Lawyers cough up $200k after health data stolen in Microsoft Exchange pillaging
New York law firm Heidell, Pittoni, Murphy and Bach has agreed to pay $200,000 to settle a data-breach lawsuit related to the now-notorious Hafnium Microsoft Exchange attacks that siphoned sensitive data from victims around the world.
New York Attorney General Letitia James, who brought the lawsuit against the lawyers, blamed HPMB's poor data security practices for the privacy breach.
In addition to paying the settlement fee, the law firm also agreed to implement a number of security measures - including encrypting private and health information, establishing a patch management program, and performing penetration testing - to better protect private data in the future.
The settlement also requires the law firm to hire a third-party assessor to review its new infosec program and report back to the New York attorney general in one year, and then annually for five years thereafter.
The law firm disconnected its servers from the internet, hired a cybersecurity firm to conduct a forensic investigation, and ultimately paid the crooks a $100,000 ransom in exchange for the stolen data.
During its investigation into the privacy breach, the New York AG's office determined that the law firm's data security failures violated not only state law, but also the federal Health Insurance Portability and Accountability Act of 1996, which outlines privacy and information security protection that Americans can expect for their medical information.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/03/27/nyc_lawyers_security_data/
Related news
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- Germany warns of 17K vulnerable Microsoft Exchange servers exposed online (source)
- These 17,000 unpatched Microsoft Exchange servers are a ticking time bomb (source)
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
- US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack (source)
- Microsoft will limit Exchange Online bulk emails to fight spam (source)
- Microsoft releases Exchange hotfixes for security update issues (source)