NYS settles charges against PracticeFirst stemming from 2020 ransomware incident
In July 2021, Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp., a medical management company that processes data for health care providers, issued a press release about a hacking incident that occurred in December 2020. As DataBreaches noted at the time, it appeared that they likely paid ransom because one line in their statement was, “The actor who took the copy has advised that the Information is destroyed and was not shared.”
The breach was reported to both the Maine Attorney General’s Office and HHS as affecting 1,210,688 people. The incident still appears to be under investigation by HHS, but the NYS Attorney General’s Office has settled charges against the upstate firm. In a press release issued yesterday, the AG’s office writes:
New York Attorney General Letitia James recouped $550,000 from a medical management company, Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp. (Practicefirst), for failing to protect New Yorkers’ personal information, including health records. Practicefirst’s failure to make a timely software update made their networks susceptible to a cyberattack, which affected more than 1.2 million individuals nationwide, including over 428,000 New Yorkers. Practicefirst’s data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA). As a result of today’s agreement, Practicefirst has agreed to pay $550,000 in penalties to New York, strengthen its data security practices, and offer affected consumers free credit monitoring services.
According to the state’s investigation, Practicefirst failed to update its firewall in January 2019 when the firewall provider issued an updated version that was designed to patch a critical vulnerability. The OAG found:
Between May 2019 and August 2019, the firewall provider published an advisory for the vulnerability, the National Institute of Standards and Technology’s National Vulnerability Database (“NVD”) published an entry about the vulnerability, security researchers presented about the vulnerability at a Black Hat security conference, and a Metasploit module demonstrating the exploitation of the vulnerability was published online.
Between May 2019 and December 2020, Practicefirst and its managed service provider did not conduct any penetration tests, vulnerability scans, or other security testing that would have identified the vulnerability.
An attacker exploited that vulnerability in November 2020, gained access, and then deployed ransomware and exfiltrated unencrypted files with patient data. “Days later, screenshots containing personal information of 13 consumers were discovered on the dark web,” the Attorney General’s Office notes.
As DataBreaches had suggested in 2021, PracticeFirst had indeed paid the ransom. The OAG noted that after the payment, Practicefirst obtained a written attestation that the unauthorized actor had destroyed the exfiltrated data; such an attestation from the attacker cannot be independently verified. “The unauthorized actor provided information indicating 80 gigabytes of data, containing 79,000 files, were exfiltrated,” the OAG noted.
The Assurance of Discontinuance identifies specific security protections PracticeFirst must implement.