New York Attorney General Takes Action Against Law Firm Following Data Breach
Following an investigation of the New York/Connecticut law firm of Heidell, Pittoni, Murphy & Bach (the “Heidell firm”), on March 27, 2023 the New York Attorney General’s Office (“NY AG”) announced a settlement in the form of an Assurance of Discontinuance with the firm stemming from a data breach in 2021. According to the Assurance of Discontinuance, which contains the results of the NY AG’s investigation and the relief agreed to by the NY AG and the Heidell firm, the firm has agreed to pay a $200,000 penalty and to maintain a comprehensive information security program under the supervision of the NY AG’s office.
The NY AG reported a number of details based on its investigation, which the Heidell firm neither admitted nor denied. Specifically, the NY AG reported that, prior to the breach, the Heidell firm stored private information from hospital patients in its role as counsel to New York City area hospitals. The information allegedly included names, dates of birth, Social Security numbers, health data, and biometric data. An estimated 115,000 individuals were affected, although the most sensitive information reportedly related to a small subset of those individuals.
The NY AG found that the incident began in November 2021 when the attacker exploited a vulnerability in the firm’s email server to gain access to Heidell’s network. The firm allegedly had not applied a Microsoft security patch for that server which had been available for several months. According to the NY AG, in December 2021 the attacker deployed malware which disrupted the firm’s email system, leading the firm to take defensive steps, but not before thousands of files containing patients’ private information, including electronic protected health information (“ePHI”), were accessed and/or exfiltrated by the threat actor. According to the Assurance of Discontinuance, the firm paid $100,000 to the attacker in exchange for the return of the exfiltrated data and a promise to delete it. Such a promise cannot be verified, and the payment did not relieve the firm of its notification obligations: based upon a review of the exfiltrated files, the firm began notifying impacted individuals in May 2022.
The NY AG’s office commenced its investigation of potential violations under both New York state privacy law [i] and the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). [ii] Regarding the latter, the NY AG concluded that the firm qualified as a HIPAA Business Associate [iii], thus requiring it to comply with the federal standards for the privacy and security of ePHI, namely the HIPAA Privacy Rule and HIPAA Security Rule. [iv] The NY AG listed no fewer than seventeen specific failures of the firm under HIPAA and two New York law violations, which the firm neither admitted nor denied in its settlement with the NY AG. The investigation concluded with the Heidell firm’s acceptance of a $200,000 penalty and its agreement to maintain a comprehensive information security program, including specific information security requirements, to mitigate the risk of future breaches. The firm agreed to implement detailed internal reporting requirements, obtain a comprehensive assessment of its network by a third-party assessor after one year, and provide a detailed report of the assessment to the NY AG. The program is to continue for five additional years, with subsequent reports to be provided to the NY AG upon its request.
This settlement, along with comments by New York Attorney General Letitia James, makes it clear that entities which maintain sensitive data, including law firms, are under the eye of regulators: “Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”
The additional security measures the Heidell firm must undertake pursuant to its settlement with the NY AG may provide useful guidance for other firms seeking to mitigate data breach risks, including:
· Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the firm’s leadership;
· Encrypting private information (and, if applicable, health information) collected, used, stored, and maintained;
· Implementing centralized logging and monitoring of network activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged;
· Establishing a reasonable patch management program, including appropriate monitoring of required updates (with particular attention to internet-facing systems such as the email server exploited in this incident), supervision of the program, and training for employees;
· Developing a penetration testing program that includes regular testing of the firm’s network security; and,
· Updating data collection and retention practices, including only collecting data to the minimum extent necessary to perform legitimate business functions and permanently deleting all such data when there is no longer a reasonable business or legal purpose to retain such information.
The risks of government enforcement proceedings and private-party litigation stemming from data breaches should reinforce for law firms the importance of frequently assessing and refining their information security programs and of being vigilant in ensuring those programs are implemented and followed with diligence. For attorneys “whose legal services to a health plan involve access to protected health information,” the NY AG’s action against the Heidell firm is a reminder that law firms can be considered “Business Associates” under the HIPAA rules and thus subject to HIPAA’s stringent requirements and to legal liability for HIPAA violations.
Actions such as this one by the NY AG may have important implications for law firms and their insurers. Please reach out to us if you would like to discuss.
[i] N.Y. Executive Law § 63(12) and N.Y. General Business Law §§ 899-aa (Notification; Person Without Valid Authorization Has Acquired Private Information) and 899-bb (Data Security Protections).
[ii] Pub. L. No. 104-191, 110 Stat. 1936, as amended by the Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5, 123 Stat. 226.
[iii] 45 C.F.R. § 160.103.
[iv] 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A, C, and E.