NY AG Slaps Medical Management Company with $550,000 HIPAA Penalty
New York Attorney General, Letitia James, has agreed to settle a compliance investigation with Professional Business Systems Inc, dba Practicefirst Medical Management Solutions for $550,000. The settlement resolves alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state law that were discovered during the investigation of a 2020 cyberattack and data breach.
Practicefirst is a Buffalo, NY-based medical management company that helps healthcare organizations improve their revenue cycles through its medical billing, coding, credentialing, and practice management solutions. In December 2020, Practicefirst discovered its network had been breached and ransomware had been deployed to encrypt files. The forensic investigation confirmed that the threat actor stole approximately 79,000 files from its systems in the attack. Those files contained the protected health information (PHI) of patients of its clients, and a sample of those files was uploaded to the ransomware actor's dark web data leak site, exposing the PHI of 13 individuals. The stolen files contained information such as names, dates of birth, driver's license numbers, Social Security numbers, diagnoses, medication information, and financial information. In total, 1.2 million individuals had their PHI exposed or stolen, including 428,000 New Yorkers.
Practicefirst is a business associate under HIPAA and is therefore required to comply with the HIPAA Security Rule and implement safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). The Office of the Attorney General investigated the breach to determine if Practicefirst was compliant with HIPAA and state law with respect to data security and identified multiple security failures. Those failures were exploited by the ransomware actor to gain access to its network.
Practicefirst had a firewall in place, but the firewall software had an unpatched critical vulnerability that the threat actor exploited to gain initial access to Practicefirst's systems. The firewall vendor had released an updated version of the software in January 2019 that fixed the vulnerability, but Practicefirst did not apply the update, and the vulnerability was exploited 22 months later. Practicefirst did not conduct penetration tests or vulnerability scans, either of which would have identified the unpatched vulnerability before it could be exploited. The HIPAA Security Rule requires ePHI to be encrypted, or an alternative, equivalent safeguard to be implemented. Practicefirst neither encrypted its data nor had an equivalent alternative in place, which allowed the threat actor to steal PHI in cleartext.
These security failures were determined to violate HIPAA and state law and warranted a financial penalty. The settlement also requires Practicefirst to implement a comprehensive information security program and a patch management program, to adopt other recognized security practices such as data encryption, penetration tests, and vulnerability scans, and to update its data collection and retention policies so that only the minimum amount of ePHI needed to perform its contracted duties is collected, stored, and maintained.
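The central finding above is a vendor fix that sat unapplied for 22 months with no scanning to catch it, and the settlement's remedy is a patch management program. As an added illustration that is not part of the original article or any Practicefirst system, the following Python script shows the kind of control such a program rests on: an asset inventory is compared against the first vendor build that closes a known critical flaw, the number of days a fix has been available but not applied is computed, and anything past a patch SLA is reported. The inventory, version strings, product names, dates, and the 30-day SLA are all constructed for the example (the firewall entry is dated to mirror the January 2019 fix and the late-2020 exploitation described in the article, but the versions are invented).

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    """One entry in a (constructed) asset inventory."""
    name: str
    installed_version: str
    fixed_version: str      # first vendor release that closes the known critical flaw
    fix_released: date      # date the vendor published that release


def parse_version(version: str) -> tuple:
    """Turn '7.0.2' into (7, 0, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(asset: Asset) -> bool:
    """An asset is still exposed while its installed build predates the fixed build."""
    return parse_version(asset.installed_version) < parse_version(asset.fixed_version)


def exposure_days(asset: Asset, today: date) -> int:
    """Days a fix has been available but not applied (0 once the asset is patched)."""
    if not is_vulnerable(asset):
        return 0
    return (today - asset.fix_released).days


def overdue_assets(assets, today: date, sla_days: int = 30):
    """Return (name, exposure_days) for every asset past the patch SLA, worst first."""
    overdue = [
        (asset.name, exposure_days(asset, today))
        for asset in assets
        if exposure_days(asset, today) > sla_days
    ]
    return sorted(overdue, key=lambda item: item[1], reverse=True)


# Constructed sample inventory; names, versions and dates are illustrative, not Practicefirst's.
INVENTORY = [
    Asset("edge-firewall", "6.4.1", "6.4.2", date(2019, 1, 15)),   # fix unapplied for ~22 months
    Asset("billing-db", "12.5", "12.5", date(2020, 9, 1)),          # already at the fixed build
    Asset("vpn-gateway", "3.1.0", "3.1.1", date(2020, 11, 1)),      # vulnerable, but inside SLA
]
AS_OF = date(2020, 11, 15)  # constructed assessment date, before the December 2020 breach


if __name__ == "__main__":
    for name, days in overdue_assets(INVENTORY, AS_OF):
        print(f"{name}: fix available for {days} days, past the {30}-day SLA")
```

Run as-is, the script reports only the firewall, which has had a fix available for 670 days; the VPN gateway is vulnerable too but still inside the SLA, which is why the report shows the exposure window rather than a bare vulnerable/not-vulnerable flag. The version comparison is numeric on purpose: a string comparison would rank "6.4.10" below "6.4.9" and silently mark a patched device as exposed.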
"When a person is seeking medical care, their last concern should be the security of their personal information," said AG James. "Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable."