The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

NY AG Fines Medical Management Company $550,000 for Patch Management Failures

A medical management company has been fined $550,000 by the New York Attorney General for failing to prevent a cyberattack that exposed the personal and protected health information of 1.2 million individuals, including 428,000 New Yorkers.

Professional Business Systems Inc, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp, had its systems hacked in November 2020. The threat actor exfiltrated sensitive data from its systems and then deployed ransomware to encrypt files. As proof of data theft and to pressure Practicefirst into paying the ransom, files were uploaded to the threat actor’s dark web data leak site. The leaked data included screenshots of 13 patients’ protected health information. Practicefirst’s investigation confirmed the threat actor exfiltrated approximately 79,000 files from its systems, which contained names, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, medication information, and financial information.

The investigation conducted by the Office of the New York Attorney General determined that the hacker gained initial access to Practicefirst’s systems by exploiting a critical vulnerability in its firewall. The firewall provider released an updated version of the firewall software in January 2019, but Practicefirst failed to apply the update. Practicefirst did not conduct penetration tests or vulnerability scans, or perform other security tests that would have highlighted the vulnerability before it was exploited. The protected health information stored on its systems was also not encrypted. The New York Attorney General determined that these failures violated state law and the federal Health Insurance Portability and Accountability Act (HIPAA).

Practicefirst agreed to settle the alleged violations of HIPAA and state law. In addition to the financial penalty, Practicefirst has agreed to strengthen its data security practices and will offer affected individuals complimentary credit monitoring services. The data security measures agreed upon as part of the settlement include the development, implementation, and maintenance of a comprehensive information security program, encryption for health information stored on its systems, implementation of a patch management system with timely patching of vulnerabilities, regular vulnerability scans and penetration tests, and updates to its data collection, retention, and disposal practices.


“When a person is seeking medical care, their last concern should be the security of their personal information,” said Attorney General Letitia James. “Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
