Personal Touch Holding Corp. suffered a data breach affecting 753,000 patients, employees, and ex-workers due to a cloud service ransomware attack. It is the second attack in 15 months affecting the same service.
Personal Touch Home Care owns and operates roughly 30 offices throughout the country. On January 27, the company reported a cyberattack on their private cloud managed by its service provider. However, it is unclear as to which cloud vendor they are using.
Per regulations, Personal Touch Home Care filed 16 breach reports to the Department of Health and Human Services in six states, including one for Wyomissing, Pennsylvania-based Crossroads Technologies, that houses the company’s healthcare records and electronic cloud-based services.
What Information Was Breached?
The health care provider posted a message on its website stating that the data breach included private cloud-based records of “direct and indirect subsidiaries.”
Reports claim that patient information was exposed that includes medical record numbers, full names, home addresses, phone numbers, dates of birth, social security numbers, financial information including copies of checks, credit card numbers, bank account details, and health plan benefits and IDs. This puts these patients at severe risk of identity theft and bank takeover.
Along with patient data, employee information was also breached that includes their names, addresses, phone numbers, birthdates, social security numbers, dependent information (social security numbers), spouses’ information also including social security numbers, employees’ passport details, driver’s license numbers, birth certificates, credit reports and more.
Unfortunately, the damage does not stop there. According to InfoRisk Today, “Also potentially compromised were employee usernames and passwords, personal email addresses, fingerprints, insurance card, and health and welfare plan benefit numbers, retirement benefits information, medical treatment information, check copies and other financial information necessary for payroll.”
What Did PTHC Do About It?
As soon as the incident was discovered, Personal Touch Home Care (PTHC) contacted legal representation along with independent forensic experts to investigate the matter.
PTHC commented in their report.
“While the investigation is still ongoing, and we cannot confirm the extent to which employee and patient data was compromised, we are notifying our community that the breach occurred, in our effort to comply with the applicable state data breach notification laws,”
Officials also confirmed that the company contacted the FBI about the incident and has implemented new monitoring and security software to help prevent further attacks.
The Larger Picture
Over the past year, healthcare providers have become a significant target for threat actors. The reason why is they are often easy targets due to less secure infrastructure and reliance on third-party vendors and cloud services. That begs the question, how do healthcare organizations protect themselves?
Healthcare companies can protect themselves by becoming very familiar with third-party vendor services and their security measures. Vet new vendors thoroughly and ask pointed questions about security, privacy, and access. If you are storing your private information on their servers, you have the right to know how well it will be protected.
Set up periodic audits to verify the data’s integrity and access logs. Hire outside experts to perform penetration testing to ensure that where your data is stored cannot be accessed from outside your own network. Verify security certificates, and require frequent updates about security measures, updates in software, and any changes to the services provided.
If you cannot trust your third-party vendors, then consider migrating your data to an in-house server with on-site access only, to protect the privacy and security of patient, employee, and affiliate’s information. Avoiding further data breaches is well worth the initial cost of implementing better, more secure systems.