Fraud Management & Cybercrime , Legislation & Litigation , Ransomware
NY AG Hits Law Firm With $200K Settlement in Health BreachLockBit Attack Exploited Microsoft Exchange Flaw; Firm Also Paid a Ransom
A New York medical malpractice law firm will pay $200,000 and implement data security improvements to settle a HIPAA enforcement action by the state attorney general's office following a 2021 ransomware attack by LockBit.
See Also: 2022 Unit 42 Incident Response Report
The incident affected personal information of nearly 115,000 individuals, including 61,400 New Yorkers.
Under the settlement, Heidell, Pittoni, Murphy & Bach, a law firm that represents New York City area hospitals in medical malpractice lawsuits, will also offer all individuals affected by the data breach two years of credit and identity monitoring.
The law firm obtains protected health information and other private information through litigation over patient claims. "HPMB's data security failures violated not only state law, but also HIPAA, which required HPMB to adhere to certain advanced data security practices," the attorney general's office said in a statement Monday.
In November 2021, an attacker exploited a well-known vulnerability in a Microsoft Exchange email server to gain access to the firm's systems. The computing giant had released patches several months earlier, "but HPMB had not applied these patches in a timely manner, leaving this vulnerability exposed for potential exploitation," the attorney general says.
The attacker deployed LockBit ransomware on or about Christmas Day 2021. The firm hired outside experts to negotiate with ransomware hackers and ultimately paid $100,000 in exchange for the return and promised deletion of exfiltrated data.
Hackers supplied a list of tens of thousands of files they claimed to have exfiltrated - including legal pleadings, patient lists and medical records. Forensics analysis concluded that the files had indeed been stolen.
HPMB's vendor concluded its analysis of the exfiltrated files on May 16, 2022, and the law firm began notifying affected individuals. HPMB reported the breach to the U.S. Department of Health and Human Services on May 16, 2022, as a hacking incident affecting nearly 115,000 individuals.
Patient information compromised in the incident included patient names, birthdates, Social Security numbers, health insurance information, medical history and health treatment information.
The New York attorney general's office says HPMB failed to comply with many requirements of the HIPAA privacy and security rules.
Those failures included not implementing procedures to guard against, detect and report malicious software and not implementing policies and procedures to comply with the "minimum necessary" requirements for storing personal health information, the attorney general said.
Under the settlement, HPMB has agreed to implement a variety of improvements to address the deficiencies identified during the attorney general's investigation.
They include HPMB maintaining a comprehensive information security program, encrypting the private and health information that it handles, implementing centralized logging and monitoring of network activity, and establishing a patch management program.
HPMB in an update to its statement Wednesday about the incident said it does not have evidence to indicate that any personal information has been or will be misused as a result of the 2021 breach.
"HPMB takes the security of sensitive information very seriously. It has taken numerous steps to prevent a similar event from occurring in the future, including security measures, policies, and procedures," the firm said.
HPMB did not immediately respond to Information Security Media Group's request for comment on the settlement.