You may have to worry about more than HHS if your patients’ data gets exposed. If you think you’re safe from ransomware attacks because you’re in the relatively small home health and hospice industry, think again. Personal Touch Holding Corp. has agreed to pay a whopping $350,000 after a ransomware attack in January 2021 led to a serious breach, reports New York state Attorney General Letitia James. “Personal Touch’s poor data security made it vulnerable to a ransomware attack that compromised the personal and medical information of approximately 316,845 New Yorkers,” the Office of the AG says in a release.

What happened: “A Personal Touch employee opened a malware-infected file attached to a phishing email that allowed a hacker to gain access to Personal Touch’s network and collect patient and employee records from an unencrypted server,” James relates. “These records dated back decades and included confidential personal and health information, including names, addresses, Social Security numbers, medical treatments, and financial information of thousands of people,” the release says.

The Long Island-based company “failed to maintain reasonable data security safeguards to protect patient and employee data. Personal Touch’s information security and risk management program was informal and immature. There was inadequate security training of its staff, poor access controls, a lack of a continuous monitoring system, and a failure to encrypt personal and medical data,” the AG lists.

It gets worse: Personal Touch provided employee data to its insurance broker, “who provided the data to an enrollment software vendor, Falcon Technologies, Inc. (Falcon), which placed the data on an unsecured site,” where it was breached, the AG reports. “Personal Touch did not have any agreements in place with its insurance broker concerning data security standards that applied to personal information not covered by HIPAA,” the release says. Falcon has agreed to pay New York $100,000 for that transgression.

In addition to the settlement, Personal Touch has agreed to offer identity theft services to those affected and strengthen its information security processes. That extensive task list includes conducting regular risk assessments and updating its info security plan accordingly; implementing anti-malware and anti-phishing solutions; and undergoing regular penetration testing, the AG says.

Personal Touch announced this breach back in March 2021. It also announced another unrelated breach in January 2020, involving its “cloud-hosting provider, Crossroads Technologies Inc.,” it said.

“This is another example of a state attorney general litigating under both HIPAA and state law,” notes HIPAA news site databreaches.net. “[The Department of Health and Human Services’] own closing comments from its own investigation did not suggest any penalty or that it had really imposed any specific requirements on the firm,” the outlet says.