Ransomware Attack on Home Healthcare Service Provider Affects 753,000 Individuals

Personal Touch Holding Corp, a Lake Success, NY-based provider of home health services, is alerting 753,107 patients about a breach of their protected health information.

Personal Touch Holding Corp operates around 30 Personal Touch Home Care subsidiaries in more than half a dozen U.S. states. On January 27, 2021, Personal Touch discovered it was the victim of a cyberattack involving its private cloud hosted by its managed service providers. The attackers encrypted the cloud-stored business records of Personal Touch and 29 of its direct and indirect subsidiaries.

The investigation into the ransomware attack is ongoing. At this stage it is unclear to what extent individual’s protected health information was compromised; however, it is possible that the attackers obtained data stored in its private cloud prior to the use of ransomware.

An analysis of its cloud environment revealed the following types of patient information may have been compromised in the attack: names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information, including check copies, credit card numbers, bank account information, medical treatment information, health insurance card, health plan benefit numbers, and medical record numbers.

Employee information was also compromised, including names, contact information, dates of birth, Social Security numbers (including dependent and spouse Social Security numbers), driver’s license numbers, passport numbers, birth certificates, background and credit reports, demographic information, usernames and passwords used at the Company, personal email addresses, fingerprints, insurance cards, health and welfare plan benefit numbers, retirement benefits information, medical treatment information, check copies, and other financial information necessary for payroll.

Following the discovery of the breach, outside counsel and was retained and independent forensics experts were engaged to assist with the investigation. The FBI has been alerted, along with state attorneys general and the HHS’ Office for Civil Rights. Personal Touch said it has now implemented advanced monitoring and alerting software.

This is the second ransomware attack to affect Personal Touch subsidiaries in a little over a year. In January 2020, Personal Touch announced that the protected health information of patients of 16 of its subsidiaries had been compromised in a ransomware attack on its cloud vendor, Crossroads Technologies. Crossroads Technologies hosted the Personal Touch cloud-based electronic health records. 156,400 medical records were compromised in that ransomware attack.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.