March 25, 2021 /PRNewswire/ — Today, Personal Touch Holding Corp. (PTHC) announced it is addressing a data breach it discovered on January 27, 2021.
PTHC is the parent company of subsidiaries that operate Medicare-certified home health agencies, licensed home care service agencies, hospice at home services and Early Intervention Programs, as well as a managed care plan in New York. A complete list of these subsidiaries is available at www.pthomecare.com/protects.
PTHC is a business associate of its subsidiaries. In that capacity PTHC performs services that require it to have access to personal information of patients and members of its subsidiaries.
Personal Touch Holding Corp. began notifying potentially affected individuals, including current and former patients, and members of its subsidiaries, on March 24, 2021.
- Patient’s information may include medical treatment information, insurance card and health plan benefit numbers, medical record numbers, first and last name, address, telephone numbers, date of birth, Social Security number, and financial information, including check copies, credit card numbers, and bank account information.
- Member information may include Medicaid ID number, ID number, provider name, clinical/medical information, first and last name, address, telephone number, date of birth, Social Security numbers, and credit card numbers and/or banking information, if members paid their Medicaid surplus through credit card or check.
Read the full press release on PRNewswire.
But what was the breach? And how did it occur? The press release provides no details, but a notice on their web site says that on January 27, they discovered that they experienced “a cybersecurity attack on the private cloud hosted by its managed service providers.” Was this a ransomware attack or something else? And who is the managed service provider? Did that MSP have other customers impacted, too? And will Personal Touch be offering any mitigation services to those impacted? This notification seems to omit a lot of information that might help those impacted gauge their risk and what steps they should take to protect themselves.
Ah, There’s the Answer!
DataBreaches.net subsequently located a notification to Maine by their external counsel, Ruskin Moscou Faltischek, P.C. Their notification indicated that the following entities were affected:
Personal Touch Holding Corp., business associate to its direct and indirect subsidiaries Personal Touch Home Care of Greater Portsmouth, Inc., Personal Touch Home Care of S.E. Mass., Inc., Personal-Touch Home Care of N.Y., Inc., Personal Touch Home Care of Baltimore, Inc., Personal Touch Home Care of VA, Inc. and Personal Touch Home –Aides, Inc. (MA)
Significantly, while notification letters remained silent on details, the mandated notification to the state indicated that this was a ransomware attack. And at least some, but seemingly not all, of those impacted are being offered some mitigation services:
In addition, we are offering identity theft protection services through IDX, the data breach and recovery services expert.
IDX identity protection services include: 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed id theft recovery services. With this protection, IDX will help you resolve issues if your identity is compromised.
The breach reportedly impacted 753,107 people. It is not clear what subset of these were patients as opposed to employees.
The notification to the state does not name the managed service providers.
History Repeats Itself?
January does not seem to be a good month for Personal Touch. One year ago, in January 2020, Personal Touch revealed that they had been informed in December by Crossroads Technologies of a ransomware attack by Maze threat actors. That incident was reported to HHS as impacting more than 150,000 patients at multiple locations. And now they experienced another ransomware attack? Ouch.