Security News > 2023 > March > Lawyers cough up $200k after health data stolen in Microsoft Exchange pillaging

New York law firm Heidell, Pittoni, Murphy and Bach has agreed to pay $200,000 to settle a data-breach lawsuit related to the now-notorious Hafnium Microsoft Exchange attacks that siphoned sensitive data from victims around the world.

New York Attorney General Letitia James, who brought the lawsuit against the lawyers, blamed HPMB's poor data security practices for the privacy breach.

In addition to paying the settlement fee, the law firm also agreed to implement a number of security measures - including encrypting private and health information, establishing a patch management program, and performing penetration testing - to better protect private data in the future.

The settlement also requires the law firm to hire a third-party assessor to review its new infosec program and report back to the New York attorney general in one year, and then annually for five years thereafter.

The law firm disconnected its servers from the internet, hired a cybersecurity firm to conduct a forensic investigation, and ultimately paid the crooks a $100,000 ransom in exchange for the stolen data.

During its investigation into the privacy breach, the New York AG's office determined that the law firm's data security failures violated not only state law, but also the federal Health Insurance Portability and Accountability Act of 1996, which outlines privacy and information security protection that Americans can expect for their medical information.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/03/27/nyc_lawyers_security_data/