Heidell Pittoni fined $200k by New York AG for 2021 data breach  

New York Attorney General Letitia James announced today (27 March) that she has secured $200,000 from New York/Connecticut law firm, Heidell, Pittoni, Murphy & Bach LLP (HPMB) for a 2021 data breach that compromised the private information of approximately 114,000 patients, including over 60,000 New Yorkers. 

HPMB represents New York City area hospitals and maintains sensitive private information from patients, including dates of birth, social security numbers, health insurance information, medical history, and/or health treatment information.  

An announcement from Attorney General James today said that HPMB’s data security failures violated not only state law, but also HIPAA, which required HPMB to adhere to certain advanced data security practices. As a result of the agreement, HPMB must pay $200,000 in penalties to the state and strengthen its cybersecurity measures to protect consumers’ personal and private health information.

In a strongly-worded statement, Attorney General James said:  “The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches. Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.” 

In November 2021, an attacker was able to exploit a vulnerability in HPMB’s Microsoft Exchange email server to gain access to HPMB’s systems. Patches for this vulnerability had been released by Microsoft several months earlier, but HPMB had not applied these patches in a timely manner, leaving this vulnerability exposed for potential exploitation. In December 2021, an attacker deployed malware on HPMB’s systems which resulted in a disruption in HPMB’s email system. In its subsequent investigation, HPMB found that tens of thousands of files had been potentially taken from HPMB’s systems. An analysis of these files determined that electronic health information and/or private information — including names, dates of birth, social security numbers, and/or health data — of 114,979 individuals, including 61,438 New York residents, had likely been exposed as a result of the attack.  

In May 2022, HPMB began notifying affected consumers whose personal information was compromised during the incident. The Office of the Attorney General determined that HPMB had failed to adopt reasonable practices to protect consumers’ personal information in several areas. In particular, HPMB failed to adopt several measures required by HIPAA, which HPMB is covered by due to its business relationship with hospitals and hospital, including conducting regular risk assessments of its systems, encrypting the private information on its servers, and adopting appropriate data minimization practices.  

As a result of today’s agreement, HPMB must pay the state $200,000 in penalties and adopt measures to better protect the personal and private health information of its clients’ patients going forward, including: 

  • Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the firm’s leadership; 
  • Encrypting the private and health information it collects, uses, stores, and maintains; 
  • Implementing centralized logging and monitoring of network activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged; 
  • Establishing a reasonable patch management program, including appropriate monitoring of required updates, supervision of the program, and training for employees; 
  • Developing a penetration testing program that includes regular testing of HPMB’s network security; and, 
  • Updating its data collection and retention practices, including only collecting data to the minimum extent necessary to perform legitimate business functions and permanently deleting all such data when there is no longer a reasonable business or legal purpose to retain such information. 

HPMB sent us the statement below.

On December 25, 2021, HPMB detected suspicious activity within its network environment. Upon discovery, HPMB worked with its information technology (IT) support team and immediately engaged a law firm specializing in cybersecurity and data privacy to investigate further. Additionally, HPMB engaged third-party forensic specialists to assist in its analysis of any unauthorized activity. HPMB also cooperated fully with federal and state authorities and its institutional clients.

The extensive investigation, which concluded on April 22, 2022, determined that certain personal information was impacted by this incident. The impacted information was largely limited to names and dates of birth. Notably, of the individuals whose personal information was impacted, less than 1% involved Social Security numbers.

The potentially impacted individuals were notified by mail and by public notice. These notifications included steps the impacted individuals could take to protect their information. In order to address any concerns and mitigate any exposure or risk of harm following this Incident, HPMB further arranged for complimentary credit monitoring and identity theft protection services to all potentially impacted individuals at no cost to them. HPMB does not have any evidence to indicate that any personal information has been or will be misused as a result of this incident.

HPMB takes the security of sensitive information very seriously. It has taken numerous steps to prevent a similar event from occurring in the future, including security measures, policies, and procedures. There have been no similar incidents since December 25, 2021.

HPMB sincerely regrets any inconvenience that this incident may have caused and remains dedicated to protecting all personal and health information. If you have any questions about this incident, please contact us by email at inquiries@hpmb.com.