A Long Island-based healthcare company must pay a $350,000 penalty to New York for failing to protect patient and employee data of more than 300,000 people, New York Attorney General Letitia James said Wednesday.
Personal Touch, with offices in Hauppauge, had “poor data security” that “made it vulnerable to a ransomware attack,” compromising the data of New Yorkers, the AG’s office said in a news release.
“Healthcare institutions have a responsibility to safeguard New Yorkers’ wellbeing, but also to protect their confidential and private information,” James said in the news release.
“The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality healthcare,” James added. “My office will always step up and hold companies responsible if their negligence puts New Yorkers’ private information in jeopardy.”
James also secured $100,000 from Falcon Technologies, an insurance software vendor, for compromising Personal Touch employees’ data, officials said.
The company’s security failures violated both state law and the federal Health Insurance Portability and Accountability Act, which requires covered healthcare entities such as Personal Touch to follow specific data protection practices, according to James.
The AG’s office said the company gave its staff inadequate security training, had poor access controls, lacked a continuous monitoring system, and failed to encrypt personal and medical data.
Personal Touch was notified of a third-party breach that affected its employees’ personal information, including Social Security numbers. Personal Touch had provided this data to its insurance broker, who provided the data to Falcon, an enrollment software vendor. Falcon placed the data on an unsecured site, James said.
Personal Touch did not have any agreements in place with its insurance broker concerning data security standards that applied to personal information not covered by HIPAA. In addition to the $100,000 penalty, Falcon must ensure the use of encryption and proper access controls in handling private information, the AG’s office said.
Personal Touch will be required to enhance its information security program and implement safeguards to better protect its employees’ and patients’ personal and health information, officials said.