Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Law Firm Heidell Pittoni Fined $200K by New York AG for Poor Security

March 29, 2023

Legal IT Insider reported on March 27 that New York Attorney General Letitia James announced that she has secured $200,000 from New York/Connecticut law firm, Heidell, Pittoni, Murphy & Bach LLP (HPMB) for a 2021 data breach that compromised the private information of approximately 114,000 patients, including over 60,000 New Yorkers.

HPMB represents New York City area hospitals and maintains sensitive private information from patients, including dates of birth, social security numbers, health insurance information, medical history, and/or health treatment information.

James said that HPMB’s data security failures violated not only state law, but also HIPAA, which required HPMB to adhere to certain advanced data security practices. As a result of the agreement, HPMB must pay $200,000 in penalties to the state and strengthen its cybersecurity measures to protect consumers’ personal and private health information.

Attorney General James said:  “The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”

In November 2021, an attacker was able to exploit a vulnerability in HPMB’s Microsoft Exchange email server to gain access to HPMB’s systems. Patches for this vulnerability had been released by Microsoft several months earlier, but HPMB had not applied these patches in a timely manner, leaving this vulnerability exposed for potential exploitation. In December 2021, an attacker deployed malware on HPMB’s systems which resulted in a disruption in HPMB’s email system.

In its subsequent investigation, HPMB found that tens of thousands of files had been potentially taken from HPMB’s systems. An analysis of these files determined that electronic health information and/or private information — including names, dates of birth, social security numbers, and/or health data — of 114,979 individuals, including 61,438 New York residents, had likely been exposed because of the attack.

In May 2022, HPMB began notifying affected consumers whose personal information was compromised during the incident. The Office of the Attorney General determined that HPMB had failed to adopt reasonable practices to protect consumers’ personal information in several areas. HPMB failed to adopt several measures required by HIPAA, which HPMB is covered by due to its business relationship with hospitals, including conducting regular risk assessments of its systems, encrypting the private information on its servers and adopting appropriate data minimization practices.

The result of the March 27 agreement is that HPMB must pay the state $200,000 in penalties and adopt measures to better protect the personal and private health information of its clients’ patients going forward, including:

  • Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the firm’s leadership;
  • Encrypting the private and health information it collects, uses, stores, and maintains.
  • Implementing centralized logging and monitoring of network activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged.
  • Establishing a reasonable patch management program, including appropriate monitoring of required updates, supervision of the program, and training for employees.
  • Developing a penetration testing program that includes regular testing of HPMB’s network security.
  • Updating its data collection and retention practices, including only collecting data to the minimum extent necessary to perform legitimate business functions and permanently deleting all such data when there is no longer a reasonable business or legal purpose to retain such information.

The above measures certainly suggest the reasonable efforts that law firms should take to prevent the compromise of client data, especially medical data.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson