Practicefirst Medical Management Solutions and PBS Medcode will pay the state of New York $550,000 after failing to apply a patch for a known vulnerability in a timely manner, leading to a massive data breach impacting over 1.2 million individuals, 428,000 of whom reside in New York.
In addition to the fine, the settlement requires Practicefirst to bolster its data security practices and provide the affected consumers with free credit monitoring services.
Practicefirst provides data processing, billing and coding services for health providers, and it joins Meta, Google, fertility app Premom, EyeMed, and MedEvolve, all of which have faced similar enforcement actions this month.
Ransomware was deployed on Dec. 25, 2020, but only after the threat actor accessed and stole troves of patient and employee files from the Practicefirst network. The company’s investigation found 79,000 files were taken by the hacker, which included patients’ Social Security numbers, driver’s licenses, diagnoses, medications, financial data, and dates of birth.
The reported cyberattack and subsequent data exfiltration against Practicefirst was the 10th-largest healthcare data breach reported in 2021.
Following the breach notice, the New York Office of the Attorney General (OAG) launched an investigation that found the stolen data was not encrypted on Practicefirst’s network.
Though encryption is not strictly required by the Health Insurance Portability and Accountability Act, entities that choose not to encrypt are required to implement comparable protective measures or document why encryption is not “reasonable or appropriate.”
Further, OAG found the hack was enabled by failing to patch a critical vulnerability in its firewall, for which the vendor provided a software update in January 2019 — nearly two years before the attack. Practicefirst also failed to conduct penetration tests, vulnerability scans, or other security testing that would have identified these prevalent security issues.
As a result, a threat actor “exploited the critical firewall vulnerability and successfully gained access to Practicefirst’s systems,” later deploying the ransomware and exfiltrating files that stored patient information. And “days later, screenshots containing personal information of 13 consumers were discovered on the dark web.”
The state’s audit confirmed Practicefirst did not “maintain reasonable data security practices,” including failure to maintain appropriate patch management processes, conduct regular testing of systems, and encrypt the personal data stored on its servers.
“Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously,” said New York Attorney General Letitia James, in a statement.
The state settlement requires Practicefirst to maintain a comprehensive information security program, encrypt private and health data, and implement a patch management solution to ensure timely patches and updates, in addition to employing multi-factor authentication where appropriate, among other effective account management and authentication procedures.
Practicefirst must also develop a vulnerability management program, including routine scanning for security flaws, penetration testing, and effective remediation of identified vulnerabilities.
The settlement also includes a requirement for an update to the company’s data retention program, ensuring “private health information is maintained only to the minimum extent necessary to accomplish legitimate business purposes.”
As SC Media has reported in-depth, healthcare struggles with data retention policies for a host of reasons. Legal and compliance teams, for example, will often take different stances on the retention, as some departments want to keep everything no matter the risk.
It’s the sixth enforcement action in the last week and the second levied by a third regulator, affirming a heightened era of enforcement for companies that fail to maintain adequate security controls. The Federal Trade Commission has also signaled it will tighten its Health Breach Notification Rule and increase scrutiny of biometric data security.