Medical Records of 156,400 Personal Touch Home Care Patients Compromised in Ransomware Attack on EHR Hosting Company

The Lake Success, NY-based home health company, Personal Touch Home Care (PTHC), has started notifying patients that a recent ransomware attack on its Wyomissing, PA-based IT vendor, Crossroads Technologies Inc., has potentially seen some of their protected health information compromised.

Crossroads informed PTHC on December 1, 2019 that the ransomware attack affected its Pennsylvania data center where PTHC’s electronic medical records were hosted. The ransomware attack prevented patient records from being accessed for a few days. While the EHR system was down, staff at PTHC switched to emergency protocols and used pen and paper to record patient information.

The encrypted data has now been recovered. It is unclear whether Crossroads restored the data from backups or if the ransom was paid and if any other healthcare clients were affected.

The compromised medical records contained patient names, addresses, telephone numbers, dates of birth, medical record numbers, health insurance card numbers, plan benefit numbers, Social Security numbers, and treatment information.

PTHC is currently unaware of the extent to which PHI was compromised and whether the attackers obtained PHI prior to the encryption of data. At this stage of the investigation, no evidence has been found to suggest patient information was exfiltrated prior to the deployment of the ransomware. Crossroads is still investigating the attack.

The incident was reported to the Department of Health and Human Services’ Office for Civil Rights as 17 separate breach reports, one for each of the offices affected. The data breaches were reported separately as each office is a separate legal entity. In total, the PHI of 156,409 patients and caregivers across 6 states has been compromised. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The following offices were affected by the attack:

Breached Entity State Individuals Affected
Personal Touch Home Care of VA, Inc. VA 33,324
Personal Touch Home Care of W. VA, Inc. WV 1,169
Personal Touch Hospice of VA, Inc. VA 1,657
Personal Touch Home Care of Mass., Inc. NY 2,015
PT Home Services of San Antonio, Inc. TX 5,930
Personal Touch Home-Aides, Inc. NY 2,633
Personal Touch Home Services of Dallas, Inc. TX 1,700
Personal Touch Home Care of S.E. Mass., Inc. NY 2,863
Personal Touch Home Aides Inc. NY 1,890
Personal Touch Home Care of PA, Inc. NY 9,302
Personal Touch Home Care of Ohio, Inc. NY 15,808
Personal Touch Home Care of Greater Portsmouth, Inc. NY 1,957
Personal Touch Home Aides of Baltimore, Inc. NY 804
Personal Touch Home Care of Baltimore, Inc. NY 9,058
Personal Touch Home Care of KY, Inc. KY 24,013
Personal Touch Home Care of Indiana, Inc. IN 3,593
Personal Touch Home Aides of New York, Inc. NY 38,693

This is the third major business associate ransomware attack to be reported in the past few days. A ransomware attack on the Albany, NY-based accounting and tax firm BST & Co. CPAs LLC affected patients of the Community Care Physicians medical group, and NRC Health, a provider of patient survey services and software, experienced an attack that impacted some of its healthcare clients.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.