Getty Images/iStockphoto

NY AG Fines Practicefirst $550K For Failure to Protect Health Records

Practice management vendor Practicefirst suffered a data breach in 2020 that impacted 1.2 million individuals and potentially exposed health records and other personal information.

New York Attorney General Letitia James fined practice management vendor Practicefirst $550,000 to resolve data security failures stemming from a 2020 data breach that impacted 1.2 million individuals.

As previously reported, New York-based Practicefirst suffered a data breach in November 2020 when a hacker exploited a critical firewall vulnerability and later deployed ransomware. The hacker successfully copied files from Practicefirst’s system that contained patient and employee information, including dates of birth, driver’s license numbers, social security numbers, diagnoses, medication information, and financial information.

“Days later, screenshots containing personal information of 13 consumers were discovered on the dark web,” the New York Attorney General’s Office stated. What’s more, the information was not encrypted.

“The Office of the Attorney General (OAG) determined that Practicefirst failed to maintain reasonable data security practices to protect patients’ private and health information, including by failing to maintain appropriate patch management processes, conduct regular security testing of its systems, and encrypt the personal information on its servers,” the notice continued.

Practicefirst will have to pay $550,000 in penalties and offer credit monitoring services to impacted consumers free of charge. In addition, the company will be required to implement a variety of measures to improve its security practices, including encrypting health information and adopting appropriate authentication procedures.

Practicefirst must implement a patch management solution, maintain and regularly update a comprehensive information security program, develop a vulnerability management program, and update its data collection, retention, and disposal practices.

“When a person is seeking medical care, their last concern should be the security of their personal information,” said James.

“Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously. New Yorkers can trust that when companies fail at their duty, my office will step in to hold them accountable.”

Next Steps

Dig Deeper on Cybersecurity strategies