On March 27, the New York attorney general announced a settlement with a law firm to resolve claims that it allegedly failed to protect individuals’ personal and health care data. According to the announcement, an attacker was able to exploit a vulnerability in the law firm’s email server and gained access to the sensitive private information, including names, dates of birth, Social Security numbers, and/or health data, of nearly 115,000 individuals, including more than 60,000 New Yorkers. According to the AG, the law firm’s data security failures not only violated state law, but also violated HIPAA requirements relating to the adherence to certain advanced data security practices. The law firm, which represents New York City area hospitals and maintains patients’ sensitive private information, is required to adopt several measures required by HIPAA, including conducting regular system risk assessments, encrypting private information housed on its servers, and adopting appropriate data minimization practices, all of which it failed to do prior to the breach.
Under the terms of the assurance of discontinuance, the law firm is required to pay $200,000 in penalties to the state and strengthen its cybersecurity measures. Required actions include encrypting private information, monitoring and logging network activity, establishing a reasonable patch management policy, developing a penetration testing program, updating its data collection and retention practices, and permanently deleting data “when there is no reasonable business or legal purpose to retain it.”