NY AG secures $200,000 from law firm for failing to protect PHI

According to the New York Attorney General’s office, a law firm was fined $200,000 for data security failures that led to a 2021 data breach.

Why it matters:

New York Attorney General Letitia James secured a $200,000 settlement from the law firm HPMB for their failure to protect the personal and healthcare data of over 60,000 New Yorkers. The case emphasizes the responsibility of law firms to maintain adequate data security measures, especially when handling sensitive personal and healthcare information that belongs to their healthcare clients.

The details:

In 2021, HPMB experienced a data breach that compromised the private information of around 114,000 patients, including more than 60,000 New Yorkers. The law firm represents New York City area hospitals and maintains sensitive private information from patients. HPMB’s data security failures violated both state law and the Health Insurance Portability and Accountability Act (HIPAA), which required the law firm to adhere to specific data security practices.

Settlement terms:

HPMB must pay $200,000 in penalties to the state and strengthen its cybersecurity measures to protect consumers’ personal and private health information.

How the breach occurred:

An attacker exploited a vulnerability in HPMB’s Microsoft Exchange email server to access the firm’s systems. Patches for this vulnerability had been released by Microsoft months earlier, but HPMB failed to apply them in a timely manner, leaving the vulnerability exposed for potential exploitation. 

In December 2021, an attacker deployed malware on HPMB’s systems, disrupting their email system and potentially exposing the personal and healthcare data of 114,979 individuals, including 61,438 New York residents.

Data security improvements:

As a result of the agreement, HPMB is required to adopt several measures to better protect the personal and private health information of its clients’ patients, including:

1. Maintaining a comprehensive information security program with regular updates to keep pace with changes in technology and security threats.
2. Encrypting the private and health information it collects, uses, stores, and maintains.
3. Implementing centralized logging and monitoring of network activity.
4. Establishing a reasonable patch management program, including appropriate monitoring of required updates, supervision, and employee training.
5. Developing a penetration testing program that regularly tests HPMB’s network security.
6. Updating its data collection and retention practices to minimize data collection and delete data when it no longer serves a reasonable business or legal purpose.

Law firms working with sensitive information must ensure compliance with data protection regulations and implement robust security measures to prevent breaches and protect their clients’ information.

Proactive steps for law firms to protect sensitive data

Law firms handling sensitive personal and healthcare information must prioritize data protection to prevent breaches and maintain compliance with regulations. Here are some specific, actionable tips for law firms working with healthcare organizations to protect PHI:

1. Use HIPAA compliant email: Ensure that all communication channels, including email, are compliant with HIPAA regulations. This includes implementing secure email platforms with encryption for sensitive data and features like access controls, audit trails, and automatic log-offs.
2. Conduct regular risk assessments: Regularly assess the security of your systems and identify potential vulnerabilities. This will help you stay proactive in addressing any weaknesses and keeping your security measures up to date with evolving threats.
3. Implement a data protection plan: Develop a comprehensive data protection plan that adheres to industry best practices and complies with state and federal regulations, such as HIPAA and state-specific data protection laws.
4. Employee training and awareness: Regularly train employees on the importance of data security and their role in protecting sensitive information. This includes providing guidance on recognizing and reporting phishing attempts, maintaining strong passwords, and securely handling sensitive data.
5. Implement multi-factor authentication: Require multi-factor authentication (MFA) for all users accessing sensitive data. MFA adds an extra layer of protection by requiring users to verify their identity through a combination of factors, such as something they know (a password), something they have (a security token), or something they are (a fingerprint).
6. Secure data storage and backups: Store sensitive data in secure, encrypted environments and maintain regular backups of all essential information. This ensures that data is protected from unauthorized access and can be recovered in case of a breach or system failure.
7. Establish a robust incident response plan: Develop a comprehensive incident response plan that outlines the steps to be taken in the event of a data breach. This should include procedures for identifying and containing the breach, assessing the damage, notifying affected parties, and recovering from the incident.

By adopting these measures, law firms can significantly reduce the risk of data breaches and protect the sensitive information entrusted to them by healthcare organizations and other clients.