Personal Touch, Crossroads PHI Ransomware Attack Class Action

Personal Touch Holding Corporation, a holding company for home health care entities, stores patient information, including Protected Health Information (PHI) and personally identifiable information (PII), in the cloud with Crossroads Technologies, Inc. Unfortunately, Crossroads was subjected to a ransomware attack in late 2019 which encrypted its files. The complaint for this class action alleges that the two companies failed to properly safeguard information, causing disruptions in treatment and the exposure of confidential information as a result of the attack.

The class for this action is all persons who used Personal Touch’s services and whose private information was kept on Crossroads’ cloud-based electronic health records system that was compromised in the ransomware attack and who were sent notice of the data breach.

Crossroads stored Personal Touch’s records in an electronic medical records system at its data center in Wyomissing, Pennsylvania. The complaint says, “At some time prior to December 1, 2019, ransomware was deployed on Defendant Crossroads’ hosted electronic medical records system which resulted in widespread file encryption of files…”

The compromised records included names and addresses, dates of birth, medical record information, health insurance card numbers, plan benefit numbers, Social Security numbers, and information on treatments. The information pertained to more than 150,000 patients.

Crossroads told Personal Touch about the attack on December 1. Letters were mailed to the affected patients starting January 28, 2020.

As a result of the attack, patients’ records were not available for several day, disrupting the patients’ medical care and treatment. During this time, the complaint says, “staff at Personal Touch were forced to use emergency protocols and employed pen and paper to record patient data.

The complaint says, “Indeed, ransomware attacks, such as the one experienced by Defendant Crossroads, have become so notorious that the Federal Bureau of Investigation (‘FBI’) and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack.” It quotes a report as saying, “Entities like smaller municipalities and hospitals are attractive to ransomware criminals … because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”

The complaint alleges a number of failures on the part of Personal Touch and Crossroads, among them the following:

  • Failing to maintain adequate security against data breaches or cyberattacks.
  • Failing to properly monitor their systems for intrusions.
  • Failing to ensure that vendors with access to information have adequate security.
  • Failing to ensure compliance with HIPAA security standards.
  • Failing to properly encrypt the electronic PHI.
  • The counts in the complaint include negligence, breaches of contract, breach of physician-patient confidentiality, and violations of consumer protection laws, among other things.
Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Personal Touch, Crossroads PHI Ransomware Attack Complaint

April 22, 2020

Personal Touch Holding Corporation, a holding company for home health care entities, stores patient information, including Protected Health Information (PHI) and personally identifiable information (PII), in the cloud with Crossroads Technologies, Inc. Unfortunately, Crossroads was subjected to a ransomware attack in late 2019 which encrypted its files. The complaint for this class action alleges that the two companies failed to properly safeguard information, causing disruptions in treatment and the exposure of confidential information as a result of the attack.

Personal Touch, Crossroads PHI Ransomware Attack Complaint

Case Event History

Personal Touch, Crossroads PHI Ransomware Attack Complaint

April 22, 2020

Personal Touch Holding Corporation, a holding company for home health care entities, stores patient information, including Protected Health Information (PHI) and personally identifiable information (PII), in the cloud with Crossroads Technologies, Inc. Unfortunately, Crossroads was subjected to a ransomware attack in late 2019 which encrypted its files. The complaint for this class action alleges that the two companies failed to properly safeguard information, causing disruptions in treatment and the exposure of confidential information as a result of the attack.

Personal Touch, Crossroads PHI Ransomware Attack Complaint
Tags: Exposing Private Information, Exposure to cyber crime, Ransomware Attack, Stolen Medical Information, Your Privacy