Attorney General James Secures $350,000 from Long Island Home Health Care Company for Failing to Protect Patient and Employee Data
Personal Touch’s Data Breach Compromised the Personal and Medical Data of More Than 300,000 New Yorkers
AG James Secured Additional $100,000 from Insurance Software Vendor for Compromising Personal Touch Employees’ Data
NEW YORK – New York Attorney General Letitia James today secured $350,000 from a Long Island-based home health care company, Personal Touch Holding Corporation (Personal Touch), for failing to protect vulnerable New Yorkers’ personal information and health care data. Personal Touch’s poor data security made it vulnerable to a ransomware attack that compromised the personal and medical information of approximately 316,845 New Yorkers. Personal Touch’s data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA), which required Personal Touch to adhere to specific data protection practices. As a result of today’s agreement, Personal Touch has agreed to pay $350,000 in penalties to New York, update and improve its cybersecurity infrastructure, and offer free credit monitoring and identity theft services to affected individuals. In addition, Attorney General James secured $100,000 from an insurance software vendor for compromising Personal Touch employees’ data.
“Health care institutions have a responsibility to safeguard New Yorkers’ wellbeing, but also to protect their confidential and private information,” said Attorney General James. “The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality health care. My office will always step up and hold companies responsible if their negligence puts New Yorkers’ private information in jeopardy.”
Personal Touch is the parent company of subsidiaries that operate Medicare-certified home health, home care, and hospice at home services throughout the country, including in New York City, Westchester, and Long Island. In January 2021, a Personal Touch employee opened a malware-infected file attached to a phishing email that allowed a hacker to gain access to Personal Touch’s network and collect patient and employee records from an unencrypted server. These records dated back decades and included confidential personal and health information, including names, addresses, Social Security numbers, medical treatments, and financial information of thousands of people.
The Office of the Attorney General’s (OAG) investigation determined that Personal Touch failed to maintain reasonable data security safeguards to protect patient and employee data. Personal Touch’s information security and risk management program was informal and immature. There was inadequate security training of its staff, poor access controls, a lack of a continuous monitoring system, and a failure to encrypt personal and medical data.
During the OAG’s investigation, Personal Touch was notified of a third-party breach that affected its employees’ personal information, including Social Security numbers. Personal Touch had provided this data to its insurance broker, who provided the data to an enrollment software vendor, Falcon Technologies, Inc. (Falcon), which placed the data on an unsecured site. Personal Touch did not have any agreements in place with its insurance broker concerning data security standards that applied to personal information not covered by HIPAA. The OAG secured a separate agreement with Falcon for failing to secure this information. Under the terms of Falcon’s agreement with the OAG, Falcon must pay $100,000 in penalties to New York and ensure the use of encryption and proper access controls in handling private information.
As a result of today’s agreement, Personal Touch will pay $350,000 in penalties and offer affected consumers free identity theft protection and recovery services. In addition, Personal Touch will be required to enhance its information security program and implement safeguards to better protect its employees’ and patients’ personal and health information, including:
- Maintaining a comprehensive information security program that includes regular risk assessments, regular testing and monitoring of existing safeguards, and regular updates to the information security program;
- Maintaining reasonable access control and authentication procedures;
- Encrypting personal and health information;
- Implementing a continuous logging and monitoring system, anti-malware protections, an intrusion detection and prevention solution, and an email filtering and phishing solution;
- Developing a vulnerability management program that includes regular vulnerability scanning and penetration testing;
- Updating its data collection, retention, and disposal practices to ensure that personal and health information is maintained only to the minimum extent necessary to accomplish legitimate business purposes;
- Conducting annual employee security training; and
- Establishing reasonable vendor management procedures.
Today’s agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for their poor data security practices. Last week, Attorney General James and a multistate coalition secured $49.5 million from a cloud company, Blackbaud, over a massive data breach that impacted thousands of nonprofits. In September, Attorney General James reached an agreement with Marymount Manhattan College to invest $3.5 million to protect students’ online data. This past May, Attorney General James secured $300,000 from Sports Warehouse for failing to protect the data of 2.5 million customers. Also in May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In December 2022, Attorney General James secured $200,000 from student cap and gown producer Herff Jones for failing to protect consumers’ personal information. In October 2022, Attorney General James announced a $1.9 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers. In June 2022, Attorney General James secured $400,000 from Wegmans and required the retailer to improve data storage security after a data breach exposed consumers’ personal information. In March 2022, Attorney General James issued a consumer alert advising T-Mobile customers to take appropriate steps to protect their personal information following a data breach.
This matter was handled by Assistant Attorneys General Hanna Baek and Jina John, with special assistance from former Internet and Technology Analyst Joe Graham, under the supervision of Deputy Bureau Chief Clark Russell and Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.