How Much Does Failing to Install a Patch Cost? $550,000

The feds have upped the game and are going after companies that get breached that do not have effective cybersecurity programs.

In this case, practice management software vendor Professional Business Systems, Inc.

The company, who does business under the name Practicefirst Medical Management Solutions failed to install a firewall patch in January 2019. That failure left the company vulnerable to a breach in November 2020 – almost two years later. That breach lead to ransomware and the exfiltration of patient data.

Among the data stolen was birthdates, driver’s license number, social security numbers, diagnoses, medication information and financial information.

In addition to failing to patch their firewall, the also failed to conduct regular risk assessments.

Those failures cost them a half million bucks.

From one perspective, their failure to install a software patch exposed the fact that they were not doing other things.

BUT, if they had installed that patch and were no longer vulnerable to this attack, they likely would not have been breached and would not have to pay a half million dollars to the state.

That is only the beginning.

In addition to paying a $550,000 fine, they also have to maintain a comprehensive information security program, encrypt data, implement multifactor authentication, implement an effective patch management program, conduct regular vulnerability scanning and penetration testing and update its data collection, retention and disposal practices. They also have to provide two years of free credit monitoring to the million people affected.

This settlement follows other settlements from other state AGs – $2.5 million from Eyemed, for example.

So it appears that not installing a patch can be pretty expensive.

Need help building your cybersecurity program – contact us.

Credit: Data Breach Today

by