NYS Attorney General Letitia James announced a settlement:
New York Attorney General Letitia James secured $200,000 from the law firm, Heidell, Pittoni, Murphy & Bach LLP (HPMB) for failing to protect New Yorkers’ personal and healthcare data. HPMB’s poor data security measures made it vulnerable to a 2021 data breach that compromised the private information of approximately 114,000 patients, including more than 60,000 New Yorkers. The law firm represents New York City area hospitals and maintains sensitive private information from patients, including dates of birth, social security numbers, health insurance information, medical history, and/or health treatment information. HPMB’s data security failures violated not only state law, but also HIPAA, which required HPMB to adhere to certain advanced data security practices. As a result of the agreement, HPMB must pay $200,000 in penalties to the state and strengthen its cybersecurity measures to protect consumers’ personal and private health information.
Read more on the Attorney General’s website.
According to the filing, the law firm’s server was vulnerable to attack in November 2021 because it had not patched a vulnerability that Microsoft had reported months earlier, in April and May. Microsoft had made a patch available at around the same time as that vulnerability report.
On or around December 25, 2021, LockBit deployed its ransomware using PsExec.
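PsExec-style ransomware deployment leaves a recognizable trace: by default PsExec copies PSEXESVC.exe into the target’s Windows directory and installs it as a service, which the System log records as Event ID 7045 (“A service was installed in the system”), and a burst of such installs across many hosts in a few minutes is the lateral-movement signature. The following is an added example, not part of the filing or the original post, showing how a defender might hunt for that pattern over exported event records. The event records are constructed sample data, not logs from this incident, and the KNOWN_GOOD_SERVICES allowlist is a hypothetical placeholder for whatever an environment expects to see.

```python
import re
from datetime import datetime

# Constructed sample records (not from the incident), shaped like exported
# Windows System-log entries. Event ID 7045 = "A service was installed".
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FILESRV01", "TimeCreated": "2021-12-25T02:14:07Z",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "AccountName": "LocalSystem"},
    # PsExec run with -r renames the service, but the dropped binary still
    # lands in %SystemRoot% under the same name as the service.
    {"EventID": 7045, "Computer": "WS-044", "TimeCreated": "2021-12-25T02:15:30Z",
     "ServiceName": "winupd", "ImagePath": r"%SystemRoot%\winupd.exe",
     "AccountName": "LocalSystem"},
    # Benign service install for contrast.
    {"EventID": 7045, "Computer": "WS-044", "TimeCreated": "2021-12-20T09:00:00Z",
     "ServiceName": "gupdate",
     "ImagePath": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc",
     "AccountName": "LocalSystem"},
    # Unrelated event type; must be ignored.
    {"EventID": 4624, "Computer": "WS-044", "TimeCreated": "2021-12-25T02:15:00Z"},
]

# Hypothetical allowlist of service names the environment expects to install.
KNOWN_GOOD_SERVICES = {"gupdate", "gupdatem"}

# Service binary dropped straight into the Windows directory, named after the service.
_SYSROOT_DROP = re.compile(r"^%SystemRoot%\\([^\\]+)\.exe$", re.IGNORECASE)


def classify_service_install(event):
    """Return (confidence, reason) if a 7045 event looks like PsExec, else None."""
    if event.get("EventID") != 7045:
        return None
    name = event.get("ServiceName", "")
    image = event.get("ImagePath", "")
    # Rule 1: default PsExec service name or binary name.
    if name.upper() == "PSEXESVC" or image.upper().endswith("\\PSEXESVC.EXE"):
        return ("high", "default PsExec service name/binary")
    # Rule 2: renamed service (-r) whose binary sits in %SystemRoot% under the
    # service's own name and is not something we expect to see installed.
    m = _SYSROOT_DROP.match(image)
    if m and m.group(1).lower() == name.lower() and name.lower() not in KNOWN_GOOD_SERVICES:
        return ("medium", "binary dropped in %SystemRoot% under the service name (PsExec -r pattern)")
    return None


def find_psexec_installs(events):
    """Run the classifier over a list of event records and collect findings."""
    findings = []
    for ev in events:
        verdict = classify_service_install(ev)
        if verdict:
            findings.append({"computer": ev["Computer"], "time": ev["TimeCreated"],
                             "service": ev["ServiceName"], "confidence": verdict[0],
                             "reason": verdict[1]})
    return findings


def hosts_hit_within(findings, minutes):
    """Largest number of distinct hosts with a PsExec-like install inside any
    window of `minutes`; many hosts in a short window is the deployment burst."""
    times = sorted((datetime.strptime(f["time"], "%Y-%m-%dT%H:%M:%SZ"), f["computer"])
                   for f in findings)
    best = 0
    for i, (t0, _) in enumerate(times):
        hosts = {c for t, c in times[i:] if (t - t0).total_seconds() <= minutes * 60}
        best = max(best, len(hosts))
    return best


if __name__ == "__main__":
    hits = find_psexec_installs(SAMPLE_EVENTS)
    for f in hits:
        print(f)
    print("distinct hosts hit within 5 minutes:", hosts_hit_within(hits, 5))
```

The second rule is deliberately conservative: PsExec’s `-r` switch changes the service name, so matching only on PSEXESVC misses it, while the “binary named after the service, dropped in %SystemRoot%” pattern catches the rename at the cost of needing an allowlist for legitimate installers. Where Sysmon is deployed, the named pipe `\PSEXESVC` in pipe-created events (Sysmon Event ID 17) is a second, independent indicator worth correlating with the 7045 hits.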
This incident was reported to HHS in May 2022 as impacting 114,979 patients.