About

Important information

• Government Actions:

  Government Action: BBB reports on known government actions involving business’ marketplace conduct:

  NY AG Secures $350,000 from Long Island Home Health Care Company for Failing to Protect Patient and Employee Data
  

  The following describes a government action that has been resolved by either a settlement or a decision by a court or administrative agency. If the matter is being appealed, it will be noted below.

  On 10/18/2023, New York Attorney General Letitia James secured $350,000 from a Long Island-based home health care company, Personal Touch Holding Corporation (Personal Touch), for failing to protect vulnerable New Yorkers’ personal information and health care data. Personal Touch’s poor data security made it vulnerable to a ransomware attack that compromised the personal and medical information of approximately 316,845 New Yorkers. Personal Touch’s data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA), which required Personal Touch to adhere to specific data protection practices. As a result of today’s agreement, Personal Touch has agreed to pay $350,000 in penalties to New York, update and improve their cybersecurity infrastructure, and offer free credit monitoring and identity theft services to affected individuals. In addition, Attorney General James secured $100,000 from an insurance software vendor for compromising Personal Touch employees’ data.
  
  Personal Touch is the parent company of subsidiaries that operate Medicare-certified home health, home care, and hospice at home services throughout the country, including in New York City, Westchester, and Long Island. In January 2021, a Personal Touch employee opened a malware-infected file attached to a phishing email that allowed a hacker to gain access to Personal Touch’s network and collect patient and employee records from an unencrypted server. These records dated back decades and included confidential personal and health information, including names, addresses, Social Security numbers, medical treatments, and financial information of thousands of people.
  
  The Office of the Attorney General's (OAG) investigation determined that Personal Touch failed to maintain reasonable data security safeguards to protect patient and employee data. Personal Touch’s information security and risk management program was informal and immature. There was inadequate security training of its staff, poor access controls, a lack of a continuous monitoring system, and a failure to encrypt personal and medical data.During the OAG’s investigation, Personal Touch was notified of a third-party breach that affected its employees’ personal information, including Social Security numbers. Personal Touch had provided this data to its insurance broker, who provided the data to an enrollment software vendor, Falcon Technologies, Inc. (Falcon), which placed the data on an unsecured site. Personal Touch did not have any agreements in place with its insurance broker concerning data security standards that applied to personal information not covered by HIPAA. The OAG secured a separate agreement with Falcon for failing to secure this information. Under the terms of Falcon’s agreement with the OAG, Falcon must pay $100,000 in penalties to New York and ensure the use of encryption and proper access controls in handling private information. 
  
  As a result of today’s agreement, Personal Touch will pay $350,000 in penalties and offer affected consumers free identity theft protection and recovery services. In addition, Personal Touch will be required to enhance its information security program and implement safeguards to better protect its employees’ and patients’ personal and health information, including:
  
  -Maintaining a comprehensive information security program that includes regular risk assessments, regular testing and monitoring of existing safeguards, and regular updates to the information security program;
  -Maintaining reasonable access control and authentication procedures;
  -Encrypting personal and health information;
  -Implementing a continuous logging and monitoring system, anti-malware protections, an intrusion detection and prevention solution, and an email filtering and phishing solution; 
  -Developing a vulnerability management program that includes regular vulnerability scanning and penetration testing;
  -Updating its data collection, retention, and disposal practices to ensure that personal and health information is maintained only to the minimum extent necessary to accomplish legitimate business purposes;
  -Conducting annual employee security training; and
  -Establishing reasonable vendor management procedures. 

  Click here for details