Lawyers cough up $200k after health data stolen in Microsoft Exchange pillaging
In addition to $100k given to LockBit
New York law firm Heidell, Pittoni, Murphy and Bach (HPMB) has agreed to pay $200,000 to settle a data-breach lawsuit related to the now-notorious Hafnium Microsoft Exchange attacks that siphoned sensitive data from victims around the world.
In 2021, months after Redmond had fixed the security flaws in servers running its code, criminals exploited these vulnerabilities to gain access to HPMB's unpatched systems (and many others) before deploying ransomware and stealing sensitive data belonging to the firm's clients, including hospitals.
After breaking into the law firm's email server, the crooks stole copies of tens of thousands of files containing health-related info, names, dates of birth, social security and drivers' license numbers, and biometric data belonging to 114,979 individuals, according to court documents [PDF].
New York Attorney General Letitia James, who brought the lawsuit against the lawyers, blamed HPMB's poor data security practices for the privacy breach. In addition to paying the settlement fee, the law firm also agreed to implement a number of security measures — including encrypting private and health information, establishing a patch management program, and performing penetration testing — to better protect private data in the future.
The settlement also requires the law firm to hire a third-party assessor to review its new infosec program and report back to the New York attorney general in one year, and then annually for five years thereafter.
"Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud," James said in a statement. "Companies can, and should, strengthen their data security measures to safeguard consumers' digital data, otherwise they can expect to hear from my office."
The now-infamous Microsoft Exchange attacks, in which Beijing-backed snoops and other miscreants exploited four zero-day vulnerabilities in the email platform to steal data from US-based defense contractors, law firms, and infectious disease researchers, happened in early March 2021.
Microsoft patched the bugs in April and May 2021. However, according to the court documents, by November 2021, HPMB's systems remained unpatched — and that's when the miscreants broke in.
- Microsoft fixes four zero-day flaws in Exchange Server exploited by China's 'Hafnium' spies to steal victims' data
- Lawyers slam SEC for 'blatant fishing expedition' after Exchange mega-attack
- Microsoft's GitHub under fire after disappearing proof-of-concept exploit for critical Microsoft Exchange vuln
- FTC: BetterHelp pushed users to share mental health info then gave it to Facebook
About a month later, around Christmas 2021, the attacking crew deployed LockBit ransomware on the infected systems, which finally tipped off HPMB personnel to the intrusion. The law firm disconnected its servers from the internet, hired a cybersecurity firm to conduct a forensic investigation, and ultimately paid the crooks a $100,000 ransom in exchange for the stolen data. But they never received the promised proof that the data had been deleted.
In May 2022, HPMB began alerting folks whose personal information was swiped during the intrusion.
During its investigation into the privacy breach, the New York AG's office determined that the law firm's data security failures violated not only state law, but also the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which outlines privacy and information security protection that Americans can expect for their medical information.
These HIPAA data-security requirements cover the law firm because of its business relationship with hospitals. We'd imagine other companies are taking note of the penalty and hopefully updating their patching schedule. ®