A law firm that represents hospitals and healthcare organizations in litigation will pay $200,000 in an enforcement action with the Attorney General of New York after being accused of maintaining “poor data security measures” that resulted in a data breach compromising the personal information of 114,000 patients of the firm’s clients. The firm was also accused of failing to adopt measures required by the Health Insurance Portability and Accountability Act (HIPAA), a requirement when working with hospitals.
A copy of the Assurance of Discontinuance with Heidell, Pittoni, Murphy & Bach is available from the Attorney General’s office.
The attacker was able to access the company’s information through its email server. Microsoft had released a patch to address the vulnerability in question months earlier, but the firm had not yet installed it, according to the AG’s office. The attacker then deployed malware on the company’s system that disrupted the firm’s email servers. An investigation conducted by the firm found that tens of thousands of patient files may have been taken from its systems.
“Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud,” said New York Attorney General Letitia James, in a statement. “The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”
Along with paying the fine, the company is also being required to adopt measures to shore up its information security practices, including:
- Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the firm’s leadership;
- Encrypting the private and health information it collects, uses, stores, and maintains;
- Implementing centralized logging and monitoring of network activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged;
- Establishing a reasonable patch management program, including appropriate monitoring of required updates, supervision of the program, and training for employees;
- Developing a penetration testing program that includes regular testing of HPMB’s network security; and,
- Updating its data collection and retention practices, including only collecting data to the minimum extent necessary to perform legitimate business functions and permanently deleting all such data when there is no longer a reasonable business or legal purpose to retain such information.