Law Firm Fined $200K for Data Breach Caused by Cybersecurity Lapses

The Heidell, Pittoni, Murphy & Bach law firm has agreed to pay $200,000 to the state of New York over data security lapses that led to a data breach in 2021. The breach exposed the private data of nearly 115,000 hospital patients, including over 61,000 New Yorkers, due to the firm's failure to comply with health information privacy and security rules and state law. The breach was caused by the firm's failure to patch a vulnerability in its Microsoft email server, which was exploited by an attacker. According to the lawsuit, Heidell, Pittoni, Murphy & Bach LLP failed to notify affected individuals of the breach until May 16, 2022.

The data breach exposed private information such as names, birth dates, Social Security numbers, and health data. The law firm paid $100,000 to retrieve and delete the data, but there is no proof that it was actually deleted. The firm neither admitted nor denied the allegations in the agreement. Law firms and other legal services providers that hold sensitive and confidential information have been the target of cyberattacks that affect both their own business information and that of their clients.

This event underscores the importance of cybersecurity measures for law firms and other organizations that handle sensitive and confidential information. Neglecting security regulations and failing to apply essential updates can lead to data breaches that cause significant financial and reputational harm. It is critical for companies to establish strong cybersecurity protocols, consistently update their systems and software, and develop incident response plans to minimize the impact of a security breach when one occurs.