The Attorney General of New York has settled an enforcement action against a revenue cycle management company. Under the settlement, the company will pay $550,000 in fines and penalties after it was accused of failing to protect individuals' personal information, a failure that led to a ransomware attack affecting more than 1.2 million consumers nationwide, 428,000 of them living in New York.
A copy of the Assurance of Discontinuance in the case against Professional Business Systems, doing business as Practicefirst Medical Management Solutions and PBS Medcode, is available here.
The company's troubles began in 2019, when the vendor of the firewall software the company used released an update designed to patch a critical vulnerability that had been uncovered. The company failed to apply the update, and in November 2020 an attacker gained access to the company's systems, installed ransomware, and exfiltrated consumer information. An investigation found that names, dates of birth, Social Security numbers, financial information, and medical information had been compromised. Making matters worse for the company, the data was not encrypted while it was on the company's network.
Along with paying the fine, the company must also take steps to better protect customer information, including:
- Maintaining a comprehensive information security program that will be regularly reviewed and updated;
- Encrypting private and health information;
- Adopting appropriate account management and authentication procedures, such as multi-factor authentication;
- Implementing a patch management solution that will ensure security patches and updates are timely installed;
- Developing a vulnerability management program that includes regular vulnerability scanning and penetration testing as well as appropriate remediation of vulnerabilities revealed by such scanning and testing; and
- Updating its data collection, retention, and disposal practices to ensure that private health information is maintained only to the minimum extent necessary to accomplish legitimate business purposes.