New York Law Firm Pays 200k Penalty for HIPAA Violations

March 28, 2023

Heidell, Pittoni, Murphy & Bach LLP (HPMB), a prominent law firm that serves New York City hospitals, has reached a $200,000 settlement agreement following alleged violations of HIPAA privacy regulations. The Health Insurance Portability and Accountability Act (HIPAA) settlement stems from a ransomware attack that compromised the firm's systems and exposed patient information.

Computer System Vulnerability Led to Ransomware Attack

HPMB handles sensitive personal patient information, such as dates of birth, Social Security numbers, health insurance information, medical history, and health treatment records. The law firm fell victim to a targeted ransomware attack perpetrated by the LockBit group. According to The HIPAA Journal, the attack occurred on or around Christmas Day, 2021. The LockBit gang had first gained access to the law firm's computer network in November 2021 by exploiting vulnerabilities in the firm's Microsoft Exchange email server.

HPMB Pays Ransom Money to Cybercriminals

The data breach affected 114,979 individuals, 61,438 of whom were New York residents. Reuters reports that HPMB engaged a cybersecurity firm to conduct a forensic investigation, which uncovered a long list of potentially compromised files. The attackers themselves claimed to have accessed and obtained a large number of files, including legal pleadings, patient lists, and medical records. In exchange for the return and deletion of the data, HPMB paid a $100,000 ransom. However, the firm received no proof that the exfiltrated data was actually deleted.

HPMB Reports the Attack, NY Attorney General Investigates

The New York law firm began notifying individuals impacted by the data breach in May 2022. It also reported the incident to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) on May 16, 2022. The Office of the New York Attorney General initiated its own investigation, which found that HPMB had violated the HIPAA Rules and the New York General Business Law.

HPMB Law Firm’s HIPAA Violations

The investigation showed that the New York-based law firm had failed to update the affected software, leaving it exposed to cyberattacks. This failure violated HIPAA regulations and state law, both of which require strict data security practices to protect sensitive patient health information.

The HIPAA Journal reports that the law firm failed to do the following:

  • Adequately protect electronic Protected Health Information (ePHI) from unauthorized access or disclosure.
  • Protect against possible threats to ePHI security.
  • Review and update data protection practices to secure ePHI.
  • Conduct comprehensive risk assessments to identify weaknesses in protecting ePHI.
  • Apply appropriate measures to minimize the risks to ePHI security.
  • Regularly review records of information system activity to identify and respond to security incidents.
  • Establish and implement procedures to guard against, detect, and report malicious software or unauthorized system activity.
  • Implement procedures for periodic testing and updating of contingency plans to ensure an effective response to security threats.
  • Perform periodic technical and nontechnical evaluations to check the effectiveness of security measures.
  • Apply technical policies and procedures to limit access to ePHI to only authorized individuals.
  • Encrypt data to protect ePHI stored or transmitted electronically.
  • Establish a centralized logging system to detect unauthorized system activity.
  • Implement a system to detect and prevent the alteration or destruction of ePHI.
  • Implement procedures to verify the identity of individuals or entities accessing ePHI.
  • Establish and implement appropriate policies and procedures to comply with HIPAA standards.
  • Prevent unauthorized access to ePHI through stringent safeguards and access controls.
  • Adhere to the minimum necessary standard for ePHI use and disclosure.

New York Attorney General Letitia James emphasized the importance of carefully handling ePHI, saying, “New Yorkers should not have to worry that their privacy is being violated and their sensitive information is being mishandled. Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right and to keep authorities, and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data; otherwise, they can expect to hear from my office.”

HPMB Settlement for HIPAA Violations

Covered entities such as healthcare providers, health plans, healthcare clearinghouses, and their business associates should understand the importance of HIPAA compliance. Violations can incur strict penalties, financial loss, and reputational damage.

In light of the findings, HPMB has agreed to a $200,000 settlement as a penalty for the HIPAA violations and state law breaches. The law firm has also committed to improving its data security measures and adopting comprehensive information security practices. This settlement between HPMB and the Office of the New York Attorney General underscores the need for healthcare organizations and their business associates to understand the HIPAA Rules and have robust data security practices in place.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.
