Law firm to pay $200K after sloppy data security exposed patients’ private info

March 28, 2023 Robert Abruzzese

STATEWIDE — Attorney General Letitia James has secured $200,000 from Heidell, Pittoni, Murphy & Bach LLP (HPMB) for its failure to protect the personal and health care data of New Yorkers, her office announced on Monday.

The law firm’s inadequate data security measures left it vulnerable to a 2021 breach, compromising the private information of around 114,000 patients, including over 60,000 New Yorkers. HPMB’s data security lapses not only broke state law but also violated HIPAA, which mandates strict data security practices for the firm.

“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” said Attorney General James. “Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”

As a result of the agreement, HPMB must pay $200,000 in penalties to the state and bolster its cybersecurity measures to protect consumers’ personal and private health information. The law firm is also required to maintain a comprehensive information security program, encrypt private and health information, implement centralized logging and monitoring of network activity, establish a reasonable patch management program, develop a penetration testing program, and update its data collection and retention practices.

The consequences of HPMB’s lax data security practices were far-reaching, with tens of thousands of files potentially taken from the firm’s systems. An analysis of these files determined that electronic health information and private information, such as names, dates of birth, social security numbers, and health data of 114,979 individuals, including 61,438 New York residents, had likely been exposed as a result of the attack.

New York lawyers must remain vigilant in protecting their clients’ sensitive information to avoid potential legal repercussions. Given the increasing number of cyberattacks and data breaches, it’s crucial for legal professionals to implement strong cybersecurity measures to protect their clients’ personal and confidential data.

Failure to adequately protect client information can result in severe consequences, including disciplinary action, malpractice lawsuits and financial penalties.

