Law firm fined $200,000 over ‘poor data security’ that led to ransomware attack
New York’s attorney general has levied a $200,000 fine on a law firm representing hospitals whose sensitive files were accessed in a 2021 ransomware attack.
Attorney General Letitia James accused the New York City-based firm, Heidell, Pittoni, Murphy & Bach (HPMB), of having “poor data security,” resulting in the leak of some 114,000 people’s information, including information about their health.
“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” she said in a release accompanying the decision.
“Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”
According to the results of the Office of the Attorney General’s investigation, an attacker exploited the firm’s Microsoft Exchange email server, taking advantage of vulnerabilities that Microsoft had identified more than six months earlier. Despite Microsoft having released fixes for the bugs, the firm allegedly failed to “timely apply the patch for these vulnerabilities.”
The next month, around Christmas, the attacker deployed the LockBit malware. During negotiations with the attackers, a forensic firm hired by HPMB was supplied a list of tens of thousands of files, which “included legal pleadings, patient lists, and medical records that HPMB had in its possession in connection with litigation matters,” the OAG wrote.
Ultimately, HPMB paid a $100,000 ransom but was not provided evidence the files were deleted. In May 2022, six months after the initial breach, the firm notified those affected by the breach after conducting an investigation of the leaked files.
The OAG determined the firm violated data protection standards mandated by the Health Insurance Portability and Accountability Act (HIPAA), which protects privacy around medical information.
Those requirements include “conducting regular risk assessments of its systems, encrypting the private information on its servers, and adopting appropriate data minimization practices.”
On top of the $200,000 fine, the firm must adopt an array of security measures, including encrypting private information, developing a penetration testing program, updating data retention policies and developing a “comprehensive information security program.”
The New York attorney general has been aggressive in punishing companies deemed at fault for data breaches. Last October, the office fined the e-commerce retailer Zoetop $1.9 million for its handling of a leak.
Regulators have levied fines on other law firms as well, with the United Kingdom’s data protection authority fining the London firm Tuckers Solicitors LLP about $120,000 for allegedly violating standards laid out in data protection laws.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.