Ride the Lightning

Breached Law Firm Late in Reporting the Breach

September 13, 2022

SC Magazine reported on September 9 that law firm Warner Norcross & Judge (WNJ) recently informed the Department of Health and Human Services of a Health Insurance Portability and Accountability Act data breach impacting 255,160 individuals. The firm provides employment and immigration services to healthcare entities, including three of the largest hospital systems in Michigan.

On Oct. 22, 2021, WNJ first discovered unauthorized activity on “some of its systems” and took steps to secure the network. A digital forensics firm was engaged to investigate and to perform a “data mining and manual review.”

WNJ found that personal and protected health information was contained in the protected systems, including names, dates of birth, Social Security numbers, driver’s licenses, passports, and government IDs, annual compensation amounts, benefit contribution details, credit or debit card numbers and PINs, financial accounts or routing numbers, and other sensitive data.

The notice gives reasons for the lengthy delay in notifying patients, tying the delay to its data mining to identify impacted information and individuals. However, as the article notes, under HIPAA, covered entities and business associates are required to report within 60 days of discovery, not at the close of an investigation.

WNJ has since “taken steps to help prevent a similar incident from occurring in the future.”

Currently, WNJ has a notice about the breach on its home page at https://www.wnj.com/

I cannot fathom why the firm chose to wait so long to report the breach.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson