www.bloomberglaw.com
69.187.20.19
Public Scan
Submitted URL: https://news-api.bloomberglaw.com/v1/link?id=937cff14-8473-566f-3d08-d8240d21003a-1281&url=https%3A%2F%2Fwww.bloomberglaw.com%2Fex...
Effective URL: https://www.bloomberglaw.com/bloomberglawnews/exp/eyJpZCI6IjAwMDAwMTg3LTIzZDktZGFkYi1hZjg3LTIzZjk2ZjE0MDAwMSIsImN0eHQiOiJQVk5...
Submission: On April 10 via manual from US — Scanned from DE
Form analysis
1 forms found in the DOM
POST /client_matter/session/create
<form id="startClientMatterSessionForm" action="/client_matter/session/create" accept-charset="UTF-8" method="post"><input name="utf8" type="hidden" value="✓" autocomplete="off"><input type="hidden" name="authenticity_token"
value="Ge/tGzGmf9Wdf0TO30TtYgaTijAN6eMd9QKTtrfDKWuULJvnXFqtw2cTK4w9LvOIC1nKvqYvljYk5xgPekgz9w==" autocomplete="off">
<input type="hidden" name="create_client_matter" id="create_client_matter" value="false" autocomplete="off">
<div class="content">
<div class="informativeParagraph"> Your firm optionally allows a client matter to be selected while you are using Bloomberg Law. Please contact your administrator if you have any questions. Please select from a recently used Client Matter or
enter a Client Matter manually. </div>
<div class="errors">
<div class="error" id="clientMatterLabelErrors" style="display:none"></div>
<div class="error" id="attorneyNumberLabelErrors" style="display:none"></div>
</div>
<div class="recents">
<div class="title"> RECENTLY USED </div>
<div class="items">
</div>
</div>
<div class="input">
<div class="title"> CLIENT MATTER </div>
<div class="inputContainer"><input type="text" name="client_matter_label" id="client_matter_label" value="" autocomplete="off" class="autocompleteTextField input_auto autocompleteForm" data-url="/autocomplete/lookup"
data-context="CLIENT_MATTERS" data-show-no-matches="false" data-highlight-term="true" data-select-callback="applyClientMatterFromAutocompleteSelection">
<div class="results autocompleteBox" id="client_matter_label_results" style="display: none;"></div>
</div>
<script>
//<![CDATA[
document.readyState != 'interactive' && document.readyState != 'complete' ? $(window).load(function() {
$('#client_matter_label').bbAutocomplete();
}) : $(document).ready(function() {
$('#client_matter_label').bbAutocomplete();
});
//]]>
</script>
<iron-icon class="searchy" icon="blaw-ct-small:search"></iron-icon>
</div>
<div class="input clientMatterSuppressionCheckholder" id="clientMatterSuppressionCheckholder">
<label>
<input type="hidden" name="suppress_client_matter_prompt_enabled" id="suppress_client_matter_prompt_enabled" value="1" autocomplete="off">
<input type="checkbox" name="suppress_client_matter_prompt" id="suppress_client_matter_prompt" value="1" checked="checked">
<label for="suppress_client_matter_prompt">Do not remind me again this session</label>
</label>
</div>
<div class="informativeParagraph"> Please contact your administrator if you have questions about client matter. </div>
</div>
<div class="buttons">
<paper-button class="cancel" onclick="cancelClientMatterPopup();" type="button"> Cancel </paper-button>
<paper-button class="disabled submitTheForm" onclick="BLAW.General.submitClientMatterForm();" type="button"> Submit </paper-button>
</div>
</form>
Text Content
Privacy & Data Security Law

Illustration: Jonathan Hurtarte/Bloomberg Law

March 27, 2023, 7:23 PM

NY LAW FIRM FINED $200,000 FOR HEALTH DATA BREACH BY STATE AG

By Skye Witley, Reporter

* Heidell, Pittoni, Murphy & Bach was hacked in 2021
* Firm failed to protect info, notify hospital clients

New York-based law firm Heidell, Pittoni, Murphy & Bach LLP must pay $200,000 in penalties to the state and improve its cybersecurity practices after an investigation by state Attorney General Letitia James found it responsible for a 2021 data breach.

The firm, whose clients include hospitals, experienced a cyberattack in November 2021 that exposed the private data of over 114,000 patients—including names, birthdates, Social Security numbers, and health information—the investigation found.

Heidell Pittoni violated New York law pertaining to data breaches and failed to comply with several standards required by the federal healthcare privacy law, the Health Insurance Portability and Accountability Act, according to the assurance of discontinuance issued by the AG’s office.

The firm violated state law by “failing to provide affected New Yorkers with timely notice” of the data breach and leaving its systems vulnerable to attack by not quickly patching an email server security vulnerability, the investigation found. Thousands of Microsoft Exchange email servers have been hacked as a result of the vulnerability.

“The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches,” James said in a Monday statement announcing the penalty agreement. “Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office.”

A patch for the email server vulnerability was available for months, but the firm didn’t apply it before the hacker crashed its email system with malware and stole tens of thousands of files in December 2021, the probe found.

After an internal investigation, Heidell Pittoni paid the hackers a $100,000 ransom with the promise that exfiltrated data would be returned and deleted, but the firm never received evidence of deletion.

Heidell Pittoni then didn’t start to notify those affected of the hack until May 2022, counter to a New York business law that requires notification “immediately following discovery” of the breach.

The firm’s failure to protect electronic protected health information also violated 17 different federal standards or procedural specifications required by HIPAA’s privacy and security rules, the investigation found. These included failing to ensure the confidentiality of ePHI and to protect it against reasonably anticipated security threats.

Heidell Pittoni is subject to HIPAA’s rules as a business associate of its hospital clients.

Beyond monetary fines, the firm must now implement a patch management program and other cybersecurity measures designed to better protect its clients’ patients’ information.

To contact the reporter on this story: Skye Witley at switley@bloombergindustry.com

To contact the editors responsible for this story: Tonia Moore at tmoore@bloombergindustry.com; Jay-Anne B. Casuga at jcasuga@bloomberglaw.com

LAW FIRMS
* Heidell Pittoni Murphy & Bach

TOPICS
* digital privacy
* hacking
* health data privacy
* Social Security numbers
* email
* breach notification

© 2023 Bloomberg Industry Group, Inc.