On March 27, 2023, New York Attorney General Letitia James announced that a New York-based law firm (Heidell, Pittoni, Murphy & Bach LLP) had agreed to pay $200,000 in penalties and enhance its cybersecurity practices to settle charges stemming from a 2021 data breach.
The New York AG alleged that, in November 2021, the firm experienced a cybersecurity incident in which attackers acquired the private data of over 114,000 patients of hospitals that were clients of the firm, including names, Social Security numbers, dates of birth and health information. The cause of the breach was a software vulnerability for which a patch had been issued but allegedly not applied by the firm. The AG's investigation determined that the firm failed to take reasonable measures to protect consumer personal information, such as conducting risk assessments or implementing encryption for the data, in violation of HIPAA and New York state law.
In addition to the monetary penalty and obligation to implement an enhanced information security program, the settlement also requires the firm to offer affected consumers two years of complimentary credit monitoring and identity theft protection services (if such services were not already offered). The firm neither admitted nor denied the AG’s allegations as part of the settlement.