Update:
- Personal Touch agreed to pay $350,000 for failing to protect the personal and health care information of 316,845 New Yorkers.
- The company will also update and improve its cybersecurity infrastructure and offer free credit monitoring and identity theft services to affected individuals, Letitia James, New York’s attorney general, says in a statement.
- James also secured $100,000 from an insurance software vendor for compromising Personal Touch employees’ data.
- “Health care institutions have a responsibility to safeguard New Yorkers’ wellbeing, but also to protect their confidential and private information,” James says in the statement. “The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality health care.”
(March 12, 2020)
A former patient says that home health provider Personal Touch failed to protect patients and customers from a ransomware attack on their computerized records.
The hospital ransomware class action lawsuit was filed by plaintiff Lugenia Booker, who says that her personal information was included in the computer records of Personal Touch Holding Corp. Personal Touch runs a group of subsidiaries nationwide that provide home health care services in a range of states. Co-defendant Crossroads Technologies manages Personal Touch’s sensitive information in cloud-based computer storage, the complaint says.
Booker says that at some point before Dec. 1, a third party deployed a type of malware known as a locker to block access to Personal Touch records that were stored in Crossroads’ system. A locker is a type of ransomware that locks the victim out of their computer system, rendering the system useless. She says the hackers sought to compel Personal Touch or Crossroads to pay to have access to their information returned. Crossroads informed Personal Touch about the attack on Dec. 1, Booker says.
She says the ransomware attack locked up patient records for multiple days. Allegedly, this impacted patients by disrupting their medical care and treatment plans — according to Booker, Personal Touch had to use emergency protocols to continue operations, and recorded patient information on paper.
She notes that Personal Touch collects a large amount of patient information in the course of their work, including name, address, phone number, email address, birthday, Social Security number, information relating to individual medical history, medical record information, insurance information, and information about treatment.
According to the complaint, Personal Touch owed it to patients to maintain the security of their health information, to follow the privacy practices set forth by the organization, and to inform customers of that policy. Additionally, Personal Touch allegedly has promised to not share patient information other than what is described in the privacy notice without the written consent of a patient, and to notify patients if a data breach has occurred that could compromise their information.
Booker asserts that both Crossroads and Personal Touch should have taken more effective steps to prevent the attack. She alleges the companies should have been aware that there have been a notable increase in attacks and data breaches in the healthcare industry before this same kind of attack was launched against Crossroads and Personal Touch.
Booker goes on to note that the Federal Bureau of Investigation and the U.S. Secret Service have issued warnings to businesses who might be vulnerable to attacks. The agencies note that “[e]ntities like smaller municipalities and hospitals are attractive to ransomware criminals … because they often have lesser IT defensive and a high incentive to regain access to their data quickly.”
She further claims that Personal Touch and Crossroads failed to apply necessary security updates to their systems, and that they have insufficient policies for dealing with ransomware emails and malware.
She argues she was injured by the attack because it prevented her from seeking medical care and accessing medical records. Additionally, she asserts that this attack has put her at an increased risk for fraud and identity theft, because her personal information was exposed.
Booker seeks to represent both herself and all other similarly affected patients whose information was involved in the Personal Touch ransomware attack.
The Personal Touch Ransomware Class Action Lawsuit is Case No. 1:20-cv-00583-CCC, in the U.S. District Court for the Middle District of Pennsylvania, Reading Division.
Don’t Miss Out!
Check out our list of Class Action Lawsuits and Class Action Settlements you may qualify to join!
Read About More Class Action Lawsuits & Class Action Settlements:
