Law firm to pay $200K after sloppy data security exposed patients’ private info
STATEWIDE — Attorney General Letitia James has secured $200,000 from Heidell, Pittoni, Murphy & Bach LLP (HPMB) for its failure to protect the personal and health care data of New Yorkers, her office announced on Monday.
The law firm’s inadequate data security measures left it vulnerable to a 2021 breach, compromising the private information of around 114,000 patients, including over 60,000 New Yorkers. HPMB’s data security lapses not only broke state law but also violated HIPAA, which mandates strict data security practices for the firm.
“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” said Attorney General James. “Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”