The New York Attorney General has received a payment of $200,000 from a New York law firm, recently hit by a LockBit ransomware attack, to settle claims that it violated New York General Business Law and HIPAA's Privacy and Security Rules.
The Story of The HPMB Case
Heidell, Pittoni, Murphy & Bach LLP (HPMB), a legal practice based in New York City, was compromised by the LockBit ransomware gang around Christmas Day 2021. The attackers exfiltrated legal documents, patient lists, and medical records, including names, birthdates, medical histories, treatment information, Social Security numbers, and health insurance information, of 114,979 individuals.
Notably, HPMB paid the threat actor $100,000 for the keys needed to decrypt its files and to stop the release of the stolen data. The investigation found that the ransomware gang exploited unpatched Microsoft Exchange vulnerabilities in November 2021 to gain access to the network. The incident was reported to the HHS Office for Civil Rights on May 16, 2022.
The New York Attorney General's Office then opened an inquiry to assess whether the law firm had breached the HIPAA Rules or state law. The investigation revealed that the LockBit gang exploited weaknesses that Microsoft had already identified in April and May of 2021 and for which it had released patches. Those patches went unapplied for more than half a year, leaving the firm's email server exposed to attack.
HIPAA Violations Committed by New York Law Firm
The NY AG determined that there were violations of the HIPAA Privacy and Security Rules, as well as violations of New York General Business Law, stemming from the lack of reasonable security practices to protect private information and the failure to issue timely notifications to 61,438 New York residents. The violations cited included:
- Failing to secure ePHI.
- Neglecting to anticipate threats to ePHI.
- Neglecting to review and modify data protection practices.
- Neglecting to undertake a thorough risk assessment.
- Neglecting to institute appropriate security measures to reduce risks to ePHI.
- Neglecting to review records of information system activity regularly.
- Neglecting to establish procedures to protect against, detect, and report malicious software.
- Neglecting to create procedures for periodic testing and revising contingency plans.
- Neglecting to conduct periodic technical and nontechnical evaluations.
- Neglecting to apply technical policies and procedures for ePHI to restrict access by unauthorized persons.
- Neglecting to encrypt ePHI.
- Neglecting to have a centralized logging system for information systems to detect unauthorized system activity.
- Neglecting to have a system to detect the alteration or destruction of ePHI.
- Neglecting to have procedures to verify that a person or entity seeking access to ePHI is the one claimed.
- Neglecting to institute reasonable and appropriate policies and procedures to comply with the standards of 45 C.F.R. Part 164, Subpart C.
- Neglecting to prevent unauthorized access to ePHI.
- Neglecting to observe the minimum necessary standard.
The Final Decision on The HPMB Case
HPMB has consented to a monetary penalty and has further agreed to build a thorough information security program, featuring yearly risk assessments, the appointment of a Chief Information Security Officer (CISO), encryption of all ePHI, a centralized logging system, system activity reviews, a patch management program, and a penetration testing program.
Attorney General Letitia James asserted that New Yorkers should not have to stress over the potential of their private information being mishandled or their privacy being compromised. She further highlighted that patient data should be treated with respect and stored securely online to protect citizens from identity theft and fraud.
Concerning those responsible for safeguarding said data, James demanded that they remain vigilant and keep the authorities and New Yorkers informed if any breaches occur. Finally, she warned that companies must take the proper steps to strengthen their data security and protect consumers’ digital data, or else they can expect to hear from her office.