NEW YORK – New York State Attorney General Letitia James has recovered $550,000 from medical management firm Professional Business Systems, Inc. (Practicefirst) for failing to protect patients’ personal information, including health records. Practicefirst’s failure to update its software in a timely fashion left its network vulnerable to a cyberattack that affected more than 1.2 million people nationwide, including more than 428,000 New Yorkers. The Office of the Attorney General found that Practicefirst’s data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA). Under today’s agreement, Practicefirst agreed to pay the state of New York a $550,000 penalty, strengthen its data security practices, and provide free credit monitoring services to affected consumers.
“When people seek medical care, their last concern should be the security of their personal information,” said Attorney General James. “All companies responsible for maintaining and handling patient data must take their responsibility to protect personal information, especially health records, seriously. My office can be trusted to intervene and hold them accountable.”
Practicefirst is a medical administration company that assists medical institutions with services such as medical billing, coding, and certification. In January 2019, Practicefirst’s firewall provider released a new version of its software designed to patch critical vulnerabilities. Practicefirst failed to install the update, and also failed to conduct penetration tests, vulnerability scans, and other security tests that could have identified the issue. In November 2020, attackers gained access to Practicefirst’s systems by exploiting the unpatched critical firewall vulnerability. They then deployed ransomware and took files containing patients’ personal information. A few days later, screenshots containing the personal information of 13 consumers were found on the dark web.
Practicefirst’s investigation revealed that the attackers stole 79,000 files. These files contained personal information, including birth dates, driver license numbers, Social Security numbers, diagnoses, medication information, and financial information, for more than 1.2 million patients of Practicefirst’s customers, including more than 428,000 New Yorkers. This information was stored unencrypted on Practicefirst’s network.
The Office of the Attorney General (OAG) found that Practicefirst’s failure to maintain a proper patch management process, to conduct regular security testing of its systems, and to encrypt personal information, among other lapses, led to the theft of patients’ personal and health information. The OAG determined that Practicefirst had failed to maintain reasonable data security practices to protect the personal and health information held on its servers.
Under today’s agreement, Practicefirst will pay a $550,000 penalty and provide free credit monitoring services to affected consumers. In addition, Practicefirst must adopt the following measures to better protect personal information:
- Maintain a comprehensive information security program that is regularly reviewed and updated.
- Encrypt personal and health information.
- Employ proper account management and authentication procedures such as multi-factor authentication.
- Implement a patch management solution that ensures security patches and updates are installed in a timely manner.
- Develop a vulnerability management program that includes regular vulnerability scans and penetration tests, and appropriate remediation of vulnerabilities revealed by such scans and tests; and
- Update data collection, storage and disposal practices to ensure that personal health information is maintained only to the minimum extent necessary to achieve legitimate business purposes.
Affected consumers can access the free credit monitoring service by following the instructions in the What You Can Do section of Practicefirst’s website.
Attorney General James last month released a comprehensive data security guide to help businesses and organizations strengthen their cybersecurity measures to protect New Yorkers’ personal information. Today’s agreement continues Attorney General James’ efforts to hold companies accountable for poor cybersecurity. In December 2022, Attorney General James secured $200,000 from Herff Jones, a maker of school caps and gowns, for failing to protect consumers’ personal information. In October 2022, Attorney General James announced a $1.2 million agreement with SHEIN and Zoetop for failing to adequately address a data breach that compromised the personal information of millions of consumers nationwide. In June 2022, Attorney General James secured $400,000 from Wegmans and required Wegmans to improve the security of its data storage after a data breach exposed consumers’ personal information. In March 2022, Attorney General James issued a consumer alert advising T-Mobile customers to take appropriate steps to protect their personal information following a data breach.
This matter was handled by Assistant Attorney General Gina Jung and Deputy Bureau Chief Clark Russell, under the supervision of Bureau of Internet and Technology Chief Kim Berger, with special assistance from Internet and Technology Analyst Nishant Goswamy. The Bureau of Internet and Technology is part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.