Heidell, Pittoni, Murphy & Bach, a midsize law firm representing hospitals and hospital networks in litigation, has agreed to pay $200,000 to the state of New York following a data breach that compromised the private data of almost 115,000 hospital patients. The breach, which occurred in 2021, affected over 61,000 New Yorkers, and an investigation found that the law firm had failed to comply with health information privacy and security rules and state law.
The law firm did not admit to or deny the allegations as part of the agreement. However, it did provide an update on the cybersecurity incident in response to a request for comment. The firm stated that it had no evidence to suggest that any personal information had been or would be misused due to the incident. It also claimed that less than one percent of individuals had their Social Security numbers exposed and that the affected data was primarily limited to names and birth dates.
Law firms and other legal services providers that hold sensitive and confidential data have increasingly become targets for cyberattacks involving their clients’ data and business information. Heidell, Pittoni, Murphy & Bach has 85 lawyers in four New York and Connecticut offices and primarily handles medical and products liability defense, healthcare law, civil rights, and general and commercial litigation.
The breach occurred when an attacker exploited vulnerabilities in the law firm’s Microsoft email server, gaining access to its systems and later deploying malware and taking files from the firm’s systems. According to the New York attorney general’s office, the firm had left its server exposed to an attack after failing to apply patches for the vulnerabilities, which Microsoft had released several months prior.
The law firm hired a cybersecurity firm to conduct a forensic investigation and obtained a list of “tens of thousands” of files the attackers claimed to have taken. The files included legal pleadings, patient lists, and medical records the firm held in connection with litigation. The attorney general’s office also stated that the law firm paid a $100,000 ransom in exchange for the return and deletion of the data but was not provided with evidence that the data was deleted.
An analysis revealed that information, including names, birth dates, Social Security numbers, and health data, might have been exposed. The law firm began notifying affected people in May 2022.
This incident highlights the need for law firms and other legal services providers to protect sensitive and confidential data proactively. This includes implementing regular security audits, applying security patches promptly, and providing security awareness training for employees. The consequences of failing to do so can be significant, as demonstrated by the $200,000 settlement that Heidell, Pittoni, Murphy & Bach reached with the state of New York.