DataBreaches.Net


NYS settles charges against PracticeFirst stemming from 2020 ransomware incident

Posted on May 24, 2023 by Dissent

In July 2021, Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp., a medical management company that processes data for health care providers, issued a press release about a hacking incident that occurred in December 2020. As DataBreaches noted at the time, it appeared that they likely paid ransom because one line in their statement was, “The actor who took the copy has advised that the Information is destroyed and was not shared.”

The breach was reported to both the Maine Attorney General’s Office and HHS as affecting 1,210,688 people. The incident appears to be still under investigation by HHS, but the NYS Attorney General’s Office has settled charges against the upstate firm. In a press release issued yesterday, the AG’s office writes:

New York Attorney General Letitia James recouped $550,000 from a medical management company, Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp. (Practicefirst), for failing to protect New Yorkers’ personal information, including health records. Practicefirst’s failure to make a timely software update made their networks susceptible to a cyberattack, which affected more than 1.2 million individuals nationwide, including over 428,000 New Yorkers. Practicefirst’s data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA). As a result of today’s agreement, Practicefirst has agreed to pay $550,000 in penalties to New York, strengthen its data security practices, and offer affected consumers free credit monitoring services.

According to the state’s investigation, Practicefirst failed to update its firewall in January 2019 when the firewall provider issued an updated version that was designed to patch a critical vulnerability. The OAG found:

Between May 2019 and August 2019, the firewall provider published an advisory for the vulnerability, the National Institute of Standards and Technology’s National Vulnerability Database (“NVD”) published an entry about the vulnerability, security researchers presented about the vulnerability at a Black Hat security conference, and a Metasploit module demonstrating the exploitation of the vulnerability was published online.

Between May 2019 and December 2020, Practicefirst and its managed service provider did not conduct any penetration tests, vulnerability scans, or other security testing that would have identified the vulnerability.

An attacker exploited that vulnerability in November 2020, gained access, and then deployed ransomware and exfiltrated unencrypted files with patient data. “Days later, screenshots containing personal information of 13 consumers were discovered on the dark web,” the Attorney General’s Office notes.

As DataBreaches had suggested in 2021, PracticeFirst had paid ransom. The OAG noted that after the payment, Practicefirst obtained a written attestation that the unauthorized actor had destroyed the exfiltrated data. “The unauthorized actor provided information indicating 80 gigabytes of data, containing 79,000 files, were exfiltrated,” the OAG noted.

The Assurance of Discontinuance identifies specific security protections PracticeFirst must implement.

