New York Attorney General Settles with Law Firm Over Data Breach

On
March
27,
2023,
New
York
Attorney
General
Letitia
James

announced
that
a
New
York-based
law
firm
(Heidell,
Pittoni,
Murphy
&
Bach
LLP)
had
agreed
to
pay
$200,000
in
penalties
and
enhance
its
cybersecurity
practices
to
settle
charges
stemming
from
a
2021
data
breach. 

The
New
York
AG
alleged
that,
in
November
2021,
the
firm
experienced
a
cybersecurity
incident
in
which
attackers
acquired
the
private
data
of
over
114,000
patients
of
hospitals
who
were
clients
of
the
firm,
including
names,
Social
Security
numbers,
dates
of
birth
and
health
information. The
cause
of
the
breach
was
a
software
vulnerability
for
which
a
patches
had
been
issued,
but
allegedly
not
implemented
by
the
firm. The
AG’s
investigation
determined
that
the
firm
failed
to
take
reasonable
measures
to
protect
consumer
personal
information,
such
as
conducting
risk
assessments
or
implementing
encryption
for
the
data,
in
violation
of
HIPAA
and
New
York
state
law. 

In
addition
to
the
monetary
penalty
and
obligation
to
implement
an
enhanced
information
security
program,
the
settlement
also
requires
the
firm
to
offer
affected
consumers
two
years
of
complimentary
credit
monitoring
and
identity
theft
protection
services
(if
such
services
were
not
already
offered). The
firm
neither
admitted
nor
denied
the
AG’s
allegations
as
part
of
the
settlement.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts