Personal Touch Home Care (PTHC), a home health company based in Lake Success, NY, began informing patients about the latest ransomware attack on Crossroads Technologies Inc., its IT vendor based in Wyomissing, PA, that potentially compromised their protected health information (PHI).
On December 1, 2019, Crossroads advised PTHC that its Pennsylvania data center was attacked by ransomware. That data center hosted PTHC’s electronic medical records. Because of the ransomware attack, patient records were inaccessible for a couple of days. Although the EHR system was not accessible, PTHC employees followed emergency protocols and recorded patient data using pen and paper.
The encrypted information was recovered but it is uncertain if Crossroads retrieved the information using backups or paid the ransom demand. It is also uncertain if other healthcare customers were impacted.
The compromised healthcare records included patient names, addresses, phone numbers, birth dates, medical record numbers, plan benefit numbers, medical insurance card numbers, Social Security numbers, and treatment data.
PTHC is presently not aware of the magnitude of PHI compromise and if the attackers stole PHI before the data encryption. At this point in the investigation, there is no evidence found that indicates the exfiltration of patient data before deploying the ransomware. Crossroads’ investigation of the attack is still in progress.
The breach was reported to the Department of Health and Human Services’ OCR as 17 distinct breach reports, one report for every office impacted because each office is a distinct legal entity. From 6 states, 156,409 patients and caregivers were affected. They received offers of free credit monitoring and identity theft protection services.
The offices affected by the attack were the following:
1. Personal Touch Home Care of VA, Inc. in VA – 33,324 individuals affected
2. Personal Touch Home Care of S.E. Mass., Inc. in NY – 2,863 individuals affected
3. Personal Touch Home Care of W. VA, Inc. in WV – 1,169 individuals affected
4. Personal Touch Hospice of VA, Inc. in VA – 1,657 individuals affected
5. Personal Touch Home Care of Mass., Inc. in NY – 2,015 individuals affected
6. Personal Touch Home-Aides, Inc. in NY – 2,633 individuals affected
7. PT Home Services of San Antonio, Inc. in TX – 5,930 individuals affected
8. Personal Touch Home Services of Dallas, Inc. in TX – 1,700 individuals affected
9. Personal Touch Home Aides Inc. in NY – 1,890 individuals affected
10. Personal Touch Home Care of Ohio, Inc. in NY – 15,808 individuals affected
11. Personal Touch Home Care of PA, Inc. in NY – 9,302 individuals affected
12. Personal Touch Home Aides of Baltimore, Inc. in NY – 804 individuals affected
13. Personal Touch Home Care of Greater Portsmouth, Inc. in NY – 1,957 individuals affected
14. Personal Touch Home Care of Baltimore, Inc. in NY – 9,058 individuals affected
15. Personal Touch Home Care of Indiana, Inc. in IN – 3,593 individuals affected
16. Personal Touch Home Care of KY, Inc. in KY – 24,013 individuals affected
17. Personal Touch Home Aides of New York, Inc. in NY – 38,693 individuals affected
This is the third serious ransomware attack on a business associate that was reported in the last couple of days. The other two were: (1) on accounting and tax company BST & Co. CPAs LLC that impacted patients of the Community Care Physicians medical group; (2) on NRC Health, a patient survey services and software provider, that affected several of its healthcare customers.