DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Personal Touch Holding settles NY Attorney General’s lawsuit stemming from 2021 ransomware incident: will pay $350k, improve security

Posted on October 18, 2023 by Dissent

From a press release from the NYS Attorney General’s Office today:

New York Attorney General Letitia James today secured $350,000 from a Long Island-based home health care company, Personal Touch Holding Corporation (Personal Touch), for failing to protect vulnerable New Yorkers’ personal information and health care data. Personal Touch’s poor data security made it vulnerable to a ransomware attack that compromised the personal and medical information of approximately 316,845 New Yorkers. Personal Touch’s data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA), which required Personal Touch to adhere to specific data protection practices. As a result of today’s agreement, Personal Touch has agreed to pay $350,000 in penalties to New York, update and improve their cybersecurity infrastructure, and offer free credit monitoring and identity theft services to affected individuals. In addition, Attorney General James secured $100,000 from an insurance software vendor for compromising Personal Touch employees’ data.

…   In January 2021, a Personal Touch employee opened a malware-infected file attached to a phishing email that allowed a hacker to gain access to Personal Touch’s network and collect patient and employee records from an unencrypted server. These records dated back decades and included confidential personal and health information, including names, addresses, Social Security numbers, medical treatments, and financial information of thousands of people.

… The Office of the Attorney General’s (OAG) investigation determined that Personal Touch failed to maintain reasonable data security safeguards to protect patient and employee data. Personal Touch’s information security and risk management program was informal and immature. There was inadequate security training of its staff, poor access controls, a lack of a continuous monitoring system, and a failure to encrypt personal and medical data.

During the OAG’s investigation, Personal Touch was notified of a third-party breach that affected its employees’ personal information, including Social Security numbers. Personal Touch had provided this data to its insurance broker, who provided the data to an enrollment software vendor, Falcon Technologies, Inc. (Falcon), which placed the data on an unsecured site. Personal Touch did not have any agreements in place with its insurance broker concerning data security standards that applied to personal information not covered by HIPAA. The OAG secured a separate agreement with Falcon for failing to secure this information. Under the terms of Falcon’s agreement with the OAG, Falcon must pay $100,000 in penalties to New York and ensure the use of encryption and proper access controls in handling private information.

The 2021 breach was first revealed in a press release by the firm in March, 2021.

This is another example of a state attorney general litigating under both HIPAA and state law.  HHS’s own closing comments from its own investigation did not suggest any penalty or that it had really imposed any specific requirements on the firm:

The covered entity (CE), Personal Touch Holding Corporation, reported that its business associate (BA) was the victim of a ransomware attack that affected the electronic protected health information (ePHI) of 753,107 individuals. The ePHI involved included names, addresses, dates of birth, Social Security numbers, claims and financial information, diagnoses, lab results, medications prescribed, and other treatment information. The CE notified HHS, affected individuals, and the media. Following the discovery of the incident, the CE implemented additional administrative, technical, and security safeguards to better protect its ePHI.

Read the state settlement’s Assurance of Discontinuance for more details about Personal Touch’s inadequate security prior to the ransomware attack and the steps they have agreed to take to improve their security.

Category: FederalHealth DataLegislationState/LocalU.S.

Post navigation

← UPDATE: D.C. Board of Elections data breach contained fewer than 4,000 D.C. voters’ data
Cuba ransomware gang demands $1.9 million for decryption key; Rock County refuses →

1 thought on “Personal Touch Holding settles NY Attorney General’s lawsuit stemming from 2021 ransomware incident: will pay $350k, improve security”

  1. Isabella says:
    October 19, 2023 at 8:49 am

    This case is a reminder of how critical it is for businesses to invest in robust cybersecurity measures. Ransomware attacks can not only disrupt operations but also result in significant financial losses. With tax season around the corner, it’s worth noting that cybersecurity expenses can be deductible business expenses, and it might be a good idea for companies to consult their tax advisors about potential deductions. Ultimately, investing in security not only protects sensitive data but can also be a wise financial decision. It’s an investment in both protecting your business and potentially reducing your tax liability. It’s great to see that Personal Touch Holding is not only settling the lawsuit but also taking steps to enhance their security. This proactive approach is a positive sign for the company’s future and its commitment to safeguarding both its operations and client data.

    (Link deleted by moderator. Advertising or not allowed.)

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them
  • Iranian Man Pleaded Guilty to Role in Robbinhood Ransomware
  • Developments surrounding data breach at Dutch police
  • Estonia launches international search for Moroccan citizen wanted over data theft
  • Now it’s Tiffany: Another LVMH luxury brand hit by hackers
  • Dutch Government: More forms of espionage to be a criminal offence from 15 May onwards
  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.