Incident Details
The attorney general of New York, Letitia James, today announced a $350,000 settlement with Personal Touch Holding Corporation, a Long Island home health care company, over its negligence in safeguarding the personal and health data of vulnerable New Yorkers. Personal Touch's inadequate data security left it susceptible to a ransomware attack that exposed the personal and medical records of approximately 316,845 individuals. This failure to maintain proper data security practices violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA). Under the settlement, Personal Touch has agreed to pay the penalties, strengthen its cybersecurity program, and provide affected individuals with free credit monitoring and identity theft protection services. Moreover, an additional $100,000 was obtained from an insurance software provider for its role in the compromise of Personal Touch employees' data during an incident in January 2021.
The breach began when a Personal Touch staff member unknowingly opened a malware-infected file attached to a phishing email, giving the attacker access to the company's network, from which sensitive records were extracted from an unencrypted server. The investigation by the Office of the Attorney General (OAG) found that Personal Touch had failed to implement adequate security protocols to safeguard patient and employee information. Its information security program was disorganized and lacked necessary components such as staff training on security measures, access controls, a continuous monitoring system, and encryption of personal and medical data.
Separately, Personal Touch's relationship with an insurance broker led to a third-party breach affecting employees' personal data, including Social Security numbers.
The broker had shared this information with an enrollment software vendor, Falcon Technologies, Inc., which stored the data on an unsecured platform. The lack of proper data security agreements between Personal Touch and its insurance broker led the OAG to secure a separate settlement with Falcon for its failure to protect the data. Under the terms of that agreement, Falcon must pay $100,000 in fines to New York and use encryption and appropriate access controls when handling private information.
Incident
How Did the Breach Happen?
An incident occurred in January 2021 where a staff member of Personal Touch inadvertently opened a file containing malware from a fraudulent email. This action resulted in a hacker successfully breaching Personal Touch's network and retrieving sensitive records of both patients and employees from an inadequately secured server.
What Data has been Compromised?
Approximately 316,845 residents of New York had their personal and medical details exposed in the security breach. The compromised data encompassed individuals' names, addresses, Social Security numbers, medical procedures, and financial details.
Why Did the Company's Security Measures Fail?
The examination conducted by the Attorney General's Office revealed that Personal Touch did not uphold acceptable standards in securing data. Their program for managing information security and risks was described as unstructured and underdeveloped. Specific issues included insufficient training of employees on security measures, deficient access controls, absence of a system for ongoing monitoring, and neglect in encrypting personal and medical information.
What Immediate Impact Did the Breach Have on the Company?
As a result of the breach, Personal Touch agreed to a settlement under which it will pay $350,000 in fines, enhance and upgrade its cybersecurity systems, and provide complimentary credit monitoring and identity theft protection to those impacted. The organization also suffered reputational harm and financial losses.
How could this have been prevented?
The breach could have been averted by establishing and maintaining effective data security measures: consistent employee training on security protocols, stringent access restrictions, encryption of personal and medical information, and a system for ongoing monitoring.
What have we learned from this data breach?
The breach underscores the importance of maintaining robust data protection controls, such as encryption and employee education, to safeguard confidential personal and medical data. It also demonstrates the legal and financial consequences of failing to comply with data privacy statutes and standards.
Summary of Coverage
During a cybersecurity breach in 2021, Personal Touch Holding Corporation was unable to safeguard the personal and medical data of around 316,845 individuals in New York. The incident occurred when a staff member inadvertently opened a malicious file contained in a phishing email. Consequently, the breach led to reputational harm, monetary fines, and a necessity to enhance cybersecurity protocols and data security procedures.