New York AG Settles HIPAA Case with Home Health Company for $350,000
New York Attorney General Letitia James has announced that a settlement has been reached with Personal Touch Holding Corp. over a January 2021 ransomware attack and data breach in which the personal and protected health information (PHI) of 753,107 individuals was stolen, including the PHI of 316,845 New York residents.
Personal Touch Holding Corp (PTHC) is a Delaware corporation that primarily does business in Lake Success, NY. PTHC provides administrative services, such as human resources and other back-office services, for all its subsidiaries. On January 20, 2021, a PTHC employee received a phishing email that contained a malicious Microsoft Excel file. When that file was opened, malware was executed which provided the threat actor with access to the employee’s laptop computer and account. The threat actor escalated privileges, obtained domain administrator credentials, and compromised 5 accounts in total. The threat actor exfiltrated 4,383 files, then deployed ransomware and encrypted 35 PTHC servers. PTHC discovered the attack on January 27, 2023, and issued notifications to the affected individuals on March 24, 2023.
AG James launched an investigation into the attack to determine whether appropriate data security measures had been implemented and whether PTHC was compliant with state laws and the Health Insurance Portability and Accountability Act (HIPAA). The investigation confirmed that PTHC had engaged a managed service provider (MSP) in 2016 to provide private cloud and network management services, and that the MSP, under the direction of PTHC, implemented and managed technical security requirements. The MSP also provided advice and recommendations on data security to PTHC.
At the time of the attack, PTHC had two antivirus solutions in place: Microsoft Windows Defender and Symantec Endpoint Protection. While these solutions detected several of the threat actor's tools and activities and blocked certain actions, there was no central log of those detections, which meant there was no visibility into the malicious activity beyond the local file system of each affected machine. The threat actor exfiltrated data from a PTHC file share server that contained records from all lines of business, including files that contained the personal information and ePHI of current and former patients and current and former employees of PTHC and its then-subsidiaries. The data on that server was not encrypted.
In the year leading up to the attack, PTHC’s MSP identified several data security deficiencies and recommended security measures to address these, including an endpoint detection and response (EDR) tool, a security information and event management (SIEM) solution, and IT governance improvements, including a risk analysis, vulnerability scans, and a learning management system for user training.
A risk analysis was conducted in March 2020 that identified a lack of continuous monitoring, an inadequate business continuity and disaster recovery plan, control gaps with its MSP, insufficient enforcement of data retention policies, a lack of multifactor authentication for email and remote and EMR access, and inadequate IT vendor management practices. AG James determined that PTHC only had an informal information security program, there were insufficient access controls, no continuous monitoring system, and inadequate HIPAA staff training.
Inadequate HIPAA Staff Training Highlighted in Settlement Agreement
AG James identified violations of 16 provisions of the HIPAA Privacy Rule and Security Rule and violations of New York General Business Law. PTHC was fined $350,000, and the settlement agreement requires PTHC to make several enhancements to its information security program to better protect employee and patient data. In addition to the technical security enhancements, PTHC is required to implement a comprehensive HIPAA training program that includes initial training, annual refresher training, and mock phishing exercises. Employees who fail the mock phishing exercises will be required to undergo further training and sit the exercises again.
“Health care institutions have a responsibility to safeguard New Yorkers’ wellbeing, but also to protect their confidential and private information,” said Attorney General James. “The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality health care. My office will always step up and hold companies responsible if their negligence puts New Yorkers’ private information in jeopardy.”
During the investigation, AG James discovered PTHC was notified of a third-party breach that affected its employees’ personal information, including Social Security numbers. PTHC had provided the data to its insurance broker, who disclosed that information to an enrollment software vendor, Falcon Technologies, Inc. Falcon was discovered to have stored the data on an unsecured site. PTHC did not have any agreements in place with its insurance broker concerning data security standards that applied to personal information not covered by HIPAA. AG James settled this separate case with Falcon, which must pay a penalty of $100,000 and make security improvements, including implementing encryption and proper access controls.