Ransomware Attack on Home Healthcare Service Provider Affects 753,000 Individuals

753,107 patients of NY-based provider of home health services Personal Touch Holding Corp are being made aware that a breach of their protected health information may have occurred.

On January 27, 2021, Personal Touch was made aware that it had been impacted by a cyberattack that infiltrated its private cloud hosted by its managed service providers. The hackers encrypted the cloud-stored business files of Personal Touch and 29 of its direct and indirect subsidiaries. The group manages approximately thirty Personal Touch Home Care subsidiaries across around 25 U.S. states.

The breach review remains current and it is still not known to what extent individual’s protected health information was impacted; however, there is a chance that the hackers were able to exfiltrate data stored in its private cloud prior to the use of ransomware.

An investigation into the cloud environment found that patient information was compromised including names, addresses, telephone info, dates of birth, Social Security details, financial accounts, including check copies, credit card data, bank account information, medical treatment information, health insurance, health plan benefit numbers, and medical records.

Employee information was also accessed such as identity, contact details, birth dates, Social Security numbers (including dependent and spouse Social Security numbers), driver’s license numbers, passports, birth certificates, background and credit reports, demographic information, usernames and passwords created at the Company, personal email addresses, fingerprints, insurance cards, health and welfare plan benefit information, retirement benefits information, medical treatment information, check copies, and other financial information required for payroll.

After identification of the breach, external counsel and was retained and independent forensics experts were contracted to help with the investigation. The FBI has been made aware, along with state attorneys general and the HHS’ Office for Civil Rights (OCR). Personal Touch said it has now configured advanced monitoring and alerting solutions.

This is the second ransomware attack to impact Personal Touch subsidiaries in less than 12 months. During January 2020, Personal Touch revealed that the protected health information of patients of 16 of its subsidiaries had been impacted in a ransomware attack on its cloud supplier, Crossroads Technologies. Crossroads Technologies hosted the Personal Touch cloud-based electronic health records. 156,400 medical records were impacted in that HIPAA breach.

Author: Maria Perez