The Lake Success, NY-located home health company, Personal Touch Home Care (PTHC), has begun contacting clients to advise them that a ransomware attack on its Wyomissing, PA-based IT vendor, Crossroads Technologies Inc. may have resulted in a portion of their protected health information compromised.
Crossroads advised PTHC on December 1, 2019 that the ransomware attack impacted its Pennsylvania data center where PTHC’s electronic medical records were held. The ransomware attack stopped patient records from being viewed for a number of days. While the EHR system was offline, staff at PTHC used to emergency protocols and employed pen and paper to record patient data.
The encrypted data has now been restored. It is not known whether Crossroads restored the data from backups or if the ransom was paid and if any other healthcare clients were impacted.
The compromised medical records included patient names, addresses, telephone numbers, dates of birth, medical record information, health insurance card numbers, plan benefit numbers, Social Security numbers, and treatment details.
PTHC is not yet certain in relation to the extent to which PHI was compromised and whether the hackers obtained PHI before the encryption of data. At this point in the investigation, no proof has been found to indicate patient information was stolen before the deployment of the ransomware. Crossroads is still looking into the attack.
The incident was made known to the Department of Health and Human Services’ Office for Civil Rights as 17 separate breach reports, one for each of the offices impacted. The data breaches were reported separately as each office is a different legal entity. Overall, the PHI of 156,409 patients and caregivers across 6 states has been impacted. Affected people have been given the chance to register for complimentary credit monitoring and identity theft protection services.
The following offices were impacted by the attack:
| Breached Entity | State | Individuals Impacted |
| Personal Touch Home Care of VA, Inc. | VA | 33,324 |
| Personal Touch Home Care of W. VA, Inc. | WV | 1,169 |
| Personal Touch Hospice of VA, Inc. | VA | 1,657 |
| Personal Touch Home Care of Mass., Inc. | NY | 2,015 |
| PT Home Services of San Antonio, Inc. | TX | 5,930 |
| Personal Touch Home-Aides, Inc. | NY | 2,633 |
| Personal Touch Home Services of Dallas, Inc. | TX | 1,700 |
| Personal Touch Home Care of S.E. Mass., Inc. | NY | 2,863 |
| Personal Touch Home Aides Inc. | NY | 1,890 |
| Personal Touch Home Care of PA, Inc. | NY | 9,302 |
| Personal Touch Home Care of Ohio, Inc. | NY | 15,808 |
| Personal Touch Home Care of Greater Portsmouth, Inc. | NY | 1,957 |
| Personal Touch Home Aides of Baltimore, Inc. | NY | 804 |
| Personal Touch Home Care of Baltimore, Inc. | NY | 9,058 |
| Personal Touch Home Care of KY, Inc. | KY | 24,013 |
| Personal Touch Home Care of Indiana, Inc. | IN | 3,593 |
| Personal Touch Home Aides of New York, Inc. | NY | 38,693 |
This is the third major business associate ransomware attack to be made known in recent weeks. A ransomware attack was reported by the Albany, NY-based accounting and tax firm BST & Co. CPAs LLC and affected patients of the Community Care Physicians medical network. NRC Health, a supplier of patient survey services and software, also suffered an attack.
