New York AG Resolves HIPAA Case with Home Health Company Resolved for $350,000
New York Attorney General Letitia James reported a settlement it had with Personal Touch Holding Corp. about a ransomware attack and data breach in January 2021 wherein the personal data and protected health information (PHI) of 753,107 people were stolen, which include the PPH of 316,845 New York locals.
Personal Touch Holding Corp (PTHC) is a corporation in Delaware that mainly operates business in Lake Success, NY. PTHC offers its subsidiaries administrative services, like human resources as well as other back-office solutions. On January 20, 2021, a PTHC worker got a phishing email that included a malicious Microsoft Excel file. Upon opening that file, the malware allowed the threat actor to get access to the laptop computer and account of the employee. The threat actor acquired the credentials of the domain administrator and breached 5 accounts. The threat actor extracted 4,383 files, and then used ransomware to encrypt 35 PTHC servers. PTHC found out about the attack on January 27, 2023, and sent breach notifications to the impacted people on March 24, 2023.
AG James started an investigation into the ransomware attack to find out whether proper data security procedures were implemented and whether PTHC complied with state legislation and the Health Insurance Portability and Accountability Act (HIPAA). It was confirmed by the investigation that PTHC had employed a managed service provider (MSP) in 2016 to give private cloud and system management solutions, and with the guidance of PTHC, managed the requirements of technical security. The MSP additionally offered PTHC advice and tips about data security.
During the attack, PTHC set up two antivirus solutions: Symantec Endpoint Protection and Microsoft Windows Defender. Although these solutions discovered a number of the tools and the threat actor’s activities and stopped some of them, there was no main record of the activities meaning the malicious activities were not visible apart from the local files. The threat actor extracted information from a PTHC file share server that included data from all ranges of business, such as files that included the personal data and ePHI of present and past patients and present and previous workers of PTHC and its subsidiaries. The information on that device was not encrypted.
In the year that led to the ransomware attack, PTHC’s MSP discovered a number of data security problems and advised security steps to deal with these, which include an endpoint detection and response (EDR) program, a security information and event management (SIEM) tool, and IT governance enhancements, along with risk analysis, scanning vulnerability, and a learning management system for training users.
A risk analysis was carried out in March 2020 that discovered insufficient constant monitoring, control gaps with its MSP, an insufficient business continuity and disaster recovery plan, inadequate observance of data retention policies, not having multifactor authentication for email and remote and EMR access, and insufficient IT vendor management procedures.
AG James found out that PTHC just had an informal data security program, there were inadequate access controls, no constant monitoring system, and insufficient employee training. AG James discovered that 16 provisions of the HIPAA Privacy Rule and Security Rule and the New York General Business Law were violated. PTHC was penalized $350,000 and PTHC had to make a number of improvements to its data security program to better safeguard worker and patient information.
At the time of the investigation, AG James found out PTHC was informed of a third-party breach that impacted its workers’ personal data, which included Social Security numbers. PTHC had given the information to its insurance agent, who shared that data with Falcon Technologies, Inc., an enrollment software seller. Falcon was found to have kept the information on an unsecured site. PTHC didn’t sign any contracts with its insurance agent regarding data security requirements that applied to personal data not regulated by HIPAA. AG James resolved this separate case with Falcon, requiring a $100,000 penalty payment and making security enhancements, such as using encryption and appropriate access controls.
New York AG Resolves Data Breach Investigation of U.S. Radiology Specialists
New York Attorney General, Letitia James, reported that U.S. Radiology Specialists Inc. paid a $450,000 penalty to settle allegations that it did not protect patients’ personal and health data. U.S. Radiology Specialists is one of the country’s biggest private radiology groups and service providers for medical facilities all through the U.S. It likewise works with other radiology groups, such as the Windsong Radiology Group that manages 6 medical facilities in Western New York. Windsong, just like other partner organizations, depends on U.S. Radiology Specialists for many services, such as network management and security. The Office of the Attorney General of the State of New York investigated U.S. Radiology Specialists because of a big data breach in 2021 to find out if it was the result of a failure to adhere to the Health Insurance Portability and Accountability Act (HIPAA) and state legislation.
U.S. Radiology Specialists secured its partner networks using a SonicWall firewall. SonicWall notified its clients on January 22, 2021 about a synchronized cyberattack on its internal networks. Threat actors were believed to have taken advantage of a zero-day vulnerability identified in SonicWall products that are employed for remote access. On January 31, 2021, NCC Group researchers discovered the vulnerability and SonicWall released a patch after three days.
U.S. Radiology Specialists employed SonicWall components that are nearing end-of-life and, consequently, SonicWall didn’t offer a patch that can be used on its hardware. The hardware must be improved before the patch can be used to correct the vulnerability. Though the vulnerability was used in attacks on SonicWall clients, U.S. Radiology Specialists slated the hardware update for July 2021, and postponed the hardware replacement project because of contending priorities and resource limitations.
On December 8, 2021, an unauthorized person acquired access to US Radiology’s SonicWall gadget using legit credentials, used the VPN, and then used 101 more credentials to get into different system data folders the next week. Whilst the breach investigation did not determine how the theft of credentials occurred, the SQL injection vulnerability discovered by NCC Group and patched by SonicWall might have been taken advantage of to acquire the required credentials to get into the SonicWall VPN.
The third-party attack investigation was complex and needed considerable analysis and was completed in August 2022. The investigation proved that the threat actor acquired access to the PHI of 198,260 individuals, which include 92,540 patients of Windsong, residents of New York, and it was affirmed that sensitive information was extracted by the attackers. The exposed PHI contained names, birth dates, patient IDs, provider names, dates of service, types of radiology examinations, diagnoses, and medical insurance ID numbers, and the private data of 82,478 New York residents, including names, passport numbers, driver’s license numbers, and Social Security numbers.
The New York Attorney General’s Office confirmed that U.S. Radiology Specialists did not use reasonable and proper data security procedures to safeguard patient data when it did not deal with a known vulnerability in an acceptable time frame. The investigation was resolved without admitting liability and U.S. Radiology Specialists consented to pay $450,000 as a financial penalty, upgrade its IT structure, ensure the security of its networks, revise its data security guidelines, and use and keep an information security program.
The New York Attorney General has enforced financial penalties on several companies in the last couple of months for data security problems. Personal Touch lately resolved supposed HIPAA and state legislation violations for $350,000, the New York Attorney General took part in a multi-state investigation of Blackbaud and got a part of the $49.5 million settlement, and PracticeFirst Medical Management Solutions resolved the investigation with the New York AG by paying a $550,000 fine.