Ransomware Attack on Home Healthcare Service Provider Impacts 753,000 People

Personal Touch Holding Corp based in Lake Success, NY is a home healthcare services provider. The company is notifying 753,107 patients concerning a potential breach of their protected health information (PHI).

Personal Touch Holding Corp manages approximately 30 Personal Touch Home Care subsidiaries in over six U.S. states. On January 27, 2021, Personal Touch learned it encountered a cyberattack that involved its private cloud. The attackers encrypted the business files of Personal Touch stored in the
cloud along with those of 29 of its indirect and direct subsidiaries.

The investigation into the incident is still in progress. At this time, it is uncertain how much PHI was affected; nevertheless, it is likely that the attackers acquired information kept in its private cloud before deploying the ransomware.

A review of its cloud storage showed that these patient data might have been breached during the attack: names, phone numbers, addresses, birth dates, Social Security numbers, financial data, such as credit card numbers, check copies, bank account details, health treatment data, medical record numbers, medical insurance card, and health plan benefit numbers.

Employee details were likewise affected, such as names, contact details, birth dates, Social Security numbers (like spouse and dependent Social Security numbers), passport numbers, driver’s license numbers, birth certificates, demographic details, background and credit reports, company usernames and passwords, individual email addresses, insurance cards, fingerprints, retirement benefits details, health, and welfare plan benefit numbers, health treatment details, check copies, and other financial data required for payroll.

Upon uncovering the breach, Personal Touch sought outside counsel and involved independent forensics professionals to help investigate the incident. The company has also alerted the FBI, the state attorneys general, and the HHS’ Office for Civil Rights. Advanced monitoring and detection software had been implemented as well.

This is Personal Touch subsidiaries’ second ransomware attack after a little over one year. The first attack was in January 2020 when Personal Touch reported the compromise of the PHI of patients of 16 subsidiaries due to a ransomware attack on Crossroads Technologies, its cloud vendor. Personal Touch used Crossroads Technologies’ cloud to host electronic health records. There were 156,400 breached medical records because of that ransomware attack.