Ransomware Attack on NY Medical Billing Firm Impacts Nearly a Million People

We keep hearing about major ransomware attacks and data breaches, but it never feels good when something is hit close to home. Unfortunately, that’s the case as a recent cyberattack hit a New York medical billing company that impacted more than 942,000 people and 26 healthcare organizations.

The NY-based billing company Practice Resources, LLC (PRL) had to reach out to nearly a million users to declare that they suffered a ransomware attack and that customer data may have been involved. 

If you are one of these customers, you have likely already received a letter about it, even if you don’t directly interact with PRL. Since the billing firm works with other healthcare organizations, the attack has a much broader reach.

PRL states that the attack happened on April 12, 2022, and claims they immediately took steps to secure their systems and scrambled to work with third-party cybersecurity experts to mitigate damage and prevent further chaos.

The data that was affected includes patient names, addresses, health plan numbers, medical record numbers, and dates of treatment.

At the time of writing this, at least 26 other healthcare organizations have been confirmed to be affected by the attack, including:

• Achieve Physical Therapy, PC
• CNY Obstetrics and Gynecology, P.C.
• Community Memorial Hospital, Inc
• Crouse Health Hospital, Inc
• Crouse Medical Practice PLLC
• Family Care Medical Group, PC
• Fitness Forum Physical Therapy, PC
• FLH Medical PC
• Greece Dermatological Associates, PC
• Guidone Physical Therapy, PC
• Hamilton Orthopedic Surgery & Sports Medicine
• Helendale Dermatological and Medical Spa, PLLC
• Kudos Medical, PLLC
• Laboratory Alliance of Central New York, LLC
• Liverpool Physical Therapy, PC • Michael J Paciorek, MD PC
• Nephrology Associates of Watertown, PC
• Nephrology Hypertension Associates of CNY, PC
• Orthopedics East, PC
• Salvation Army
• Soldiers & Sailors Memorial Hospital—Physician Practices
• St. Joseph’s Medical • Surgical Care West, PLLC
• Syracuse Endoscopy Associates, LLC
• Syracuse Gastroenterological Associates, PC
• Syracuse Pediatrics
• Tully Physical Therapy
• Upstate Community Medical, PC

Patients of these facilities should have received information advising them what actions to take, and PRL has had to offer resources and credit monitoring for all 942,138 individuals that may have been impacted. When you consider the costs per individual per month for a service like this, and multiply it by nearly a million, you start to see the impact here. We speculate that this ransomware attack could cost those targeted upwards of $25-30 million.

What Can Central NY Businesses Learn from This Cyberattack?

Things escalate quickly when it comes to cybersecurity.

Ransomware attacks are becoming increasingly common. From the perspective of the cybercriminal, they work. They make money. It’s a trusted tactic. It’s like selling popcorn at a movie theater—it’s fairly cheap, easy, and is a decent revenue source.

A 2021 report by CISCO revealed that 50% of all businesses have experienced some form of ransomware. 

Ransomware is a type of malware that quickly locks down all of your files on a device, and typically spreads across your network. It then holds your data at ransom, giving you a limited amount of time to pay to get your data back. The ransom could be anywhere from a couple hundred dollars to hundreds of thousands of dollars, and there is very little you can do to get around an attack unless you have thoroughly prepared for one.

Central NY businesses can’t be resting on their laurels when it comes to cybersecurity. Small businesses throughout Oneonta, Norwich, Cooperstown, Sidney, and the surrounding region might feel like they aren’t at risk, but a ransomware attack doesn’t care if you are a big operation or a small startup. Cybercriminals know most businesses would rather just pay the ransom in the hopes of getting back to normal, and they are banking on it.

The costs associated with these types of attacks are much more than the ransom. As a small business in upstate NY, it’s your responsibility to protect your customer information. The NY SHIELD Act requires business owners to maintain safeguards to protect the security of the customer information they hold. There are breach notification requirements too, that require a business to notify NY residents in the event of a breach, and larger attacks require the employer to submit documentation to the state’s attorney general within 10 days.

Even more significant, is that New York State has broadened the definition of a “breach” meaning it can account for unauthorized access, including that of an unauthorized employee or other entity. The data doesn’t need to be stolen, it just needs to be accessed for it to count as a breach.

Take Cybersecurity Seriously, Central New York!

You don’t want your business to have to go through the huge hassle of a data breach or ransomware attack. Fortunately, the majority of these types of attacks can be prevented by proper security policies, IT security solutions, employee training, and proactive monitoring and maintenance. 

Just having an IT company on call to fix computer issues isn’t going to cut it anymore—your business needs to treat IT security seriously.

We want to help get you there. To learn more, give us a call today at 607.433.2200.