New York AG fines Heidell Pittoni $200k for 2021 data breach

Attorney General of New York

Today (27 March), New York Attorney General Letitia James announced that she has secured $200,000 from Heidell, Pittoni, Murphy & Bach LLP (HPMB), a law firm with offices in New York and Connecticut, over a 2021 data breach that exposed the personal information of roughly 114,000 patients, including 60,000 New York residents.

HPMB is a law firm that represents hospitals in the New York City area. In that role it holds confidential patient details such as dates of birth, Social Security numbers, health insurance information, medical records, and other information about patients' medical treatment, and is responsible for safeguarding them.

Attorney General James announced today that HPMB's data security failures violated not only state law but also HIPAA, which required HPMB to implement stronger data security measures. HPMB must now pay $200,000 to the state and strengthen its cybersecurity program so that patients' private and personal health information stays protected.

Attorney General James issued a statement stressing the seriousness of safeguarding digital information. She said that the responsibility to handle this information appropriately falls on the organizations entrusted with it, and that those organizations must promptly notify the public and the authorities in the event of a breach. The Attorney General also urged companies to improve their security measures to protect consumers' digital data, warning that failure to do so will bring consequences from her office.

In November 2021, an attacker exploited a vulnerability in HPMB's Microsoft Exchange email server to gain access to the firm's network. Microsoft had released a patch for the vulnerability months earlier, but HPMB had not applied it in time, leaving the server exposed. In December 2021, the intruder deployed malicious software on HPMB's network, which disrupted its email service. HPMB later determined that tens of thousands of documents had potentially been exfiltrated from its network. These documents contained sensitive electronic patient and confidential information, such as names, Social Security numbers, dates of birth, and/or health records, affecting 114,979 people in total, including 61,438 New York residents.

In May 2022, HPMB began notifying individuals whose personal information had been compromised in the incident. The Office of the Attorney General concluded that HPMB had failed to implement suitable safeguards for personal information in several respects. HPMB did not comply with several measures mandated by HIPAA, which applied to HPMB because of its work for hospitals and medical facilities. These included conducting regular risk assessments of its systems, encrypting confidential data on its servers, and applying appropriate data minimization practices.

Under today's agreement, HPMB must pay a $200,000 penalty to the state and take the steps necessary to safeguard its patients' confidential health information going forward.

The following statement was sent to us by HPMB.

HPMB found some strange activity on their network on December 25, 2021. They quickly got their IT team involved and hired a law firm that is an expert in cybersecurity and data privacy to help them investigate further. Furthermore, they brought in outside experts to help analyze any unauthorized activity. HPMB worked closely with federal and state authorities, as well as their institutional clients, to fully cooperate with the investigation.

A thorough examination was carried out until April 22, 2022, and it was found that some personal data was affected in this occurrence. The affected data mainly consisted of names and birth dates. It is important to mention that less than 1% of the people whose personal data was impacted had their Social Security numbers included.

People who may have been affected were told through mail and public announcements. They were given instructions on how to keep their information safe. To ensure safety and lessen any danger after this mishap, HPMB also provided free credit monitoring and protection against identity theft to those who may have been impacted. HPMB hasn't found any proof that shows anyone was or will be using their personal information wrongfully due to this incident.

Ensuring the safety of confidential data is a top priority for HPMB. The company has implemented various measures, such as security protocols, guidelines, and processes, to prevent comparable instances from emerging again. Since the date of December 25, 2021, no incidents of a similar nature have taken place.

HPMB deeply apologizes for any inconvenience caused by this occurrence and is committed to safeguarding personal and health-related information. Should you have any queries regarding this event, do not hesitate to contact us via email at [email protected].
