New York law firm gets fined $200k for failing to protect health data

A New York law firm has agreed to pay $200,000 in penalties to the state because it failed to protect the private and electronic health information of approximately 114,000 patients.

How did the data theft happen?

Heidell, Pittoni, Murphy and Bach (HPMB) represents New York City area hospitals in litigation and maintains sensitive private information from patients, including dates of birth, social security numbers, health insurance information, medical history, and/or health treatment information.

In November 2021, an attacker was able to exploit a vulnerability in HPMB’s Hybrid Exchange Management Server to gain access to the firm’s systems. In December, the attacker deployed the Lockbit ransomware variant on HPMB’s systems.

Patches for this vulnerability had been released by Microsoft several months earlier, but HPMB had not applied these patches in a timely manner, leaving this vulnerability exposed for potential exploitation.

In December 2021, an attacker deployed malware on HPMB’s systems which resulted in a disruption in the firm’s email system. In its subsequent investigation, HPMB found that tens of thousands of files had been potentially taken from its systems.

According to the findings by the Office of the Attorney General, the firm “paid $100,000 in ransom in exchange for the return and promised deletion of the exfiltrated data but was not provided evidence the data was deleted.”

In May 2022, HPMB began notifying affected consumers whose personal information was compromised during the incident.

Penalties

The Office of the New York Attorney General determined that HPMB had failed to adopt reasonable practices to protect consumers’ personal information in several areas.

HPMB’s data security failures violated not only state law, but also HIPAA. The firm failed to adopt several measures required by HIPAA, which HPMB is covered by due to its business relationship with hospitals and hospital, including conducting regular risk assessments of its systems, encrypting the private information on its servers, and adopting appropriate data minimization practices.

As a result of the agreement, HPMB must pay the state $200,000 in penalties, and adopt measures to better protect the personal and private health information of its clients’ patients going forward, including:

• Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the firm’s leadership;
• Encrypting the private and health information it collects, uses, stores, and maintains;
• Implementing centralized logging and monitoring of network activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged;
• Establishing a reasonable patch management program, including appropriate monitoring of required updates, supervision of the program, and training for employees;
• Developing a penetration testing program that includes regular testing of HPMB’s network security; and,
• Updating its data collection and retention practices, including only collecting data to the minimum extent necessary to perform legitimate business functions and permanently deleting all such data when there is no longer a reasonable business or legal purpose to retain such information.

“Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office,” said New York Attorney General Letitia James.