NY Law Firm Pays $200,000 To Resolve HIPAA Violations Stemming From LockBit Cyberattack

Heidell, Pittoni, Murphy & Bach LLP (HPMB), a New York-based law firm, has agreed to pay $200,000 to the New York Attorney General to settle alleged violations of the state’s General Business Law and of the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA). The settlement follows a LockBit ransomware attack on the firm in which files containing confidential patient information were both stolen and encrypted.

LockBit is a ransomware family that targets enterprises and government organizations rather than individual users. First observed in September 2019 under the name “ABCD” ransomware, after the .abcd extension it appended to encrypted files, it has since become one of the most prolific extortion operations. Like other crypto-ransomware, it encrypts the victim’s files and demands payment for the decryption key; LockBit operators also exfiltrate data before encrypting it and threaten to publish it if the ransom is not paid, as happened in this case. Victims span the United States, China, India, Indonesia, Ukraine, and European countries including France, the United Kingdom, and Germany. LockBit operates on a ransomware-as-a-service (RaaS) model: the core group develops and maintains the malware and its infrastructure, while affiliates who are granted access carry out intrusions against targets of their own choosing. Ransom proceeds are split between the developers and the affiliates, with affiliates keeping up to 75% of the payment.

On Christmas Day 2021, the attackers deployed LockBit ransomware across the firm’s network, encrypting legal documents, patient lists, and medical records. The exposed patient information included names, dates of birth, medical histories, treatment details, Social Security numbers, and health insurance information. On May 16, 2022, HPMB reported the breach to the HHS Office for Civil Rights as affecting 114,979 individuals. The firm hired a third-party ransomware remediation specialist to negotiate with the attackers and paid a $100,000 ransom in exchange for decryption keys and a promise not to release the stolen data. 

The investigation found that the attackers had first gained access to the firm’s network in November 2021, roughly a month before the ransomware was deployed, by exploiting unpatched vulnerabilities in the firm’s Microsoft Exchange email server. Microsoft had released fixes for those vulnerabilities in April and May 2021, but the firm had not applied them more than six months later, leaving the server exposed to a well-known attack path. The New York Attorney General’s Office then examined whether HPMB’s security practices and breach response had violated state law and the HIPAA rules. 

The NY AG identified 17 violations of the HIPAA Privacy and Security Rules, as well as violations of New York General Business Law, including the failure to implement reasonable security measures to safeguard private information and a delay in notifying the 61,438 New York residents whose data was exposed. 

The alleged HIPAA violations covered a range of shortcomings, including failing to secure electronic protected health information (ePHI), to protect against reasonably anticipated threats, to review and update data protection practices, to conduct an accurate and thorough risk analysis, and to implement appropriate security measures, among others. 

As a condition of the settlement, HPMB has agreed to establish a comprehensive information security program that includes annual risk analyses, the deployment of appropriate administrative, technical, and physical safeguards, and regular evaluation of those safeguards. The firm will also appoint a Chief Information Security Officer (CISO), encrypt all ePHI at rest and in transit, deploy centralized logging, regularly review system activity, and establish patch management and penetration testing programs. 

New York Attorney General Letitia James stressed the responsibility of organizations to protect sensitive data and keep both authorities and the public informed about data breaches. She called on businesses to enhance their data security measures to protect consumers’ digital information, warning that failure to do so would lead to repercussions from her office.