Attorney General James Recoups $550,000 from Erie County Medical Management Company for Failing to Protect Patients’ Data

Practicefirst’s Weak Cybersecurity Compromised the Personal Information of 1.2 Million Individuals, Including Over 428,000 New Yorkers

NEW YORK – New York Attorney General Letitia James recouped $550,000 from a medical management company, Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp. (Practicefirst), for failing to protect New Yorkers’ personal information, including health records. Practicefirst’s failure to make a timely software update made its networks susceptible to a cyberattack, which affected more than 1.2 million individuals nationwide, including over 428,000 New Yorkers. Practicefirst’s data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA). As a result of today’s agreement, Practicefirst has agreed to pay $550,000 in penalties to New York, strengthen its data security practices, and offer affected consumers free credit monitoring services.

“When a person is seeking medical care, their last concern should be the security of their personal information,” said Attorney General James. “Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable.”

Practicefirst is a medical management company that helps health care organizations with medical billing, coding, credentialing, and other services. In January 2019, Practicefirst’s firewall provider released a new version of its software that was designed to patch a critical vulnerability. Practicefirst failed to update its software and failed to conduct penetration tests, vulnerability scans, or other security testing that would have identified security problems. In November 2020, a hacker exploited the critical firewall vulnerability and successfully gained access to Practicefirst’s systems. The hacker later deployed ransomware and pulled out files containing patients’ personal information. Days later, screenshots containing personal information of 13 consumers were discovered on the dark web.

Practicefirst’s investigation revealed that 79,000 files were taken by the attacker. These files contained personal information, including dates of birth, driver’s license numbers, social security numbers, diagnoses, medication information, and financial information for over 1.2 million patients of Practicefirst clients, including over 428,000 New Yorkers. This information, maintained on Practicefirst’s network, was not encrypted.

The Office of the Attorney General (OAG) determined that Practicefirst failed to maintain reasonable data security practices to protect patients’ private and health information, including by failing to maintain appropriate patch management processes, conduct regular security testing of its systems, and encrypt the personal information on its servers.

As a result of today’s agreement, Practicefirst will pay $550,000 in penalties and offer affected consumers free credit monitoring services. In addition, Practicefirst will be required to adopt measures to better protect personal information, including:

  • Maintaining a comprehensive information security program that will be regularly reviewed and updated;
  • Encrypting private and health information;
  • Adopting appropriate account management and authentication procedures, such as multi-factor authentication;
  • Implementing a patch management solution that will ensure security patches and updates are timely installed;
  • Developing a vulnerability management program that includes regular vulnerability scanning and penetration testing as well as appropriate remediation of vulnerabilities revealed by such scanning and testing; and
  • Updating its data collection, retention, and disposal practices to ensure that private health information is maintained only to the minimum extent necessary to accomplish legitimate business purposes.

Affected consumers can access their free credit monitoring services by following the instructions under the “What You Can Do” section on Practicefirst’s website.

Last month, Attorney General James released a comprehensive data security guide to help businesses and organizations strengthen their cybersecurity measures to protect New Yorkers’ personal information. Today’s agreement continues Attorney General James’ work to hold companies accountable for having poor cybersecurity. In December 2022, Attorney General James secured $200,000 from a student cap and gown producer, Herff Jones, for failing to protect consumers’ personal information. In October 2022, Attorney General James announced a $1.2 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers nationwide. In June 2022, Attorney General James secured $400,000 from Wegmans and required the retailer to improve data storage security after a data breach exposed consumers’ personal information. In March 2022, Attorney General James issued a consumer alert advising T-Mobile customers to take appropriate steps to protect their personal information following a data breach.

This matter was handled by Assistant Attorney General Jina John and Deputy Bureau Chief Clark Russell, with special assistance from Internet and Technology Analyst Nishaant Goswamy, under the supervision of the Bureau of Internet and Technology’s Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.