A Ransomware Attack Affected Personal Touch Patients and Employees Across U.S.
Over 750.000 Personal Touch Patients and Employees Were Affected by the Ransomware Attack.
Personal Touch Holding Corp., the parent company of Personal Touch Home Care centers across the U.S. started notifying 753,107 patients and employees regarding a ransomware attack that targeted its cloud-stored business records at the beginning of this year.
The data breach that affected 29 subsidiaries of Personal Touch across the U.S. took place between the 20th and the 27th of January, with Lake Success, an N.Y.-based Personal Touch being the first to became aware that a cyberattack targeting the private cloud hosted by its service providers happened.
Personal Touch Holding Corp. (PTHC), the parent company to its direct and indirect subsidiaries, is notifying their current and former employees and patients of a breach that may have affected their personally identifiable information and protected health information.
On January 27, 2021, PTHC discovered that it experienced a cybersecurity attack on the private cloud hosted by its managed service providers. Upon discovery, PTHC retained outside counsel and independent forensic experts to begin an investigation. While the investigation is still ongoing, and we cannot confirm the extent to which employee and patient data was compromised, we are notifying our community that the breach occurred, in our effort to comply with the applicable state data breach notification laws.
At this time, Personal Touch declared that they are not yet able to confirm the extent to which employee and patient data was compromised because of the ransomware attack, but we know that it might include Social Security numbers, financial information, and medical records.
Upon discovering the breach, PTHC retained a team of third-party forensic technical experts to investigate the origins and scope of the breach. PTHC also notified the Federal Bureau of Investigations (“FBI”) of the breach. Pursuant to applicable law, we will be notifying the U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”), and state regulators as required by law.
Personal Touch is now retaining third-party forensic technical experts in an effort to investigate the origins and purpose of the breach, whilst also having notified the FBI and all other regulators required by law.