Practice Resources, LLC Announces Data Breach Impacting the Information of 924,138 Patients

Console and Associates, P.C.

On August 4, 2022, Practice Resources, LLC confirmed that the company experienced a data breach following a ransomware attack. According to PRL, the breach resulted in the data of 924,138 patients being exposed. The compromised data reportedly includes patients’ names, home addresses, dates of treatment, health plan numbers, and medical record numbers. Recently, PRL sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Practice Resources data breach, please see our recent piece on the topic here.

What We Know About the Practice Resources Data Breach

According to an official notice filed by the company, on April 12, 2022, Practice Resources was the target of a data security incident impacting the security of patient information at a variety of healthcare facilities. Practice Resources provides billing and other related services to healthcare providers. It is in this role that PRL came into the possession of patient data which was ultimately subject to the breach.

While the company does not indicate when it learned of the incident, in subsequent statements, PRL explains that, in response, it secured its systems and then engaged third-party cybersecurity professionals to assist with the company’s investigation.

The company’s investigation confirmed that the incident stemmed from a ransomware attack and that sensitive patient information may have been compromised. Upon discovering that sensitive consumer data was accessible to an unauthorized party, Practice Resources then reviewed the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, home address, dates of treatment, health plan number, and medical record number.

On August 4, 2022, Practice Resources sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. These notices were sent to 942,138 patients of the following facilities:

  • Achieve Physical Therapy, PC

  • CNY Obstetrics and Gynecology, P.C.

  • Community Memorial Hospital, Inc

  • Crouse Health Hospital, Inc

  • Crouse Medical Practice PLLC

  • Family Care Medical Group, PC

  • Fitness Forum Physical Therapy, PC

  • FLH Medical PC

  • Greece Dermatological Associates, PC

  • Guidone Physical Therapy, PC

  • Hamilton Orthopedic Surgery & Sports Medicine

  • Helendale Dermatological and Medical Spa, PLLC

  • Kudos Medical, PLLC

  • Laboratory Alliance of Central New York, LLC

  • Liverpool Physical Therapy, PC

  • Michael J Paciorek, MD PC

  • Nephrology Associates of Watertown, PC

  • Nephrology Hypertension Associates of CNY, PC

  • Orthopedics East, PC

  • Salvation Army

  • Soldiers & Sailors Memorial Hospital—Physician Practices

  • St. Joseph’s Medical

  • Surgical Care West, PLLC

  • Syracuse Endoscopy Associates, LLC

  • Syracuse Gastroenterological Associates, PC

  • Syracuse Pediatrics

  • Tully Physical Therapy

  • Upstate Community Medical, PC

Founded in 1996, Practice Resources, LLC is a business services company based in Syracuse, New York, focusing exclusively on the healthcare industry. The company provides a wide range of services to healthcare providers, including revenue cycle management, information technology, financial services, practice consulting, provider services, remote scribing services, and human resources services. Practice Resources employs more than 191 people and generates approximately $35 million in annual revenue.

Practice Resources: Another Third-Party Data Breach

The Practice Resources, LLC data breach is what is known as a third-party data breach. A term third-party data breach is an incident where the breached company is not the one that received the leaked information from the consumer. Here, Practice Resources provided business services to several healthcare providers and, in this capacity, had access to sensitive patient information. Thus, when Practice Resources’ systems were breached, it impacted patients—most of which were entirely unfamiliar with Practice Resources and the fact that the company was in possession of their information.

Naturally, patients may first look to their own providers for answers, as this is the organization that they provided their information to. However, in these situations, determining which company is liable for a data breach can be complex, and consumers whose information was leaked may not know where to look for answers.

As a general rule, any company that maintains, stores, transmits or receives consumer data has a legal obligation to the consumer, regardless of whether the company that was breached received the information directly from a consumer. In fact, for the most part, it is irrelevant how an organization comes into possession of patient data. Instead, the question is whether the company that was hacked or otherwise leaked the information was negligent.

Turning to the Practice Resources data breach, based on the company’s description of the event, it would appear that, if any organization is liable, it would be Practice Resources. However, because the investigation into the recent breach is still in its infancy, it is too soon to tell if the breach was the result of the company’s negligence.

Generally speaking, a company may be financially responsible for victims’ harms if the victims can prove the following elements:

  • The organization owed the victim a duty of care;

  • The organization breached the duty it owed to the victim;

  • The organization’s negligence caused or contributed to the victim’s harms (i.e., identity theft); and

  • The victim suffered economic or non-economic injury as a result.

While this sounds straightforward, proving these elements can be difficult, especially in a third-party data breach. An experienced data breach lawyer can assist victims of the Practice Resources, LLC data breach in assessing their options and determining whether they may have a legal claim against either company.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising

Written by:

Console and Associates, P.C.

Console and Associates, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide