A home healthcare company reported a data breach that impacted over 753,000 of its patients, employees, and former workers. The breach resulted from a ransomware attack on its private cloud, which is hosted by managed service providers. A similar incident happened to the company one and a half years ago.
New York-based Personal Touch Holding Corp. is a home healthcare company that operates about 30 Personal Touch Home Care facilities in different US states.
The healthcare provider “experienced a cybersecurity attack on the private cloud hosted by its managed service providers” on January 27. The company didn’t say who the providers were.
In a breach report filed with the Maine attorney general’s office, PTHC revealed the incident involved ransomware and affected 753,107 individuals.
In a statement on its website, PTHC said the incident compromised business records of the company and its “direct and indirect subsidiaries.”
The leaked patient information included medical record numbers, health plan benefit numbers, names, addresses, telephone numbers, dates of birth, Social Security numbers, and such financial information as check copies, credit card numbers, and bank account information.
According to the company, leaked information of current and former employees may have included names, addresses, telephone numbers, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, birth certificates, background and credit reports, and demographic information.
Other information that might have been compromised includes employee usernames and passwords, email addresses, fingerprints, insurance card and health and welfare plan benefit numbers, retirement benefits information, medical treatment information, and more.
Upon discovery of the breach, PTHC engaged external security experts to begin an investigation.
“While the investigation is still ongoing, and we cannot confirm the extent to which employee and patient data was compromised, we are notifying our community that the breach occurred, in our effort to comply with the applicable state data breach notification laws.”
The company also reported the attack to the FBI and has implemented an “enhanced monitoring and alerting software” service.
The previous incidents took place in January 2020, when PTHC reported 16 breaches on behalf of its subsidiaries, including a ransomware attack on Crossroads Technologies, which hosted PTHC’s cloud-based electronic health records.