DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Personal Touch Holding settles NY Attorney General’s lawsuit stemming from 2021 ransomware incident: will pay $350k, improve security

Posted on October 18, 2023 by Dissent

From a press release from the NYS Attorney General’s Office today:

New York Attorney General Letitia James today secured $350,000 from a Long Island-based home health care company, Personal Touch Holding Corporation (Personal Touch), for failing to protect vulnerable New Yorkers’ personal information and health care data. Personal Touch’s poor data security made it vulnerable to a ransomware attack that compromised the personal and medical information of approximately 316,845 New Yorkers. Personal Touch’s data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA), which required Personal Touch to adhere to specific data protection practices. As a result of today’s agreement, Personal Touch has agreed to pay $350,000 in penalties to New York, update and improve their cybersecurity infrastructure, and offer free credit monitoring and identity theft services to affected individuals. In addition, Attorney General James secured $100,000 from an insurance software vendor for compromising Personal Touch employees’ data.

…   In January 2021, a Personal Touch employee opened a malware-infected file attached to a phishing email that allowed a hacker to gain access to Personal Touch’s network and collect patient and employee records from an unencrypted server. These records dated back decades and included confidential personal and health information, including names, addresses, Social Security numbers, medical treatments, and financial information of thousands of people.

… The Office of the Attorney General’s (OAG) investigation determined that Personal Touch failed to maintain reasonable data security safeguards to protect patient and employee data. Personal Touch’s information security and risk management program was informal and immature. There was inadequate security training of its staff, poor access controls, a lack of a continuous monitoring system, and a failure to encrypt personal and medical data.

During the OAG’s investigation, Personal Touch was notified of a third-party breach that affected its employees’ personal information, including Social Security numbers. Personal Touch had provided this data to its insurance broker, who provided the data to an enrollment software vendor, Falcon Technologies, Inc. (Falcon), which placed the data on an unsecured site. Personal Touch did not have any agreements in place with its insurance broker concerning data security standards that applied to personal information not covered by HIPAA. The OAG secured a separate agreement with Falcon for failing to secure this information. Under the terms of Falcon’s agreement with the OAG, Falcon must pay $100,000 in penalties to New York and ensure the use of encryption and proper access controls in handling private information.

The 2021 breach was first revealed in a press release by the firm in March, 2021.

This is another example of a state attorney general litigating under both HIPAA and state law.  HHS’s own closing comments from its own investigation did not suggest any penalty or that it had really imposed any specific requirements on the firm:

The covered entity (CE), Personal Touch Holding Corporation, reported that its business associate (BA) was the victim of a ransomware attack that affected the electronic protected health information (ePHI) of 753,107 individuals. The ePHI involved included names, addresses, dates of birth, Social Security numbers, claims and financial information, diagnoses, lab results, medications prescribed, and other treatment information. The CE notified HHS, affected individuals, and the media. Following the discovery of the incident, the CE implemented additional administrative, technical, and security safeguards to better protect its ePHI.

Read the state settlement’s Assurance of Discontinuance for more details about Personal Touch’s inadequate security prior to the ransomware attack and the steps they have agreed to take to improve their security.

Category: FederalHealth DataLegislationState/LocalU.S.

Post navigation

← UPDATE: D.C. Board of Elections data breach contained fewer than 4,000 D.C. voters’ data
Cuba ransomware gang demands $1.9 million for decryption key; Rock County refuses →

1 thought on “Personal Touch Holding settles NY Attorney General’s lawsuit stemming from 2021 ransomware incident: will pay $350k, improve security”

  1. Isabella says:
    October 19, 2023 at 8:49 am

    This case is a reminder of how critical it is for businesses to invest in robust cybersecurity measures. Ransomware attacks can not only disrupt operations but also result in significant financial losses. With tax season around the corner, it’s worth noting that cybersecurity expenses can be deductible business expenses, and it might be a good idea for companies to consult their tax advisors about potential deductions. Ultimately, investing in security not only protects sensitive data but can also be a wise financial decision. It’s an investment in both protecting your business and potentially reducing your tax liability. It’s great to see that Personal Touch Holding is not only settling the lawsuit but also taking steps to enhance their security. This proactive approach is a positive sign for the company’s future and its commitment to safeguarding both its operations and client data.

    (Link deleted by moderator. Advertising or not allowed.)

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
  • Call for Public Input: Essential Cybersecurity Protections for K-12 Schools (2025-26 SY)
  • Cyberattack puts healthcare on hold for hundreds in St. Louis metro
  • Europol: DDoS-for-hire empire brought down: Poland arrests 4 administrators, US seizes 9 domains

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information
  • Georgia hospital defeats data-tracking lawsuit
  • No Postal Service Data Sharing to Deport Immigrants
  • DOGE aims to pool federal data, putting personal information at risk
  • Privacy concerns swirl around HHS plan to build Medicare, Medicaid database on autism

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.