Personal Touch Holding Corporation, a New York-based home health organization, has recently decided to settle a class action lawsuit regarding a data breach.
The Big Picture
Personal Touch, a parent company of subsidiaries that operate Medicare-certified home health operations, including home care and hospice services, faced a data breach back in January of 2021.
Now, after a lengthy class action case, Personal Touch has received preliminary approval to move forward with a settlement. The settlement allows impacted individuals to submit claims of up to $7,500.
Unfortunately for Personal Touch, this isn’t the first lawsuit they faced following the data breach; in October of 2023, New York Attorney General Letitia James announced a $350,000 settlement, stating that Personal Touch had failed to protect patient and employee data.
Outside of the 2021 breach, Personal Touch faced a smaller breach in 2019, when their IT vendor, Crossroads Technologies was hit by a ransomware attack. Nearly 156,400 records were encrypted and eventually recovered.
How It Started
Personal Touch, which operates approximately 30 home care subsidiaries across the United States, discovered a large data breach on January 27th, 2021.
This breach, the largest the company faced, involved approximately 753,107 patients. The company discovered their private cloud, hosted by a third-party managed service provider, was attacked. Malicious actors were able to encrypt business records of Personal Touch and 29 of its subsidiaries.
Compromised information included names, addresses, telephone numbers, dates of birth, Social Security numbers, medical treatment information, health insurance information, and financial information, such as credit card numbers and bank account information.
Since the massive data breach, a class action lawsuit, Everetts v. Personal Touch Holding Corp. was filed in the U.S. District Court for the Eastern District of New York.
The plaintiff alleged that Personal Touch could have prevented the attack if the organization had implemented reasonable and appropriate cybersecurity measures.
Everetts v. Personal Touch is the second successful lawsuit filed regarding the incident. New York Attorney General Letitia James settled with Personal Touch for $350,000. That lawsuit noted that the breach had impacted approximately 316,845 New York Residents. Many other individuals were impacted outside of New York state.
The New York lawsuit argued that Personal Touch had poor security, which made it vulnerable to a ransomware attack. It further alleged that the security failures violated HIPAA. Aside from the monetary penalty, Personal Touch agreed to improve its cybersecurity infrastructure and offer free credit monitoring and identity theft services to impacted individuals.
Breach Details
In the Attorney General’s lawsuit, the plaintiff explained the Office’s official findings from their investigation.
The attack started with a phishing email; on January 20th, 2021, a Personal Touch employee opened a malicious Microsoft Excel file. Upon opening the file, software was embedded into the employee’s laptop and account.
Once the malware was embedded, the malicious actor was able to escalate privileges, ultimately obtaining domain administrator credentials that allowed the actor to navigate across the Personal Touch Network. In the process, five employee accounts were compromised.
Soon after, on January 27th, the actor used the administrator credentials to collect files from a file share containing both patient and employee information. None of this data was encrypted for security by Personal Touch.
The data was exfiltrated and the actor then deployed ransomware, encrypting 35 Personal Touch servers.
Personal Touch had two anti-virus products in use, Microsoft Windows Defender and Symantec Endpoint Protection. Both of these products detected and blocked tools used by the actor, but they did not log data to a central server, so no one was aware that the attack was occurring.
The breach was ultimately discovered by the managed service provider, who determined that the systems were unavailable and discovered a ransomware note.
In response, Personal Touch shut down all systems and worked to restore or replace impacted computers. The organization filed a notice to patients on March 24th, 2021. While systems were restored, Personal Touch did not share if they ever communicated with the ransomware organization.
The Newest Information
The settlement in the Everetts v. Personal Touch Holding Corp. class action suit is now available online.
Under the agreement, Personal Touch does not admit to any wrongdoing. Impacted individuals can submit a claim of up to $7,500 for reimbursement of documented expenses related to the breach, including lost time.
Individuals who were notified about the breach but did not have personally identifiable information or protected health information exposed are eligible to claim up to $125 for expenses related to the breach.
For individuals who had personally identifiable information or protected health information impacted, they will also be offered two years of Identity Defense Total Service. Unlike the Attorney General lawsuit, these offerings will be available to any impacted individual regardless of residence.
What the Experts Said
At the time of the New York settlement, Attorney General James said, “The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have high-quality health care.”
Personal Touch has not released a statement beyond their initial notice of the data breach.
How Cloudticity can help
The data breach is a reminder of what can happen when simple, yet vital security best practices are not enabled. While the breach began erroneously, it could’ve been prevented or stopped had basic security protocols been configured, like encryption, MFA, or identity and access management.
Ransomware breaches are skyrocketing, and so are the associated costs. Between 2020 and 2023, the cost associated with a data breach increased by 53%, rising to an average of $11 million per breach.
While these attacks can be devastating, they don’t have to be successful. Cloudticity has managed HIPAA workloads in the cloud for over 12 years, and we’ve never had a breach.
If you want to learn more about our ransomware solutions, reach out for a free consultation today.