Business Profile for Practicefirst
Additional business information
The following describes a government action that has been resolved by either a settlement or a decision by a court or administrative agency. If the matter is being appealed, it will be noted below.
May 23, 2023
NEW YORK – New York Attorney General Letitia James recouped $550,000 from a medical management company, Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp. (Practicefirst), for failing to protect New Yorkers’ personal information, including health records. Practicefirst’s failure to make a timely software update made their networks susceptible to a cyberattack, which affected more than 1.2 million individuals nationwide, including over 428,000 New Yorkers. Practicefirst’s data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA). As a result of today’s agreement, Practicefirst has agreed to pay $550,000 in penalties to New York, strengthen its data security practices, and offer affected consumers free credit monitoring services.
Practicefirst is a medical management company that helps health care organizations with medical billing, coding, credentialing, and other services. In January 2019, Practicefirst’s firewall provider released a new version of its software that was designed to patch a critical vulnerability. Practicefirst failed to update its software and failed to conduct penetration tests, vulnerability scans, or other security testing that would have identified security problems. In November 2020, a hacker exploited the critical firewall vulnerability and successfully gained access to Practicefirst’s systems. The hacker later deployed ransomware and pulled out files containing patients’ personal information. Days later, screenshots containing personal information of 13 consumers were discovered on the dark web.
As a result of today’s agreement, Practicefirst will pay $550,000 in penalties and offer affected consumers free credit monitoring services. In addition, Practicefirst will be required to adopt measures to better protect personal information, including:
- Maintaining a comprehensive information security program that will be regularly reviewed and updated;
- Encrypting private and health information;
- Adopting appropriate account management and authentication procedures, such as multi-factor authentication;
- Implementing a patch management solution that will ensure security patches and updates are timely installed;
- Developing a vulnerability management program that includes regular vulnerability scanning and penetration testing as well as appropriate remediation of vulnerabilities revealed by such scanning and testing; and
- Updating its data collection, retention, and disposal practices to ensure that private health information is maintained only to the minimum extent necessary to accomplish legitimate business purposes.
Affected consumers can access their free credit monitoring services by following the instructions under the “What You Can Do” section on Practicefirst’s website.
Business Details
- Location of This Business: 275 Northpointe Pkwy Ste 50, Amherst, NY 14228-1895
- BBB File Opened: 4/5/1993
- Years in Business: 64
- Business Started: 1/1/1960
- Business Incorporated: 1/1/1988
- Type of Entity: Corporation
- Business Management: Mr. Thomas Maher, President
- Contact Information
Principal
- Mr. Thomas Maher, President
Customer Contact
- Mr. Thomas Maher, President
- Additional Contact Information
Fax Numbers
- (716) 834-1382 (Primary Fax)
- (716) 639-1382 (Other Fax)
Email Addresses
- Primary
- (716) 834-1382
Customer Complaints
0 Customer Complaints
BBB Business Profiles may not be reproduced for sales or promotional purposes.
BBB Business Profiles are provided solely to assist you in exercising your own best judgment. BBB asks third parties who publish complaints, reviews and/or responses on this website to affirm that the information provided is accurate. However, BBB does not verify the accuracy of information provided by third parties, and does not guarantee the accuracy of any information in Business Profiles.
When considering complaint information, please take into account the company's size and volume of transactions, and understand that the nature of complaints and a firm's responses to them are often more important than the number of complaints.
BBB Business Profiles generally cover a three-year reporting period. BBB Business Profiles are subject to change at any time. If you choose to do business with this business, please let the business know that you contacted BBB for a BBB Business Profile.
As a matter of policy, BBB does not endorse any product, service or business. Businesses are under no obligation to seek BBB accreditation, and some businesses are not accredited because they have not sought BBB accreditation.