Lack of HIPAA Cybersecurity Training Contributes Towards $350,000 Violation Settlement

by | Oct 27, 2023

The lack of HIPAA cybersecurity training at a NY-based home health company has contributed to the company being fined $350,000 by the NY State Attorney General as part of a wide-ranging settlement agreement that includes a thorough overhaul of the company’s security and cybersecurity training measures.

In January 2021, an employee of Personal Touch Holding Corporation (PTHC) – a Long Island, NY-based home health company – opened a malware-infested Excel file attached to a phishing email. The malware allowed a remote actor to take control of the employee’s unsecured laptop and unprotected email account.

With access to the laptop, the remote actor was able to escalate privileges and obtain administrator access to five PTHC accounts. From these accounts the remote actor was able to exfiltrate 4,383 files from a file share server that contained the Protected Health Information (PHI) of 753,107 individuals – of which 316,845 New York Residents.

Although the data breach was notified to HHS’ Office for Civil Rights, the federal agency took no further action following assurances that additional administrative, technical, and security safeguards were being implemented to better protect PHI. New York State Attorney General – Letitia James – was not satisfied and ordered an investigation into the data breach.

The investigation identified a series of security shortcomings in violation of HIPAA and state laws – central to which was a lack of HIPAA cybersecurity training. In addition, PTHC’s data security program was found to be informal. The program lacked effective access controls (despite a pen test two years earlier recommending the adoption of 2FA), did not monitor user activity, and staff were allowed to access PHI from unsecured personal devices.

Settlement includes a HIPAA Cybersecurity Training Program

Rather than contest the NY State Attorney general’s findings, PTHC agreed to settle the alleged violations of HIPAA and state laws for $350,000. The settlement is subject to PTHC implementing a comprehensive information security program which not only includes technical improvements to its IT security infrastructure, but also a HIPAA cybersecurity training program.

The HIPAA cybersecurity training program consist of retraining all existing employees and any new employees on PTHC’s revised information privacy and security policies – with refresher training to be provided at least annually. In addition, all members of the workforce will be required to undergo phishing susceptibility testing at least annually, with those who fail the testing required to undergo further HIPAA cybersecurity training before retaking the test.

When details of the settlement agreement were published, Attorney General James commented: “Health care institutions have a responsibility to safeguard New Yorkers’ wellbeing, but also to protect their confidential and private information. The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality health care. My office will always step up and hold companies responsible if their negligence puts New Yorkers’ private information in jeopardy.”

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy