NY Law Firm Pays $200K Over Healthcare Data Security Failures

March 28, 2023 - The office of New York Attorney General Letitia James announced a $200,000 settlement with law firm Heidell, Pittoni, Murphy, & Bach LLP (HPMB) for failing to implement proper healthcare data security measures. The law firm represents a variety of New York City area hospitals and maintains protected health information (PHI).

HPMB’s alleged security failures made it vulnerable to a 2021 breach that impacted 114,000 patients, violating state laws and HIPAA, the announcement stated. The breach occurred when a cybercriminal managed to exploit a known vulnerability in HPMB’s Microsoft Exchange email server.

Although Microsoft had issued patches for this specific vulnerability months earlier, HPMB did not apply them in a timely manner. The attacker was able to deploy malware and potentially take tens of thousands of files from HPMB’s systems.

“The Office of the Attorney General determined that HPMB had failed to adopt reasonable practices to protect consumers’ personal information in several areas,” the New York Attorney General’s Office stated.

“In particular, HPMB failed to adopt several measures required by HIPAA, which HPMB is covered by due to its business relationship with hospitals and hospital, including conducting regular risk assessments of its systems, encrypting the private information on its servers, and adopting appropriate data minimization practices.”

HPMB issued an update on the 2021 incident on March 23, explaining that the incident took place on December 25, 2021 and that the impacted information was largely limited to names and dates of birth. HPMB said it had no evidence that any infomration has been or will be misused as a result of the incident.

Along with the $200,000 in penalties, HPMB is required to adopt updated data security measures. Specifically, HPMB will have to encrypt the health information it collects and maintains, implement centralized logging and monitoring of network activity, and develop a penetration testing program.

In addition, HPMB is required to update its data collection and retention practices, establish a patch management program, and maintain a “comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the firm’s leadership,” the NY AG stated.

“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” James said.

“Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”