From a press release from the NYS Attorney General’s Office today:
New York Attorney General Letitia James today secured $350,000 from a Long Island-based home health care company, Personal Touch Holding Corporation (Personal Touch), for failing to protect vulnerable New Yorkers’ personal information and health care data. Personal Touch’s poor data security made it vulnerable to a ransomware attack that compromised the personal and medical information of approximately 316,845 New Yorkers. Personal Touch’s data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA), which required Personal Touch to adhere to specific data protection practices. As a result of today’s agreement, Personal Touch has agreed to pay $350,000 in penalties to New York, update and improve their cybersecurity infrastructure, and offer free credit monitoring and identity theft services to affected individuals. In addition, Attorney General James secured $100,000 from an insurance software vendor for compromising Personal Touch employees’ data.
… In January 2021, a Personal Touch employee opened a malware-infected file attached to a phishing email that allowed a hacker to gain access to Personal Touch’s network and collect patient and employee records from an unencrypted server. These records dated back decades and included confidential personal and health information, including names, addresses, Social Security numbers, medical treatments, and financial information of thousands of people.
… The Office of the Attorney General’s (OAG) investigation determined that Personal Touch failed to maintain reasonable data security safeguards to protect patient and employee data. Personal Touch’s information security and risk management program was informal and immature. There was inadequate security training of its staff, poor access controls, a lack of a continuous monitoring system, and a failure to encrypt personal and medical data.
During the OAG’s investigation, Personal Touch was notified of a third-party breach that affected its employees’ personal information, including Social Security numbers. Personal Touch had provided this data to its insurance broker, who provided the data to an enrollment software vendor, Falcon Technologies, Inc. (Falcon), which placed the data on an unsecured site. Personal Touch did not have any agreements in place with its insurance broker concerning data security standards that applied to personal information not covered by HIPAA. The OAG secured a separate agreement with Falcon for failing to secure this information. Under the terms of Falcon’s agreement with the OAG, Falcon must pay $100,000 in penalties to New York and ensure the use of encryption and proper access controls in handling private information.
The 2021 breach was first revealed in a press release by the firm in March, 2021.
This is another example of a state attorney general litigating under both HIPAA and state law. HHS’s own closing comments from its own investigation did not suggest any penalty or that it had really imposed any specific requirements on the firm:
The covered entity (CE), Personal Touch Holding Corporation, reported that its business associate (BA) was the victim of a ransomware attack that affected the electronic protected health information (ePHI) of 753,107 individuals. The ePHI involved included names, addresses, dates of birth, Social Security numbers, claims and financial information, diagnoses, lab results, medications prescribed, and other treatment information. The CE notified HHS, affected individuals, and the media. Following the discovery of the incident, the CE implemented additional administrative, technical, and security safeguards to better protect its ePHI.
Read the state settlement’s Assurance of Discontinuance for more details about Personal Touch’s inadequate security prior to the ransomware attack and the steps they have agreed to take to improve their security.