Home health provider Personal Touch to pay $350,000 in data breach settlement
Personal Touch Holding Corp. had an “informal and immature” approach to securing data, New York Attorney General Letitia James said in a news release. Credit: Bloomberg/Jeenah Moon
A Lake Success-based home health care company reached a $350,000 settlement with the state after failing to protect the health care data of more than 316,800 New Yorkers, the state attorney general said Wednesday.
Personal Touch Holding Corp., which provides home health care and hospice services through subsidiary companies, had an “informal and immature” approach to securing data, New York Attorney General Letitia James’ office said in a news release.
A hacker accessed Personal Touch's network when an employee opened a file containing malware in 2021. The hacker collected 4,380 files from a server that contained Social Security numbers, medical treatments and other personal information on current and former patients and staff, according to a copy of the company’s agreement with the attorney general. The breach may have impacted more than 753,100 people, including about 316,800 New Yorkers, the agreement said.
“The security failures by Personal Touch caused undue stress and financial problems for New Yorkers who simply wanted to have access to high-quality health care,” James said in a statement. “My office will always step up and hold companies responsible if their negligence puts New Yorkers’ private information in jeopardy.”
Personal Touch shut down its systems, replaced affected computers and notified patients and employees, according to the agreement.
Then in 2022, a former Personal Touch employee googled him- or herself and discovered a spreadsheet full of Personal Touch employee data, the agreement said. Personal Touch’s insurance broker had shared information on more than 2,500 staff members and their dependents with Falcon Technologies Inc., an enrollment software firm, that placed the data on an unsecured site, James said. The spreadsheet has since been removed.
“We take the security of information entrusted with us seriously,” said Ronald J. Spielberger, vice president, general counsel and chief compliance officer at Personal Touch. “We are pleased to resolve this matter and will continue to work to serve our patients.”
As part of the settlement, Personal Touch will pay $350,000 to the state and provide identity theft protection and recovery services to any impacted patients and personnel. The firm will also enhance its data security program.
Falcon Technologies, which is based in Pennsylvania, will pay $100,000 in penalties to New York under a separate agreement, James said.
“A file was accidentally put in an insecure place, and it was removed when we were notified," said Falcon Technologies president Jordan Nadel. "Nobody was harmed, and we paid a fine for it."
Sarina Trangle covers affordability and cost of living issues and other business topics. She previously worked as an editor and reporter at amNewYork.
