NY AG Fines Practice Management Firm $550K in 2020 Breach
Practicefirst Failed to Patch Critical Firewall Flaw That Led to Breach, AG Says
A practice management software vendor has agreed to pay a $550,000 fine and implement a comprehensive data security program to settle an enforcement action by New York state regulators in the aftermath of a 2020 ransomware attack that affected 1.2 million individuals nationwide, including 428,000 New Yorkers.
Amherst, New York-based Professional Business Systems Inc., which does business as Practicefirst Medical Management Solutions, in January 2019 failed to apply a software update from its firewall provider to patch a critical vulnerability, said New York Attorney General Letitia James in a statement Tuesday.
The unpatched firewall left Practicefirst's networks susceptible to a November 2020 hack that led to the deployment of ransomware and the exfiltration of patient data, including birthdates, driver's license numbers, Social Security numbers, diagnoses, medication information and financial information, the statement said. Screenshots containing the personal information of 13 individuals were also found posted on the dark web.
In addition to failing to maintain a timely patch management process, the company also failed to conduct regular security testing of its systems and to encrypt the personal information on its servers, violating both state laws and federal HIPAA regulations, the attorney general's investigation into the Practicefirst incident determined.
Under the agreement with state regulators, Practicefirst must maintain a comprehensive information security program that includes data encryption, multifactor authentication, timely patch management, vulnerability scanning and penetration testing, and updating its data collection, retention and disposal practices.
The settlement also calls for Practicefirst to offer two years of credit and identity monitoring to all individuals affected by the breach.
Practicefirst did not immediately respond to Information Security Media Group's request for comment on the settlement.
In February 2022, the U.S. District Court for the Western District of New York recommended the dismissal of a class action lawsuit filed against Practicefirst, saying the plaintiffs' risk of identity theft or other injury was too "speculative" and not imminent (see: Court Recommends Dismissal of Practicefirst Breach Lawsuit).
The New York attorney general's action against Practicefirst follows several recent similar settlements by other state attorneys general in health data breaches involving HIPAA and other violations.
Last week, the attorneys general of four states - New Jersey, Florida, Pennsylvania and Oregon - levied a $2.5 million fine on vision care provider EyeMed to settle an investigation into a 2020 email phishing incident that exposed the personal data of 2.1 million individuals in the United States (see: 4 State AGs Punch EyeMed with $25M Fine for 2020 Breach).