New York Law Firm Pays $200,000 to State AG to Resolve HIPAA Violations

A New York law firm that suffered a LockBit ransomware attack has agreed to pay a financial penalty of $200,000 to the New York Attorney General to resolve alleged violations of New York General Business Law and the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA).

Heidell, Pittoni, Murphy & Bach LLP (HPMB) is a New York City-based medical malpractice law firm. On or around Christmas Day 2021, the LockBit ransomware gang gained access to its network and encrypted files. The investigation confirmed that files were exfiltrated in the attack, including legal documents, patient lists, and medical records. The patient information included names, birthdates, medical histories, treatment information, Social Security numbers, and health insurance information. The incident was reported to the HHS’ Office for Civil Rights on May 16, 2022, as affecting 114,979 individuals. HPMB engaged a third-party ransomware remediation firm to negotiate with the threat actor and ended up paying $100,000 for the keys to decrypt files and to prevent the release of the stolen data. The investigation confirmed the LockBit gang gained access to its network in November 2021 by exploiting unpatched Microsoft Exchange vulnerabilities.

The incident was investigated by the Office of the New York Attorney General to determine whether the law firm had violated state laws and the HIPAA Rules. The NY AG determined that the vulnerabilities exploited by the LockBit gang had been identified by Microsoft in April and May 2021 and that patches had been released shortly thereafter to fix those vulnerabilities. Despite the vulnerabilities being well known, they remained unpatched for more than 6 months, which left the firm’s email server vulnerable to attack.

The NY AG determined that 17 provisions of the HIPAA Privacy and Security Rules had been violated. There were also violations of New York General Business Law: the failure to implement reasonable security practices to protect private information and the failure to issue timely notifications to 61,438 New York residents.

The alleged HIPAA violations were:

  • The failure to safeguard electronic protected health information (ePHI).
  • The failure to protect against reasonably anticipated threats to ePHI.
  • The failure to review and modify data protection practices.
  • The failure to conduct an accurate and thorough risk assessment.
  • The failure to implement appropriate security measures to reduce risks to ePHI.
  • The failure to regularly review records of information system activity.
  • The failure to implement procedures sufficient to guard against, detect, and report malicious software.
  • The failure to implement procedures sufficient for periodic testing and revision of contingency plans.
  • The failure to perform a periodic technical and nontechnical evaluation.
  • The failure to sufficiently implement technical policies and procedures for ePHI to limit access by unauthorized individuals.
  • The failure to encrypt ePHI.
  • The failure to implement a centralized logging system for information systems to allow unauthorized system activity to be detected.
  • The failure to implement a system for detecting the alteration or destruction of ePHI.
  • The failure to implement procedures sufficient to verify that a person or entity seeking access to ePHI is the one claimed.
  • The failure to implement reasonable and appropriate policies and procedures to comply with the standards of 45 C.F.R. Part 164, Subpart C.
  • The failure to prevent unauthorized access to ePHI.
  • The failure to adhere to the minimum necessary standard.

In addition to paying a financial penalty, HPMB has agreed to implement a comprehensive information security program that includes risk analyses at least annually, the implementation of appropriate administrative, technical, and physical safeguards, and regular testing of those safeguards. HPMB will appoint a Chief Information Security Officer (CISO), encrypt all ePHI at rest and in transit, implement a centralized logging system, conduct system activity reviews, establish a patch management program, and develop a penetration testing program.

“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” said Attorney General Letitia James. “Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
