Cyber Incident Victim: Practice Resources

On April 12, 2022, New York-based medical billing and practice management company Practice Resources, LLC (PRL) experienced a ransomware attack that disrupted operations and compromised sensitive data. PRL immediately secured its systems following the attack and engaged third-party cybersecurity experts to assist with containment and investigation. The incident impacted 26 healthcare organization clients affiliated with PRL, exposing personal and health information of 942,138 individuals. Compromised data included names, addresses, health plan numbers, treatment dates, and medical record numbers. PRL initiated breach notifications through the California Attorney General’s Office, though the exact notification timeline was not specified in the disclosure. The company emphasized its confidential handling of sensitive information and proactive security measures in its public notice.

The attack affected healthcare providers across multiple specialties and regions, including Achieve Physical Therapy, Community Memorial Hospital, Crouse Health Hospital, Syracuse Pediatrics, and Upstate Community Medical among others. PRL implemented immediate cybersecurity enhancements following the incident and announced plans for additional security upgrades. As remediation, the company offered credit monitoring services to affected individuals. No ransomware group was identified in the disclosure, and PRL did not specify whether data was exfiltrated or encrypted. The incident caused operational disruptions for the impacted healthcare clients, though the notice did not detail the duration or specific clinical consequences. PRL’s response focused on system restoration, forensic investigation, and regulatory compliance through patient notifications coordinated with the affected healthcare organizations.