New York Law Firm Pays $200,000 to State AG to Resolve HIPAA Violations
A New York law firm that suffered a LockBit ransomware attack has agreed to pay a financial penalty of $200,000 to the New York Attorney General to resolve alleged violations of New York General Business Law and the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA).
Heidell, Pittoni, Murphy & Bach LLP (HPMB) is a New York City-based medical malpractice law firm. On or around Christmas Day 2021, the LockBit ransomware gang gained access to its network and encrypted files. The investigation confirmed that files were exfiltrated in the attack, including legal documents, patient lists, and medical records. The patient information included names, birthdates, medical histories, treatment information, Social Security numbers, and health insurance information. The incident was reported to the HHS’ Office for Civil Rights on May 16, 2022, as affecting 114,979 individuals. HPMB engaged a third-party ransomware remediation firm to negotiate with the threat actor and ended up paying $100,000 for the keys to decrypt files and to prevent the release of the stolen data. The investigation confirmed the LockBit gang gained access to its network in November 2021 by exploiting unpatched Microsoft Exchange vulnerabilities.
The incident was investigated by the Office of the New York Attorney General to determine whether the law firm had violated state laws and the HIPAA Rules. The NY AG determined that the vulnerabilities exploited by the LockBit gang had been identified by Microsoft in April and May 2021 and that patches had been released shortly thereafter to fix them. Despite the vulnerabilities being well known, they remained unpatched for more than 6 months, which left the firm’s email server vulnerable to attack.
The NY AG determined that 17 provisions of the HIPAA Privacy and Security Rules had been violated. There were also violations of New York General Business Law for failing to implement reasonable security practices to protect private information and for failing to issue timely notifications to 61,438 New York residents.
The alleged HIPAA violations were:
- The failure to safeguard electronic protected health information (ePHI).
- The failure to protect against reasonably anticipated threats to ePHI.
- The failure to review and modify data protection practices.
- The failure to conduct an accurate and thorough risk assessment.
- The failure to implement appropriate security measures to reduce risks to ePHI.
- The failure to regularly review records of information system activity.
- The failure to implement procedures sufficient to guard against, detect, and report malicious software.
- The failure to implement procedures sufficient for periodic testing and revision of contingency plans.
- The failure to perform a periodic technical and nontechnical evaluation.
- The failure to sufficiently implement technical policies and procedures for ePHI to limit access by unauthorized individuals.
- The failure to encrypt ePHI.
- The failure to implement a centralized logging system for information systems to allow unauthorized system activity to be detected.
- The failure to implement a system for detecting the alteration or destruction of ePHI.
- The failure to implement procedures sufficient to verify that a person or entity seeking access to ePHI is the one claimed.
- The failure to implement reasonable and appropriate policies and procedures to comply with the standards of 45 C.F.R. Part 164, Subpart C.
- The failure to prevent unauthorized access to ePHI.
- The failure to adhere to the minimum necessary standard.
In addition to paying a financial penalty, HPMB has agreed to implement a comprehensive information security program that includes risk analyses at least annually, the implementation of appropriate administrative, technical, and physical safeguards, and regular testing of those safeguards. HPMB will appoint a Chief Information Security Officer (CISO), encrypt all ePHI at rest and in transit, implement a centralized logging system, conduct system activity reviews, establish a patch management program, and develop a penetration testing program.
“New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled,” said Attorney General Letitia James. “Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”