Personal Touch Holding Corporation, a Long Island, NY-based home health company, has agreed to a settlement with the New York Attorney General to resolve allegations it violated state law and the federal Health Insurance Portability and Accountability Act (HIPAA).
The violations were uncovered by the state attorney general during an investigation into a data breach involving the personal and protected health information of 753,107 individuals, including 316,845 New York residents. A Personal Touch employee received a phishing email carrying a malicious Excel attachment. When the attachment was opened on January 20, 2021, the malware executed and installed itself, giving a cyber actor access to the employee’s laptop and account.
The cyber actor used tools to escalate privileges and obtain domain administrator credentials, resulting in unauthorized access being gained to 5 Personal Touch accounts. The cyber actor used the administrator credentials to access and exfiltrate 4,383 unique files from a file share server that contained the data of patients and employees, including names, addresses, Social Security numbers, medical treatments, and financial information. Ransomware was deployed on the network on January 27, 2021, and encrypted files on 35 servers.
Attorney General Letitia James uncovered multiple violations of HIPAA and state laws. Personal Touch was alleged to have failed to implement reasonable and appropriate data security measures, as required by HIPAA and state laws, which left it vulnerable to cyberattacks. Personal Touch’s information security program was found to be informal and immature: access controls were poor, there was no continuous monitoring system, sensitive data was not encrypted, and staff security training was inadequate. The alleged violations of HIPAA and state laws were settled for $350,000, and Personal Touch is required to implement a comprehensive information security program, update and improve its IT security infrastructure, and follow data security best practices. The affected individuals must also be provided with complimentary credit monitoring services.
During the investigation, Personal Touch was notified about a third-party data breach involving employee information. Personal Touch had provided the information to its insurance broker, and the insurance broker passed it on to an enrollment software vendor, Falcon Technologies, but there was no agreement in place setting data security standards for data not covered by HIPAA. Falcon Technologies stored the data it received on an unsecured server. AG James entered into a separate settlement with Falcon Technologies over the data breach, which included a $100,000 financial penalty and the requirement to encrypt data and implement appropriate access controls.
“Health care institutions have a responsibility to safeguard New Yorkers’ wellbeing, but also to protect their confidential and private information,” said AG James. “The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality health care. My office will always step up and hold companies responsible if their negligence puts New Yorkers’ private information in jeopardy.”