NY AG Reaches $350K Settlement With Home Healthcare Company Over Data Breach

October 24, 2023 - New York Attorney General Letitia James announced a $350,000 settlement with Personal Touch Holding Corporation, a Long Island-based home healthcare company, to resolve allegations stemming from a data breach. Personal Touch will also be required to offer free identity theft protection services to impacted individuals and enhance its information security program.

Personal Touch suffered a ransomware attack in January 2021, resulting in a data breach that impacted more than 316,000 New Yorkers. The New York Attorney General’s Office alleged that Personal Touch’s data security failures resulted in the attack and violated state law and HIPAA in the process.

The breach occurred when a Personal Touch employee opened a malware-infected file hidden in a phishing email. Unauthorized actors were able to gain access to the Personal Touch network and acquire patient and employee records from an unencrypted server.

The records spanned decades and contained names, addresses, financial information, Social Security numbers, and medical information pertaining to thousands of individuals.

The New York Attorney General’s Office launched an investigation and found Personal Toch’s information security and risk management program to be “informal and immature.”

“There was inadequate security training of its staff, poor access controls, a lack of a continuous monitoring system, and a failure to encrypt personal and medical data,” the press release noted.

What’s more, Personal Touch was notified of a third-party data breach during the Attorney General’s investigation. The breach impacted employee information, including Social Security numbers. Personal Touch had provided this data to its insurance broker, who then sent the data to Falcon Technologies, an enrollment software vendor, which maintained the data on an unsecured site.

“Personal Touch did not have any agreements in place with its insurance broker concerning data security standards that applied to personal information not covered by HIPAA,” the investigation determined.

The New York Attorney General’s Office was able to settle on a separate agreement with Falcon Technologies for failing to secure this data. Falcon is required to pay $100,000 in penalties and take action to ensure the use of encryption and proper access controls in the future.

Under the settlement with Personal Touch, the company is also required to develop a vulnerability management program, update its data retention, collection, and disposal practices, and establish vendor management procedures.

“Health care institutions have a responsibility to safeguard New Yorkers’ wellbeing, but also to protect their confidential and private information,” said Attorney General James.

“The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality health care. My office will always step up and hold companies responsible if their negligence puts New Yorkers’ private information in jeopardy.”

Attorney General James has taken other actions to crack down on the mishandling of health data. In March 2023, James’ office announced a $200,000 settlement with law firm Heidell, Pittoni, Murphy, & Bach LLP (HPMB) for failing to implement proper healthcare data security measures.

In May 2023, James fined practice management vendor Practicefirst $550,000 to resolve data security failures stemming from a 2020 data breach.