Home Health Company Pays $350,000 to Resolve Alleged HIPAA Violations


Personal Touch Holding Corporation, a Long Island, NY-based home health company, has agreed to a settlement with the New York Attorney General to resolve allegations it violated state law and the federal Health Insurance Portability and Accountability Act (HIPAA).

The violations were uncovered by the state attorney general during an investigation into a data breach involving the personal and protected health information of 753,107 individuals, including 316,845 New York residents. A Personal Touch employee received a phishing email that contained malware. When the attached Excel file was opened on January 20, 2021, malware was executed and installed, which provided a cyber actor with access to the employee’s laptop and account.

The cyber actor used tools to escalate privileges and obtain domain administrator credentials, gaining unauthorized access to 5 Personal Touch accounts. With the administrator credentials, the cyber actor accessed and exfiltrated 4,383 unique files from a file share server that contained the data of patients and employees, including names, addresses, Social Security numbers, medical treatments, and financial information. Ransomware was deployed on the network on January 27, 2021, and encrypted files on 35 servers.

Attorney General Letitia James uncovered multiple violations of HIPAA and state laws. Personal Touch was alleged to have failed to implement reasonable and appropriate data security measures, as required by HIPAA and state laws, which left it vulnerable to cyberattacks. Personal Touch’s information security program was found to be informal and immature: there were poor access controls, no continuous monitoring system, no encryption of sensitive data, and inadequate HIPAA security training of staff.

The Importance of HIPAA Security Training

Prior to the event that resulted in the data breach and ransomware attack, Personal Touch had been warned that its security and training measures were inadequate. According to the Settlement Agreement, in 2018 a security company had conducted a penetration testing exercise and had recommended that sensitive accounts be secured with multi-factor authentication, due to poor security practices such as password sharing and employees connecting to sensitive accounts from unprotected personal devices.

In 2019, Personal Touch’s managed service provider had recommended the implementation of a Learning Management System to assess users’ security knowledge and provide HIPAA security training where required. Neither of these recommendations was adopted – either of which could have prevented the data breach and ransomware attack. As part of the settlement, both measures will be adopted, and Personal Touch will also be required to conduct annual mock phishing tests and provide additional HIPAA security training to employees who fail the tests.


Further Details of the Personal Touch Settlement

The alleged violations of HIPAA and state laws were settled for $350,000, and – in addition to implementing a comprehensive HIPAA security and phishing training program – Personal Touch is required to implement a comprehensive information security program, update and improve its IT security infrastructure, and follow data security best practices. The affected individuals must also be provided with complimentary credit monitoring services.

During the investigation, Personal Touch was notified about a third-party data breach involving employee information. Personal Touch provided the information to its insurance broker, and the insurance broker provided that information to an enrolment software vendor, Falcon Technologies, but there was no agreement in place regarding data security standards for data not covered by HIPAA. Falcon Technologies stored the data it was provided with on an unsecured server. AG James entered into a separate settlement with Falcon Technologies over the data breach, which included a $100,000 financial penalty and the requirement to encrypt data and implement appropriate access controls.

“Health care institutions have a responsibility to safeguard New Yorkers’ wellbeing, but also to protect their confidential and private information,” said AG James. “The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality health care. My office will always step up and hold companies responsible if their negligence puts New Yorkers’ private information in jeopardy.”

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/