Preferred Home Care of New York’s 2021 potential REvil ransomware breach affects 92,000 persons, results in potential $1 million+ class action settlement

(Image source: Preferred Home Care of New York, 2022)

One-sentence summary:

Preferred Home Care of New York’s 2021 potential encounter with the infamous REvil ransomware group resulted in 92,283 data breach victims with an associated class-action lawsuit that recently settled for a $1 million capped settlement.

Who was involved?

AssistCare Home Health Services LLC, dba Preferred Home Care of New York, potentially REvil ransomware group, and 92,000+ persons (including patients and caregivers)

What was the timeline?

January 8, 2021: REvil allegedly gains access to Preferred Home Care of New York’s information systems.

January 9, 2021: Preferred Home Care of New York detects the intruder.

January 10, 2021: Attack ends

March 10, 2021: Data breach direct notification begins of affected parties.

Approx. March 16, 2021: Preferred Home Care of New York uploads “privacy incident” to their website (Preferred Home Care of New York, 2021).

May 14, 2021: Class-action lawsuit is filed against Preferred Home Care of New York.

November 3, 2022: Settlement is reached regarding class-action lawsuit.

What occurred?

REvil ransomware group allegedly breached Preferred Home Care of New York and briefly accessed the sensitive information of over 92,283 persons (Preferred Home Care of New York, 2021; HIPAA Journal, 2023; HackNotice, 2021; HIPAA Journal, 2021). No specific details of how the breach was conducted could be found. REvil appears to have posted leak samples online but has not been acknowledged by the home care agency as the threat actor (HackNotice, 2021). Breached data included: “name, contact and demographic information such as address, email, phone number, and date of birth; financial information such as bank account number; Social Security number; Medicaid number; and medical information, such as dates of service, incidents involving the patient’s care, and records of any complaints regarding the
patient’s services as well as information related to health assessments, physicals, drug screens,
vaccinations and TB tests, and FMLA and worker’s compensation claims” (Preferred Home Care of New York, 2021). A lawsuit ensued and recently settled, allowing a minimum of $400 compensation per victim (Simmons, et al. v. AssistCare Home Health Services LLC d/b/a Preferred Home Care of New York/Preferred Gold, 2021; HIPAA Journal, 2023, para. 3).

Estimated costs:

Engagement of a “leading computer forensics firm” (Preferred Home Care of New York, 2021, para. 2). Breach notification and identity and credit monitoring costs. 7-day/week breach notification hotline. Litigation defense. Potential $1 million+ class-action settlement (Simmons, et al. v. AssistCare Home Health Services LLC d/b/a Preferred Home Care of New York/Preferred Gold, 2023, pp. 13-14). HIPAA Journal reported that “the total value of the settlement was not disclosed,” however, an initial cap is available in official court documents on assistcaredatasettlement.com (HIPAA Journal, 2023, para. 3). Thank you to the law firms involved for revealing this information!

Involved laws:

Federal: the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45, HIPAA, HITECH

State: N.Y. Gen. Bus. Law § 349(a), et seq., § 899-aa(2)

Root cause:

TBA or N/A (see disclaimer)

Lessons learned:

TBA or N/A (see disclaimer)

Sources:

HackNotice. (2021, January 26). HackNotice: Preferred Home Care hack. Retrieved March 4, 2023, from https://app.hacknotice.com/

HIPAA Journal. (2021, April 15). Ransomware Gangs Claim Three More Healthcare Victims. Retrieved March 4, 2023, from https://www.hipaajournal.com/ransomware-gangs-claim-three-more-healthcare-victims/

HIPAA Journal. (2023, March 3). Settlement Reached in Preferred Home Care Data Breach Lawsuit. Retrieved March 4, 2023, from https://www.hipaajournal.com/settlement-reached-in-preferred-home-care-data-breach-lawsuit/

Preferred Home Care of New York. (2021). Notice of a Data Security Incident. In Preferred Home Care of New York. preferredhcny.com. Retrieved March 4, 2023, from https://preferredhcny.com/wp-content/uploads/2021/03/Web-notice.pdf

Simmons, et al. v. AssistCare Home Health Services LLC d/b/a Preferred Home Care of New York/Preferred Gold, 2021 N.Y. Slip Op. 32966 (N.Y. Sup. Ct. 2021). https://www.assistcaredatasettlement.com/wp-content/uploads/2023/02/Class-Action-Complaint.pdf

Simmons, et al. v. AssistCare Home Health Services LLC d/b/a Preferred Home Care of New York/Preferred Gold, 2021 N.Y. Slip Op. 32966 (N.Y. Sup. Ct. 2023). https://www.assistcaredatasettlement.com/wp-content/uploads/2023/02/Settlement-Agreement.pdf

About Post Author

Kyler Kent CISSP

I am a Threat Hunting and Intelligence Specialist and am a progressive, aspiring cyber leader. I am currently based in Dallas, with a holistic and multidisciplinary background. I am a lifelong learner– constantly seeking education and training opportunities. I maintain several cybersecurity and IT certifications. I also maintain two Texas DPS private security licenses. Finally, I have a master’s degree from Georgetown University’s SCS Cybersecurity Risk Management program. https://linktr.ee/kentprotect.com Corrections: [email protected]

http://kylerkent.com