A New York-based medical malpractice law firm has agreed to pay $200,000 to the New York Attorney General over inadequate data security practices that led to the now-infamous Microsoft Exchange attacks in 2021.
In November 2021, months after Microsoft issued patches for vulnerabilities in its servers, the attackers gained access to unpatched systems for legal firm Heidell, Pittoni, Murphy & Bach (HPMB) and compromised the private data of nearly 115,000 hospital patients, including names, dates of birth, social security numbers, and health information.
New York Attorney General Letitia James said HPMB's "poor data security measures" violated state law and privacy and security standards in the federal Health Insurance Portability and Accountability Act (HIPAA). Those measures include improperly conducting regular risk assessment of its systems, and not implementing thorough procedures to detect malicious software.
"New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled," James said in a statement on Monday. "Companies can, and should, strengthen their data security measures to safeguard consumers' digital data, otherwise they can expect to hear from my office."
In addition to the financial penalty, HPMB has agreed to improve its security measures — including establishing an appropriate patch management program, conducting annual risk analysis, encrypting private and health information, and securely deleting ePHI and private information when appropriate— to protect its clients' patients' data in the future.
"Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches," James added.
SC Media has reached out to the law firm for comment.
In March 2021, Microsoft said a sophisticated group of Beijing-backed hackers exploited four zero-vulnerabilities in its Exchange Server to steal data from U.S. defense contractors and law firms and urged organizations to patch on-premises systems immediately. However, HPMB failed to update their servers in a timely manner, leading them to be breached in November.
On or around Christmas, the attacker deployed Lockbit ransomware on HPMB's network. While the company hired a forensic firm to negotiate, the attackers provided a list of tens of thousands of files that they claimed to have stolen from the HPMB’s systems, including legal pleadings, patient lists, and medical records, which the forensic firm later confirmed were indeed exfiltrated from the law firm, the investigation found.
Ultimately, HPMB paid $100,000 ransom in exchange for the return and deletion of the data "but was not provided evidence the data was deleted," the court document noted.
On May 16, 2022, HPMB's vendor concluded the information of 114,979 hospital patients, including 61,438 New York residents, has likely been exposed. The law firm started notifying affected parties while reporting the incident to the U.S. Department of Health and Human Services on the same day.