The lack of HIPAA cybersecurity training at a New York-based home health company contributed to the company agreeing to pay $350,000 to the New York State Attorney General as part of a wide-ranging settlement that also requires a thorough overhaul of the company's security program and cybersecurity training.
In January 2021, an employee of Personal Touch Holding Corporation (PTHC), a Long Island, NY-based home health company, opened a malware-laced Excel file attached to a phishing email. The malware allowed a remote actor to take control of the employee's unsecured laptop and unprotected email account.
With that foothold, the remote actor was able to escalate privileges and obtain administrator access to five PTHC accounts. Using these accounts, the actor exfiltrated 4,383 files from a file share server containing the Protected Health Information (PHI) of 753,107 individuals, 316,845 of whom were New York residents.
Although the data breach was reported to HHS' Office for Civil Rights, the federal agency took no further action after receiving assurances that additional administrative, technical, and physical safeguards were being implemented to better protect PHI. New York State Attorney General Letitia James was not satisfied and ordered an investigation into the data breach.
The investigation identified a series of security shortcomings in violation of HIPAA and state law, central to which was a lack of HIPAA cybersecurity training. In addition, PTHC's data security program was found to be informal. The program lacked effective access controls (despite a penetration test two years earlier recommending the adoption of two-factor authentication), did not monitor user activity, and allowed staff to access PHI from unsecured personal devices.
Settlement includes a HIPAA Cybersecurity Training Program
Rather than contest the New York State Attorney General's findings, PTHC agreed to settle the alleged violations of HIPAA and state law for $350,000. The settlement also requires PTHC to implement a comprehensive information security program that includes not only technical improvements to its IT security infrastructure but also a HIPAA cybersecurity training program.
The HIPAA cybersecurity training program consists of retraining all existing employees, and training all new employees, on PTHC's revised information privacy and security policies, with refresher training to be provided at least annually. In addition, all members of the workforce will be required to undergo phishing susceptibility testing at least annually; those who fail the test must complete further HIPAA cybersecurity training before retaking it.
When details of the settlement agreement were published, Attorney General James commented: “Health care institutions have a responsibility to safeguard New Yorkers’ wellbeing, but also to protect their confidential and private information. The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality health care. My office will always step up and hold companies responsible if their negligence puts New Yorkers’ private information in jeopardy.”