Law Firm Hack Affects Victims of an Earlier Breach AgainClient Files Breached Included Data of Vision Benefits Plan Members
A global law firm is notifying nearly 153,000 individuals of a hacking incident that compromised several client files. The files contained sensitive personal information and affects vision care patients who had been victims of a breach three years ago.
Orrick, Herrington & Sutcliffe on July 20 reported the data breach to several state regulators, including the attorneys general of Maine and California, as well as a HIPAA breach to the U.S. Department of Health and Human Services.
Among the affected individuals was an Orrick client tied to a vision benefits plan that had suffered its own health data breach several years ago. Orrick said it had provided legal counsel for a 2020 security event involving the manager of the vision benefits plan.
While health data breaches have become common place, individuals being affected a second time in two separate but loosely related incidents is highly unusual, some experts say.
Law firms such, as Orrick, that receive PHI from clients to provide legal services, including to assist in health data breach response, are clearly business associates subject to compliance with HIPAA rules, said regulatory attorney Paul Hales.
"This is every law firm’s worst HIPAA nightmare, even more so for one with the well-regarded reputation like Orrick, Herrington & Sutcliffe," Hales said. "Government investigations and private lawsuit discovery will examine Orrick’s HIPAA compliance program in minute detail. Those proceedings will be painful and unpleasant for Orrick and its client. And likely will pit legal counsel against its client," he said.
Orrick also reported that insurer Delta Dental of California was among the organizations affected. Orrick provided legal counsel to the company.
"On March 13, we identified a threat actor targeting our file storage devices where we maintain certain client files," Orrick told Information Security Media Group in a statement.
The firm's investigation determined that an unauthorized actor accessed client files containing protected health information and personally identifiable information between Feb. 28 and March 7.
"We did not experience any client service or operational disruptions, nor did we identify any ransomware related to this attack. We reported the matter to law enforcement," Orrick said.
Orrick told Maine's AG that the external hacking incident affected nearly 153,000 individuals, including 27 Maine residents. The law firm reported to HHS' Office for Civil Rights that the incident affected the PHI of about 41,000 individuals.
The San Francisco-based law firm, which has 25 offices worldwide, told regulators that information contained in the compromised file of the vision benefits plan included individuals' name, address, date of birth and Social Security number. Social Security and financial information were not among the member information contained in the compromised Delta Dental of California file, Orrick told regulators.