A New York City law firm has agreed to pay $200,000 to the state for failing to protect consumers’ personal and health care information.
Heidell, Pittoni, Murphy & Bach (HPMB) LLP’s poor data security measures made it vulnerable to a 2021 data breach that compromised the private information of about 114,000 patients, according to the New York Attorney General’s office.
HPMB represents New York City-area hospitals and maintains sensitive private information of patients, including dates of birth, Social Security numbers, health insurance information, and medical history.
HPMB’s data security failures violated state and federal laws.
In November 2021, an attacker was able to exploit a vulnerability in HPMB’s email server to gain access to computer systems.
Patches for the vulnerability were available, but HPMB had not applied them in a timely manner, according to the Attorney General’s office.
In December 2021, an attacker used malware to disrupt HPMB’s email system. HPMB found that tens of thousands of files had potentially been taken from its systems.
In May 2022, HPMB began notifying affected consumers. The Office of the Attorney General determined that HPMB had failed to adopt reasonable practices to protect consumers’ personal information in several areas.