The New York attorney general found that Heidell, Pittoni, Murphy & Bach LLP failed to protect consumers’ health information.
03/28/2023 3:00 P.M.
A New York law firm was recently fined $200,000 over a 2021 data breach that compromised the personal information of 114,000 patients.
New York Attorney General Letitia James announced the settlement with Heidell, Pittoni, Murphy & Bach LLP (HPMB), a law firm that represents hospitals and hospital networks, in connection with the data breach.
The attorney general alleged that the firm’s data security failures violated not only state law, but also the Health Insurance Portability and Accountability Act (HIPAA).
According to the Assurance of Discontinuance from the attorney general’s office, in November 2021, an attacker exploited vulnerabilities in HPMB’s server to gain access to its systems. Microsoft had released patches for the software vulnerabilities several months earlier, but HPMB had not yet applied them. The unpatched vulnerabilities are what allowed the attacker to deploy malware on the firm’s systems.
“In its subsequent investigation, HPMB found that tens of thousands of files had been potentially taken from HPMB’s systems,” according to a press release. “An analysis of these files determined that electronic health information and/or private information—including names, dates of birth, Social Security numbers, and/or health data—of 114,979 individuals, including 61,438 New York residents, had likely been exposed as a result of the attack.”
In addition to paying the fine, HPMB is also required to adopt measures to better protect the personal information of its clients’ patients going forward, including:
- Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the firm’s leadership;
- Encrypting the private and health information it collects, uses, stores and maintains;
- Implementing centralized logging and monitoring of network activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged;
- Establishing a reasonable patch management program, including appropriate monitoring of required updates, supervision of the program, and training for employees;
- Developing a penetration testing program that includes regular testing of HPMB’s network security; and,
- Updating its data collection and retention practices, including only collecting data to the minimum extent necessary to perform legitimate business functions and permanently deleting all such data when there is no longer a reasonable business or legal purpose to retain such information.
“Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud,” James said in a statement. “The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”
The Importance of Data Security
As a client alert issued by Barron & Newburger, P.C. notes, “The settlement is a wake-up call for law firms and other debt collectors that handle medical accounts.”
Debt collectors are required by state and federal laws to protect the security of their customers’ financial information. In 2021, the Federal Trade Commission updated its Standards for Safeguarding Customer Information—the Safeguards Rule.
The rule requires financial institutions to develop, implement, and maintain a comprehensive information security program by June 9, 2023. (This is an extension from the previous deadline of Dec. 9, 2022, which was achieved thanks in part to ACA’s advocacy on the issue.)
Doing the work to comply with the Safeguards Rule will help reduce your risk of facing a breach like this.
ACA partnered with TPx Communications, a member of our Alliance ACA program, on industry-specific education for the Safeguards Rule that you can use to strengthen your data security program.
We recently added new webinars to our ACA How: Safeguards Rule Implementation series. All sessions are scheduled from 12 to 12:30 p.m. CT. Read the upcoming session descriptions below:
Friday, April 14, 2023: Reviewing Multi-factor Authentication
Multi-factor authentication (MFA) is a layered approach to securing physical and logical access in which a system requires a user to present a combination of two or more authenticators to verify their identity at login. In this session, we will present an MFA strategy in relation to the Safeguards Rule. Additionally, we will explain how to effectively implement MFA for your organization.
Friday, May 12, 2023: Vulnerability & Penetration Scanning Exposed
All qualifying organizations must perform an annual penetration assessment using “a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.”
Friday, June 9, 2023: Haven’t Started Meeting the Safeguards Rule? Do This
The deadline is here—June 9, 2023. If you haven’t started down the path to becoming FTC Safeguards Rule-compliant, start now. Small and medium-sized agencies might find it more challenging to become compliant. To pass the FTC audits beginning in June 2023, you’ll need to be defensible and provide a strong case that your information security program is secure and running smoothly. In this session, we will help you figure out what you can tackle in-house and where you need to outsource. We will also help you understand the Safeguards Rule requirements and learn how to become defensible by working on a plan today.
Plus: Our live Q&A series will be held April 21, May 19, June 16, and July 14, 2023. Note: these sessions will not be recorded, so get them in your calendar today!
Members can register for the ACA How: Safeguards Rule Implementation Series at any time and will gain access to all previous content otherwise missed. Members who have already purchased the series can take advantage of these exclusive add-on sessions for free to prepare for the upcoming June 9 compliance date.
You will find the full lineup of the Safeguards Rule webinar series, including information on how to register, right here.
Visit the Safeguards Rule Resource Center and register for the webinar series here.