Kiryas Joel health center faced cyberattack, forced to pay ransom

Aizer Health’s computer system was down for two weeks

Aizer Health (formerly Ezras Choilim Health Center). Credit: Mo Gelber

Oct 24, 2023 4:00 PM

Aizer Health, a medical services facility in the mostly Satmar Hasidic village of Kiryas Joel in upstate New York, faced a cyberattack last month, according to a source with inside information who asked not to be named for fear of community retaliation. Shtetl also obtained audio from a robocall sent to Kiryas Joel residents informing them about the cyberattack.

The cyberattack was later described in an article in the Oct. 13 issue of Heimshtut, a Yiddish-language Kiryas Joel newspaper associated with Satmar’s Aaronite faction.

The cyberattack prevented health center employees from accessing the computers for two weeks. Employees lost access to the system on Sept. 18 and regained it in the first week of October, when Aizer paid a ransom to the hackers, according to Heimshtut.

At the time the Heimshtut story was written, the health center was still working to fully restore the system, since the hackers damaged it while penetrating it, according to the article.

The article also said that Aizer’s insurance company will conduct an investigation into how hackers were able to enter the system, and help the health center improve its cybersecurity to prevent future data breaches.

Shtetl was unable to verify whether the cyberattack included a breach of data. Aizer’s CEO, Joel Mittelman, did not respond to emails and phone calls from Shtetl.

Aizer Health, formerly Ezras Choilim Health Center, is a Federally Qualified Health Center, meaning that it is recognized by the federal government as providing care to underserved communities and therefore qualifies for certain public funding. Given this status, Aizer is subject to rules about who it must notify if there is a data breach. These health centers “must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media,” according to the website of Health and Human Services, a department of the federal government.

According to HHS, an FQHC must notify individuals whose data has been affected in a breach; if it doesn’t have contact information for 10 or more of those people, it must post a notice on its website’s homepage for 90 days. If more than 500 individuals who live in a certain state or jurisdiction are affected by the breach, the health center must notify prominent media outlets serving that state or jurisdiction. If more than 500 individuals overall are affected, the health center must notify HHS.

HHS did not tell Shtetl whether Aizer notified them, and there was no notice about it on Aizer’s website as of this writing. The Heimshtut article was the most detailed notification of the cyberattack. Shtetl also reviewed audio messages sent by Aizer to residents of Kiryas Joel saying the system was down but not explaining why.

When asked if Aizer had been hacked, a woman who answered the phone for the health center and gave her name only as Gitty said, “I’m not sure.”

The Heimshtut article did not disclose the amount paid for the ransom. According to the industry news site Healthcare Brew, ransomware attacks against health centers have become more common in recent years, and the average payment for healthcare-related ransoms is roughly $197,000. The cost of the ransom can vary based on the size of the health center.

Additional Shtetl staff contributed reporting to this article.