New York law firm gets fined $200k for failing to protect health data (Security News, March 2023)
A New York law firm has agreed to pay $200,000 in penalties to the state because it failed to protect the private and electronic health information of approximately 114,000 patients.
Heidell, Pittoni, Murphy and Bach (HPMB) represents New York City area hospitals in litigation and maintains sensitive private information from patients, including dates of birth, social security numbers, health insurance information, medical history, and health treatment information.
According to the findings by the Office of the Attorney General, the firm "Paid $100,000 in ransom in exchange for the return and promised deletion of the exfiltrated data but was not provided evidence the data was deleted."
The Office of the New York Attorney General determined that HPMB had failed to adopt reasonable practices to protect consumers' personal information in several areas.
HPMB's data security failures violated not only state law but also HIPAA, which covers the firm because of its business relationship with hospitals. The firm failed to adopt several measures required by HIPAA, including conducting regular risk assessments of its systems, encrypting the private information on its servers, and adopting appropriate data minimization practices.
"Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud. The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers' digital data, otherwise they can expect to hear from my office," said New York Attorney General Letitia James.
News URL: https://www.helpnetsecurity.com/2023/03/29/new-york-law-firm-fined-200k-failing-protect-health-data/