Personal Touch Holding Corp has reached a settlement with the New York Attorney General regarding a potential HIPAA violation case.
What happened
Personal Touch is the parent company of subsidiaries operating Medicare-certified home health, home care, and at-home hospice services throughout the country, including New York City and Long Island.
According to court documents, the company faced a ransomware attack in January 2021 via a phishing incident. The incident allowed an unauthorized user to access an employee's laptop and, eventually, administrator credentials. In total, the attacker accessed 5 accounts and encrypted 35 servers, resulting in a breach of personal and protected information of 753,107 individuals.
Out of those individuals, 316,845 were New York residents.
The breach was discovered by Personal Touch on January 27, 2023, and notifications were sent to affected individuals on March 24, 2023.
Going deeper
At the time, Personal Touch was utilizing two antivirus solutions, Microsoft Windows Defender and Symantec Endpoint, which detected and blocked some actions but did not keep a log of the activity.
Before the event, Personal Touch had identified security deficiencies and received recommended measures to improve security. These measures included the utilization of endpoint detection and response (EDR) tools and IT governance improvements.
In March 2020, a risk analysis was conducted to identify potential security vulnerabilities. They noted a lack of continuous monitoring, an inadequate business continuity and disaster recovery plan, a lack of multifactor authentication for email, and more that could lead to infiltration from malicious actors.
What's new
New York Attorney General Letitia James determined that Personal Health only had an "informal information security program," noting that there were insufficient access controls, no continuous monitoring system, and inadequate staff training.
As part of the agreement, Personal Touch was fined $350,000 and is required to improve its information security program. Components of the program include:
- Maintain a comprehensive information security program that includes regular risk assessment, testing, and monitoring.
- Maintain reasonable access control and authentication procedures.
- Encrypt personal and health information.
- Implement a continuous logging and monitoring system, anti-malware protection, intrusion detection, and email filtering.
- Developing a vulnerability management program.
- Updating data collection, retention, and disposal practices.
- Conduct annual employee security training.
- Establish reasonable vendor management procedures.
Further specifics in the requirements are outlined in the settlement agreement. In one year, a third party will conduct an assessment to ensure Personal Touch is meeting security standards. Third-party organizations will continue assessing Personal Touch for five years.
What was said
In a press release, Attorney General James said, "Healthcare institutions have a responsibility to safeguard new Yorkers' wellbeing, but also to protect their confidential and private information."
James added, "The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality health care. My office will always step up and hold companies responsible if their negligence puts New Yorkers' private information in jeopardy."
The big picture
Many organizations face repercussions for failing to follow proper standards for data protection and leaving known vulnerabilities unaddressed. Recently, CarePointe was sued by the Indiana Attorney General for allegedly failing to address known security issues, leading to a data breach affecting approximately 45,000 patients.
To avoid serious repercussions, companies should stay current on security trends and constantly monitor and evaluate their current processes.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
