Medical Records of 156,400 Personal Touch Home Care Patients Compromised in Ransomware Attack on EHR Hosting Company
The Lake Success, NY-based home health company, Personal Touch Home Care (PTHC), has started notifying patients that a recent ransomware attack on its Wyomissing, PA-based IT vendor, Crossroads Technologies Inc., has potentially seen some of their protected health information compromised.
Crossroads informed PTHC on December 1, 2019 that the ransomware attack affected its Pennsylvania data center where PTHC’s electronic medical records were hosted. The ransomware attack prevented patient records from being accessed for a few days. While the EHR system was down, staff at PTHC switched to emergency protocols and used pen and paper to record patient information.
The encrypted data has now been recovered. It is unclear whether Crossroads restored the data from backups or if the ransom was paid and if any other healthcare clients were affected.
The compromised medical records contained patient names, addresses, telephone numbers, dates of birth, medical record numbers, health insurance card numbers, plan benefit numbers, Social Security numbers, and treatment information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
PTHC is currently unaware of the extent to which PHI was compromised and whether the attackers obtained PHI prior to the encryption of data. At this stage of the investigation, no evidence has been found to suggest patient information was exfiltrated prior to the deployment of the ransomware. Crossroads is still investigating the attack.
The incident was reported to the Department of Health and Human Services’ Office for Civil Rights as 17 separate breach reports, one for each of the offices affected. The data breaches were reported separately as each office is a separate legal entity. In total, the PHI of 156,409 patients and caregivers across 6 states has been compromised. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.
The following offices were affected by the attack:
| Breached Entity | State | Individuals Affected |
| Personal Touch Home Care of VA, Inc. | VA | 33,324 |
| Personal Touch Home Care of W. VA, Inc. | WV | 1,169 |
| Personal Touch Hospice of VA, Inc. | VA | 1,657 |
| Personal Touch Home Care of Mass., Inc. | NY | 2,015 |
| PT Home Services of San Antonio, Inc. | TX | 5,930 |
| Personal Touch Home-Aides, Inc. | NY | 2,633 |
| Personal Touch Home Services of Dallas, Inc. | TX | 1,700 |
| Personal Touch Home Care of S.E. Mass., Inc. | NY | 2,863 |
| Personal Touch Home Aides Inc. | NY | 1,890 |
| Personal Touch Home Care of PA, Inc. | NY | 9,302 |
| Personal Touch Home Care of Ohio, Inc. | NY | 15,808 |
| Personal Touch Home Care of Greater Portsmouth, Inc. | NY | 1,957 |
| Personal Touch Home Aides of Baltimore, Inc. | NY | 804 |
| Personal Touch Home Care of Baltimore, Inc. | NY | 9,058 |
| Personal Touch Home Care of KY, Inc. | KY | 24,013 |
| Personal Touch Home Care of Indiana, Inc. | IN | 3,593 |
| Personal Touch Home Aides of New York, Inc. | NY | 38,693 |
This is the third major business associate ransomware attack to be reported in the past few days. A ransomware attack on the Albany, NY-based accounting and tax firm BST & Co. CPAs LLC affected patients of the Community Care Physicians medical group, and NRC Health, a provider of patient survey services and software, experienced an attack that impacted some of its healthcare clients.
