The Californian law firm Orrick, Herrington & Sutcliffe has recently confirmed that a cyberattack that was detected in March 2023 has affected more than 637,000 individuals. The Orrick, Herrington & Sutcliffe data breach was reported to the HHS’ Office for Civil Rights on June 30, 2023, as affecting 40,823 individuals, then on July 20, 2023, the law firm notified the Maine Attorney General that the breach had affected 152,818 individuals. An updated notification was sent to the Maine Attorney General on August 18, 2023, with an increased total of 461,100 affected individuals. Another update was issued on December 29, 2023, with an increased total of 637,620 individuals. This appears to be the final total, as the law firm said it does not anticipate providing notifications on behalf of any further affected businesses.

The services provided by Orrick, Herrington & Sutcliffe include legal counsel for companies that have suffered security incidents and data breaches, including handling regulatory requirements such as notifications to state authorities and the individuals whose sensitive data was exposed. The law firm’s experience in issuing notifications has grown considerably in 2023 with its own consumer notifications, which were sent in July, August, September, and November.

The nature of the services provided by the law firm means many of the individuals affected by the data breach had been affected by data breaches at other companies who availed of Orrick, Herrington & Sutcliffe’s services for their own breach responses. For instance, individuals who had vision plans from EyeMed Vision Care, dental plans from Delta Dental, and health insurance from MultiPlan and Beacon Health Options (Carelon). Another client affected was the U.S. Small Business Administration.

Settlement Proposed to Resolve Class Action Data Breach Lawsuits

Several lawsuits were filed in response to the data breach that Orrick, Herrington & Sutcliffe has chosen to settle quickly. Four of those lawsuits made similar claims and were consolidated into a single class action lawsuit in California Federal Court – In Re: Orrick, Herrington & Sutcliffe LLP Data Breach Litigation. The lawsuits alleged the law firm should have been well aware of the risk of ransomware attacks and data breaches due to extensive media reports, warnings from the Federal Bureau of Investigation, and the attacks suffered by the law firm’s clients. They claimed the cyberattack and data breach could have and should have been prevented had the law firm implemented necessary and appropriate cybersecurity measures and followed industry best practices for cybersecurity.

In a court filing on December 21, 2023, Orrick, Herrington & Sutcliffe said a settlement is being finalized and an agreement in principle has been reached. The law firm said it expects to present the settlement to U.S. District Judge Susan Illston for approval in early January. Orrick, Herrington & Sutcliffe issued a statement saying it regretted the “inconvenience and distraction that this malicious incident caused,” and that the law firm is happy to have reached a settlement within a year to bring the matter to a close. Details of the settlement have yet to be made public; however, attorney William Federman, who is representing the plaintiffs, confirmed that the settlement is reasonable and fair and will resolve all pending litigation.

The post Orrick, Herrington & Sutcliffe Data Breach Affected 637,000 Individuals appeared first on HIPAA Journal.

The Foleck Center in Virginia and Mountain Dermatology Specialists in Colorado have discovered unauthorized access to employee email accounts and the exposure of patient data.

The Foleck Center Discovers Forwarding Rule on Employee Email Account

The Foleck Center, a provider of cosmetic, implant, and general dentistry services in Norfolk, Hampton, and Virginia Beach, has recently notified 6,965 patients that some of their protected health information has been acquired by an unauthorized individual.

On October 26, 2023, The Foleck Center was made aware that one of its employees had a forwarding rule on their email account that sent emails to a Gmail account. The Foleck Center contacted its managed IT service provider, which performed a forensic investigation. Rather than this being a HIPAA violation by the employee, the forensic investigation revealed that an unauthorized third party had gained access to the email account and set up the forwarding rule on September 4, 2023.

Copies of all emails sent to the employee’s account between September 4, 2023, and October 31, 2023, were forwarded to the Gmail account. The Gmail account had not been sent up by the employee or anyone else at The Foleck Center. The IT company secured the account and implemented additional safeguards to prevent mailbox rules from being set up for external forwarding.

While it was possible to tell which emails had been forwarded between September 4, 2023, and October 31, 2023, it was not possible to determine if any other emails in the account had been read or copied. All emails were reviewed to check which patient data had been exposed or stolen, and all individuals whose PHI was present in the account were notified. The information exposed varied from individual to individual and may have included names, addresses, dates of birth, employer name and address, dates and office locations of treatment/appointments, employer name and address, our patient and system ID numbers, and insurance information. A limited number of patients also had their Social Security numbers and/or driver’s licenses exposed.

The Foleck Center said it already provides HIPAA and security awareness training for employees several times a year, and additional training is now being provided to improve password and network security further.

Email Account Breach Reported by Mountain Dermatology Specialists

Mountain Dermatology Specialists in Edwards and Dillion, CO, has also recently reported an email account breach that was detected on October 26, 2023. An unauthorized individual gained access to the email account of one of its employees and used the account to send phishing emails to contacts within the mailbox.

The forensic investigation confirmed there had been unauthorized access to the email account between October 24, 2023, and October 26, 2023. A review of the emails in the account confirmed that the protected health information of 2,705 patients was exposed, including full names, addresses, dates of birth, phone numbers, email addresses, dates of treatment, types of treatment, conditions/diagnoses, medications, health insurance information, and cost/billing information/amount paid. A limited number of individuals also had their Social Security numbers and/or compensation/benefits information exposed.

Mountain Dermatology Specialists said it has implemented additional technical safeguards, performed password resets, and reinforced security awareness training for the workforce.

The post Email Accounts Compromised at The Foleck Center, Mountain Dermatology Specialists appeared first on HIPAA Journal.