The San Francisco, CA-based law firm, Orrick, Herrington & Sutcliffe LLP, is facing a class action lawsuit over a ransomware attack and data breach that was detected on March 13, 2023. The law firm determined that part of its network had been compromised by an unauthorized third party, which gained access to a file share that was used to store client files. The unauthorized access was immediately blocked; however, the forensic investigation confirmed that files containing personal information had been exfiltrated from its servers between February 28 and March 13, 2023. The compromised information included names, addresses, dates of birth, and Social Security numbers. The law firm offered the affected individuals complimentary credit monitoring and identity theft protection services.

On August 11, 2023, a lawsuit was filed in the U.S. District Court for the Northern District of California on behalf of plaintiff Dennis R Werley, and more than 152,818 similarly situated individuals who had their personal information compromised in the attack. The lawsuit alleges the law firm failed to implement adequate and reasonable measures to protect its computer systems, failed to take adequate steps to prevent and stop the breach, did not detect the breach in a timely manner, failed to disclose material facts that adequate system security measures were not in place to prevent data breaches, failed to honor repeated promises and representations to protect the information of the breach victims, then failed to provide timely notifications. According to the lawsuit, “Thanks to Defendant’s failure to protect the Breach Victims’ Personal Information, cyber criminals were able to steal everything they could possibly need to commit nearly every conceivable form of identity theft and wreak havoc on the financial and personal lives of potentially millions of individuals.”

The lawsuit alleges the plaintiff and class members have had their privacy violated and have been victims of identity theft and fraud or have been exposed to a heightened and imminent risk of fraud and identity theft, and have and will continue to incur out-of-pocket costs for credit monitoring services, credit freezes, and other protective measures. The lawsuit includes a long list of cybersecurity measures that the law firm could and should have implemented to prevent the data breach but failed to do so.

The lawsuit alleges negligence, negligence per se, breach of fiduciary duty, breach of confidence, breach of implied contract, and invasion of privacy and seeks a jury trial, compensatory damages, adequate credit monitoring services, and injunctive relief, including an order from the court requiring the law firm to implement a swathe of security measures to prevent future data breaches.

The post Orrick, Herrington & Sutcliffe Sued Over Ransomware Attack and Data Breach appeared first on HIPAA Journal.