Personal Touch Holding Corp. Settles Class Action Data Breach Lawsuit
Personal Touch Holding Corp. has received preliminary approval for a settlement to resolve a class action lawsuit that was filed following a January 2021 ransomware attack and data breach that affected 753,107 patients. The Lake Success, NY-based provider of home health services operates around 30 Personal Touch Home Care subsidiaries in more than half a dozen U.S. states. In January 2021, a ransomware group gained access to cloud-stored business records and the data of 29 of its subsidiaries. Initial access was gained when an employee responded to a phishing email and downloaded malware.
Individuals who had previously received services from Personal Touch or its subsidiaries had their names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information, including check copies, credit card numbers, bank account information, medical treatment information, health insurance card, health plan benefit numbers, and medical record numbers compromised in the attack.
A class action lawsuit – Everetts v. Personal Touch Holding Corp. – was filed in the U.S. District Court for the Eastern District of New York. The lawsuit alleged that Personal Touch failed to implement reasonable and appropriate cybersecurity measures prior to the attack, and that the ransomware attack could have been prevented had those measures been implemented. Personal Touch chose to settle the lawsuit with no admission of wrongdoing or liability.
Under the terms of the settlement, class members who were notified about the breach by Personal Touch on or around March 24, 2021, whose personally identifiable information (PII) or protected health information (PHI) was not potentially exposed can submit a claim for up to $125 to cover out-of-pocket expenses related to the data breach, including communication costs, credit monitoring costs, and other costs incurred after January 20, 2021, in relation to the breach.
Individuals who received a notification from Personal Touch on or around March 24, 2021, informing them that their PII or PHI was exposed in the data breach can submit claims of up to $7,500 for reimbursement of documented out-of-pocket expenses and damages due to identity theft and fraud, including up to three hours of lost time at $25 per hour. The settlement also includes two years of Identity Defense Total Service for individuals whose PII and/or PHI were potentially exposed in the data breach.
Claims must be submitted by May 21, 2024, and the deadline for objecting to the settlement or asking to be excluded is also May 21, 2024. Individuals who do nothing will get no payment and will give up their rights in relation to the breach. The settlement has received preliminary approval from the court and the final settlement hearing is scheduled for July 22, 2024.
In October 2023, New York Attorney General Letitia James announced that a $350,000 settlement had been reached with Personal Touch to resolve allegations of violations of HIPAA and state laws related to data security. Personal Touch was alleged to have been aware of security vulnerabilities yet failed to address them in a reasonable time frame, only had an informal security program, and had not provided adequate HIPAA training to staff members.


