Update:
- Personal Touch agreed to pay $350,000 for failing to protect the personal and health care information of 316,845 New Yorkers.
- The company will also update and improve its cybersecurity infrastructure and offer free credit monitoring and identity theft services to affected individuals, Letitia James, New York’s attorney general, says in a statement.
- James also secured $100,000 from an insurance software vendor for compromising Personal Touch employees’ data.
- “Health care institutions have a responsibility to safeguard New Yorkers’ wellbeing, but also to protect their confidential and private information,” James says in the statement. “The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality health care.”
(March 12, 2020)
A former patient says that home health provider Personal Touch failed to protect patients and customers from a ransomware attack on their computerized records.
The hospital ransomware class action lawsuit was filed by plaintiff Lugenia Booker, who says that her personal information was included in the computer records of Personal Touch Holding Corp. Personal Touch runs a group of subsidiaries nationwide that provide home health care services in a range of states. Co-defendant Crossroads Technologies manages Personal Touch’s sensitive information in cloud-based computer storage, the complaint says.
Booker says that at some point before Dec. 1, a third party deployed a type of malware known as a locker to block access to Personal Touch records that were stored in Crossroads’ system. A locker is a type of ransomware that locks the victim out of their computer system, rendering the system useless. She says the hackers sought to compel Personal Touch or Crossroads to pay to have access to their information returned. Crossroads informed Personal Touch about the attack on Dec. 1, Booker says.
She says the ransomware attack locked up patient records for multiple days. Allegedly, this impacted patients by disrupting their medical care and treatment plans — according to Booker, Personal Touch had to use emergency protocols to continue operations, and recorded patient information on paper.
She notes that Personal Touch collects a large amount of patient information in the course of their work, including name, address, phone number, email address, birthday, Social Security number, information relating to individual medical history, medical record information, insurance information, and information about treatment.
According to the complaint, Personal Touch owed it to patients to maintain the security of their health information, to follow the privacy practices set forth by the organization, and to inform customers of that policy. Additionally, Personal Touch allegedly has promised to not share patient information other than what is described in the privacy notice without the written consent of a patient, and to notify patients if a data breach has occurred that could compromise their information.
Booker asserts that both Crossroads and Personal Touch should have taken more effective steps to prevent the attack. She alleges the companies should have been aware that there have been a notable increase in attacks and data breaches in the healthcare industry before this same kind of attack was launched against Crossroads and Personal Touch.
Booker goes on to note that the Federal Bureau of Investigation and the U.S. Secret Service have issued warnings to businesses who might be vulnerable to attacks. The agencies note that “[e]ntities like smaller municipalities and hospitals are attractive to ransomware criminals … because they often have lesser IT defensive and a high incentive to regain access to their data quickly.”
She further claims that Personal Touch and Crossroads failed to apply necessary security updates to their systems, and that they have insufficient policies for dealing with ransomware emails and malware.
She argues she was injured by the attack because it prevented her from seeking medical care and accessing medical records. Additionally, she asserts that this attack has put her at an increased risk for fraud and identity theft, because her personal information was exposed.
Booker seeks to represent both herself and all other similarly affected patients whose information was involved in the Personal Touch ransomware attack.
The Personal Touch Ransomware Class Action Lawsuit is Case No. 1:20-cv-00583-CCC, in the U.S. District Court for the Middle District of Pennsylvania, Reading Division.
(March 02, 2020)
Personal Touch Home Care is reportedly being affected by a ransomware attack through its vendor Crossroads Technologies.
On Dec. 1, 2019, Crossroads Technologies reportedly informed Personal Touch Home Care that they had been the victim of a ransomware phishing attack. Because Personal Touch used Crossroads’ cloud based electronic health record systems, their customers reportedly had their information compromised by the attack.
A variety of information was potentially compromised in the Crossroads ransomware attack. This information reportedly includes names, addresses, telephone numbers, dates of birth, Social Security numbers, insurance information, and medical treatment information. Information for both patients and caregivers may have been exposed.
“We value your privacy and deeply regret that this incident occurred. We value you as a patient and appreciate the trust you place in Personal Touch Home Care,” the company’s data breach notice to consumers states. “Please know that we remain committed to your privacy.”
Patients and caregivers with Personal Touch are encouraged to be vigilant of their credit health in the wake of the ransomware attack.
The first warning signs of identity theft could appear on a credit report, which consumers can receive for free once a year from each of the main credit bureaus: Equifax, TransUnion, and Experian. In some states, consumers are able to put a security freeze on their credit report, making it more difficult for new accounts to be opened. This can be done by individually contacting each of the credit bureaus and requesting a freeze. There is no charge associated with these freezes.
Ransomware attack: Overview
According to the Cybersecurity and Infrastructure Security Agency (CISA), ransomware attacks include malware which denies access to an essential computer system or data. Ransomware perpetrators deny organizations, such as hospitals or healthcare systems, access to their essential information until they agree to pay a ransom – usually in Bitcoin. In 2019, a Kentucky health center paid $70,000 to regain access to patient records.
Unfortunately, paying a ransom doesn’t guarantee that a company will be able to recover their files or database. Recovery can reportedly be a “difficult” process that requires the services of specialists, and additional costs.
Hospitals and healthcare systems are becoming increasingly targeted by ransomware attacks. According to Cathie Brown, VP of Professional Services at privacy and security consultant Clearwater, healthcare companies “must be more vigilant than ever.” In fact, According to the U.S. Department of Health & Human Services (HHS), there has been an average of 4,000 ransomware attacks daily since 2016.
“Vendor risk management must be a priority for 2020 and beyond,” Brown states. “Cloud options offer great opportunities and efficiencies, but security must be managed over the life of the contract.”
In order to protect against the risk of ransomware attacks, the CISA recommends that individuals update their software and operating systems, avoid clicking on links or attachments in suspicious emails, backup data regularly, and follow safe internet browsing practices. Organizations are encouraged to follow similar guidelines in addition to restricting user permissions, whitelist approved programs, and prevent phishing emails.
Unfortunately, not all organizations follow these guidelines. Like with other data breaches, a ransomware attack may spark legal liability if organizations were negligent in failing to prevent ransomware attacks. An experienced ransomware attorney may be able determine your eligibility to recover compensation and other benefits in the face of potential identity theft.
Don’t Miss Out!
Check out our list of Class Action Lawsuits and Class Action Settlements you may qualify to join!
Read About More Class Action Lawsuits & Class Action Settlements:
One thought on Personal Touch to pay $350,000 to resolve data breach claims
Ok