156,400 People Have PHI Breached in Personal Touch Home Care Patients Ransomware Attack

The Lake Success, NY-located home health company, Personal Touch Home Care (PTHC), has begun contacting to advise them that a ransomware attack on its Wyomissing, PA-based IT vendor, Crossroads Technologies Inc. may have resulted in a portion of their protected health information compromised.

Crossroads advised PTHC on December 1, 2019 that the ransomware attack impacted its Pennsylvania data center where PTHC’s electronic medical records were held. The ransomware attack stopped patient records from being viewed for a number of days. While the EHR system was offline, staff at PTHC used to emergency protocols and employed pen and paper to record patient data.

The encrypted data has now been rescued. It is not known whether Crossroads restored the data from backups or if the ransom was paid and if any other healthcare clients were impacted.

The compromised medical records included patient names, addresses, telephone numbers, dates of birth, medical record information, health insurance card numbers, plan benefit numbers, Social Security numbers, and treatment details.

PTHC is not yet certain in relation to the extent to which PHI was compromised and whether the hackers obtained PHI before to the encryption of data. At this point in the investigation, no proof has been found to indicate patient information was stolen before the deployment of the ransomware. Crossroads is still looking into the attack.

The incident was made known to the Department of Health and Human Services’ Office for Civil Rights as 17 separate breach reports, one for each of the offices impacted. The data breaches were reported separately as each office is a different legal entity. Overall, the PHI of 156,409 patients and caregivers across 6 states has been impacted. Affected people have been given the chance to avail of complimentary credit monitoring and identity theft protection services.

The following offices were impacted by the attack:

Breached Entity State Individuals Impacted
Personal Touch Home Care of VA, Inc. VA 33,324
Personal Touch Home Care of W. VA, Inc. WV 1,169
Personal Touch Hospice of VA, Inc. VA 1,657
Personal Touch Home Care of Mass., Inc. NY 2,015
PT Home Services of San Antonio, Inc. TX 5,930
Personal Touch Home-Aides, Inc. NY 2,633
Personal Touch Home Services of Dallas, Inc. TX 1,700
Personal Touch Home Care of S.E. Mass., Inc. NY 2,863
Personal Touch Home Aides Inc. NY 1,890
Personal Touch Home Care of PA, Inc. NY 9,302
Personal Touch Home Care of Ohio, Inc. NY 15,808
Personal Touch Home Care of Greater Portsmouth, Inc. NY 1,957
Personal Touch Home Aides of Baltimore, Inc. NY 804
Personal Touch Home Care of Baltimore, Inc. NY 9,058
Personal Touch Home Care of KY, Inc. KY 24,013
Personal Touch Home Care of Indiana, Inc. IN 3,593
Personal Touch Home Aides of New York, Inc. NY 38,693

This is the third major business associate ransomware attack to be made known in recent weeks. A ransomware attack that was focused on the Albany, NY-based accounting and tax firm BST & Co. CPAs LLC affected patients of the Community Care Physicians medical network, and NRC Health, a supplier of patient survey services and software, suffered an attack.