New York Attorney General Letitia James secured $200,000 from the law firm, Heidell, Pittoni, Murphy & Bach LLP (HPMB) for failing to protect New Yorkers’ personal and healthcare data.
HPMB’s poor data security measures made it vulnerable to a 2021 data breach that compromised the private information of approximately 114,000 patients, including more than 60,000 New Yorkers.
The law firm represents New York City area hospitals and maintains sensitive private information from patients, including dates of birth, social security numbers, health insurance information, medical history, and/or health treatment information.
HPMB’s data security failures violated not only state law but also HIPAA, which required HPMB to adhere to certain advanced data security practices.
As a result of the agreement, HPMB must pay $200,000 in penalties to the state and strengthen its cybersecurity measures to protect consumers’ personal and private health information.
“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” said Attorney General James. “Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise, they can expect to hear from my office.”
In November 2021, an attacker was able to exploit a vulnerability in HPMB’s Microsoft Exchange email server to gain access to HPMB’s systems.
Patches for this vulnerability had been released by Microsoft several months earlier, but HPMB had not applied these patches in a timely manner, leaving this vulnerability exposed for potential exploitation.
In December 2021, an attacker deployed malware on HPMB’s systems which resulted in a disruption in HPMB’s email system. In its subsequent investigation, HPMB found that tens of thousands of files had been potentially taken from HPMB’s systems.
An analysis of these files determined that electronic health information and/or private information — including names, dates of birth, social security numbers, and/or health data — of 114,979 individuals, including 61,438 New York residents, had likely been exposed as a result of the attack.
In May 2022, HPMB began notifying affected consumers whose personal information was compromised during the incident. The Office of the Attorney General determined that HPMB had failed to adopt reasonable practices to protect consumers’ personal information in several areas. In particular, HPMB failed to adopt several measures required by HIPAA, which HPMB is covered by due to its business relationship with hospitals and hospitals, including conducting regular risk assessments of its systems, encrypting the private information on its servers, and adopting appropriate data minimization practices.
As a result of today’s agreement, HPMB must pay the state $200,000 in penalties.
HPMB is also required to adopt measures to better protect the personal and private health information of its clients’ patients going forward, including:
- Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the firm’s leadership;
- Encrypting the private and health information it collects, uses, stores, and maintains;
- Implementing centralized logging and monitoring of network activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged;
- Establishing a reasonable patch management program, including appropriate monitoring of required updates, supervision of the program, and training for employees;
- Developing a penetration testing program that includes regular testing of HPMB’s network security; and,
- Updating its data collection and retention practices, including only collecting data to the minimum extent necessary to perform legitimate business functions and permanently deleting all such data when there is no longer a reasonable business or legal purpose to retain such information.
This matter was handled by Assistant Attorney General Laura Mumm and Deputy Bureau Chief Clark Russell, with special assistance from Internet and Technology Analyst Nishaant Goswamy, of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger.
The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo and overseen by First Deputy Attorney General Jennifer Levy.