging them to block transactions facilitating illegal vaping product sales. The coalition cites federal and state laws prohibiting unauthorized e-cigarette sales, particularly to youth, and requests collaboration to prevent payment networks from processing such transactions. No enforcement penalties or actions were imposed as part of this initiative.