
$550,000 recouped from Erie County medical management company


BUFFALO, N.Y. — The New York Attorney General's office has announced that $550,000 has been recouped from a medical management company for failing to protect users' personal information, including health records.

Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp. (Practicefirst) did not update their software in a timely manner, which made them susceptible to a cyberattack, according to the Attorney General's Office. This compromised information for people across the country and more than 428,000 New Yorkers.  

“When a person is seeking medical care, their last concern should be the security of their personal information,” said Attorney General Letitia James in a release. 

“Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable.”

The company's firewall provider issued an update in January of 2019, which Practicefirst failed to install. Furthermore, the company failed to conduct penetration tests, vulnerability scans, or other security testing that would have caught the problem. 

Around 79,000 files were exposed that contained personal information, such as birthdays, driver's license numbers, social security numbers, diagnoses, medication information, and financial information, from more than 1.2 million patients. This information was not encrypted.

Practicefirst will pay $550,000 in penalties and offer credit monitoring services to those who were affected by the breach. The company will also have to adopt the following measures to keep data safe in the future:

  • Maintaining a comprehensive information security program that will be regularly reviewed and updated;
  • Encrypting private and health information;
  • Adopting appropriate account management and authentication procedures, such as multi-factor authentication;
  • Implementing a patch management solution that will ensure security patches and updates are timely installed;
  • Developing a vulnerability management program that includes regular vulnerability scanning and penetration testing as well as appropriate remediation of vulnerabilities revealed by such scanning and testing; and
  • Updating its data collection, retention, and disposal practices to ensure that private health information is maintained only to the minimum extent necessary to accomplish legitimate business purposes.
