Business Profile

Medical Billing

Practicefirst

This business is NOT BBB Accredited.

Information and Alerts

Service Area

Continental US
  • NY

Important Information

Government Actions

Government Action: BBB reports on known government actions involving a business’s marketplace conduct:
Attorney General James Recoups $550,000 from Erie County Medical Management Company for Failing to Protect Patients’ Data

The following describes a government action that has been resolved by either a settlement or a decision by a court or administrative agency. If the matter is being appealed, it will be noted below.


May 23, 2023

NEW YORK – New York Attorney General Letitia James recouped $550,000 from a medical management company, Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp. (Practicefirst), for failing to protect New Yorkers’ personal information, including health records. Practicefirst’s failure to make a timely software update made their networks susceptible to a cyberattack, which affected more than 1.2 million individuals nationwide, including over 428,000 New Yorkers. Practicefirst’s data security failures violated both state law and the federal Health Insurance Portability and Accountability Act (HIPAA). As a result of today’s agreement, Practicefirst has agreed to pay $550,000 in penalties to New York, strengthen its data security practices, and offer affected consumers free credit monitoring services.


Practicefirst is a medical management company that helps health care organizations with medical billing, coding, credentialing, and other services. In January 2019, Practicefirst’s firewall provider released a new version of its software that was designed to patch a critical vulnerability. Practicefirst failed to update its software and failed to conduct penetration tests, vulnerability scans, or other security testing that would have identified security problems. In November 2020, a hacker exploited the critical firewall vulnerability and successfully gained access to Practicefirst’s systems. The hacker later deployed ransomware and pulled out files containing patients’ personal information. Days later, screenshots containing personal information of 13 consumers were discovered on the dark web.


As a result of today’s agreement, Practicefirst will pay $550,000 in penalties and offer affected consumers free credit monitoring services. In addition, Practicefirst will be required to adopt measures to better protect personal information, including:



  • Maintaining a comprehensive information security program that will be regularly reviewed and updated;
  • Encrypting private and health information;
  • Adopting appropriate account management and authentication procedures, such as multi-factor authentication;
  • Implementing a patch management solution that will ensure security patches and updates are timely installed;
  • Developing a vulnerability management program that includes regular vulnerability scanning and penetration testing as well as appropriate remediation of vulnerabilities revealed by such scanning and testing; and
  • Updating its data collection, retention, and disposal practices to ensure that private health information is maintained only to the minimum extent necessary to accomplish legitimate business purposes.

Affected consumers can access their free credit monitoring services by following the instructions under the “What You Can Do” section on Practicefirst’s website.
