An Amherst medical management company will pay $550,000 in penalties, bolster its data security practices and offer affected consumers free credit monitoring services after "failing to protect New Yorkers' personal information, including health records," New York Attorney General Letitia James said Tuesday.
Professional Business Systems, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp., did not update its software, conduct penetration tests or vulnerability scans after its firewall provider released a new version of its software in January 2019.
As a result, according to the attorney general, a hacker in November 2020 exploited the critical firewall vulnerability and gained access to Practicefirst's systems.
The hacker later deployed ransomware and exfiltrated files containing patients' personal information. Within days, screenshots containing the personal information of 13 consumers were found on the dark web.
Practicefirst's investigation, James' office said, showed that 79,000 files were taken by the attacker. The files contained personal information, including dates of birth, driver's license numbers, social security numbers, diagnoses, medication and financial information for more than 1.2 million patients of Practicefirst clients, including more than 428,000 New Yorkers.
Practicefirst, which did not respond to an email and call seeking comment, processes data for health care providers. The company was established in 1960 as a medical billing specialist firm, but has since grown into a provider of medical billing, coding, credentialing and full-service practice management services to health care organizations in the Northeast.
The attorney general said Practicefirst's data security failures violated state law and the federal Health Insurance Portability and Accountability Act, or HIPAA.
"When a person is seeking medical care, their last concern should be the security of their personal information," James said. "Each and every company charged with maintaining and handling patient data should take their responsibility to protect personal information, particularly health records, seriously."
According to a notice at the top of Practicefirst's website, the company said that upon learning about the hack on Dec. 30, 2020, the firm immediately shut down its systems, changed passwords, alerted law enforcement and retained data security and privacy professionals.
The company said it mailed letters to affected people in June and July of 2021.
Jon Harris can be reached at 716-849-3482 or firstname.lastname@example.org. Follow him on Twitter at @ByJonHarris.