www.bloomberglaw.com
69.187.20.19  Public Scan

Submitted URL: https://news-api.bloomberglaw.com/v1/link?id=937cff14-8473-566f-3d08-d8240d21003a-1281&url=https%3A%2F%2Fwww.bloomberglaw.com%2Fex...
Effective URL: https://www.bloomberglaw.com/bloomberglawnews/exp/eyJpZCI6IjAwMDAwMTg3LTIzZDktZGFkYi1hZjg3LTIzZjk2ZjE0MDAwMSIsImN0eHQiOiJQVk5...
Submission: On April 10 via manual from US — Scanned from DE

Form analysis 1 forms found in the DOM

POST /client_matter/session/create

<form id="startClientMatterSessionForm" action="/client_matter/session/create" accept-charset="UTF-8" method="post"><input name="utf8" type="hidden" value="✓" autocomplete="off"><input type="hidden" name="authenticity_token"
    value="Ge/tGzGmf9Wdf0TO30TtYgaTijAN6eMd9QKTtrfDKWuULJvnXFqtw2cTK4w9LvOIC1nKvqYvljYk5xgPekgz9w==" autocomplete="off">
  <input type="hidden" name="create_client_matter" id="create_client_matter" value="false" autocomplete="off">
  <div class="content">
    <div class="informativeParagraph"> Your firm optionally allows a client matter to be selected while you are using Bloomberg Law. Please contact your administrator if you have any questions. Please select from a recently used Client Matter or
      enter a Client Matter manually. </div>
    <div class="errors">
      <div class="error" id="clientMatterLabelErrors" style="display:none"></div>
      <div class="error" id="attorneyNumberLabelErrors" style="display:none"></div>
    </div>
    <div class="recents">
      <div class="title"> RECENTLY USED </div>
      <div class="items">
      </div>
    </div>
    <div class="input">
      <div class="title"> CLIENT MATTER </div>
      <div class="inputContainer"><input type="text" name="client_matter_label" id="client_matter_label" value="" autocomplete="off" class="autocompleteTextField input_auto autocompleteForm" data-url="/autocomplete/lookup"
          data-context="CLIENT_MATTERS" data-show-no-matches="false" data-highlight-term="true" data-select-callback="applyClientMatterFromAutocompleteSelection">
        <div class="results autocompleteBox" id="client_matter_label_results" style="display: none;"></div>
      </div>
      <script>
        //<![CDATA[
        document.readyState != 'interactive' && document.readyState != 'complete' ? $(window).load(function() {
          $('#client_matter_label').bbAutocomplete();
        }) : $(document).ready(function() {
          $('#client_matter_label').bbAutocomplete();
        });
        //]]>
      </script>
      <iron-icon class="searchy" icon="blaw-ct-small:search"></iron-icon>
    </div>
    <div class="input clientMatterSuppressionCheckholder" id="clientMatterSuppressionCheckholder">
      <label>
        <input type="hidden" name="suppress_client_matter_prompt_enabled" id="suppress_client_matter_prompt_enabled" value="1" autocomplete="off">
        <input type="checkbox" name="suppress_client_matter_prompt" id="suppress_client_matter_prompt" value="1" checked="checked">
        <label for="suppress_client_matter_prompt">Do not remind me again this session</label>
      </label>
    </div>
    <div class="informativeParagraph"> Please contact your administrator if you have questions about client matter. </div>
  </div>
  <div class="buttons">
    <paper-button class="cancel" onclick="cancelClientMatterPopup();" type="button"> Cancel </paper-button>
    <paper-button class="disabled submitTheForm" onclick="BLAW.General.submitClientMatterForm();" type="button"> Submit </paper-button>
  </div>
</form>

Text Content

Privacy & Data Security Law
Illustration: Jonathan Hurtarte/Bloomberg Law
March 27, 2023, 7:23 PM


NY LAW FIRM FINED $200,000 FOR HEALTH DATA BREACH BY STATE AG

By Skye Witley

 * Heidell, Pittoni, Murphy & Bach was hacked in 2021
 * Firm failed to protect info, notify hospital clients

New York-based law firm Heidell, Pittoni, Murphy & Bach LLP must pay $200,000 in
penalties to the state and improve its cybersecurity practices after an
investigation by state Attorney General Letitia James found it responsible for a
2021 data breach.

The firm, whose clients include hospitals, experienced a cyberattack in November
2021 that exposed the private data of over 114,000 patients—including names,
birthdates, Social Security numbers, and health information—the investigation
found.

Heidell Pittoni violated New York law pertaining to data breaches and failed to
comply with several standards required by the federal healthcare privacy law,
the Health Insurance Portability and Accountability Act, according to the
assurance of discontinuance issued by the AG’s office.

The firm violated state law by “failing to provide affected New Yorkers with
timely notice” of the data breach and leaving its systems vulnerable to attack
by not quickly patching an email server security vulnerability, the
investigation found. Thousands of Microsoft Exchange email servers have been
hacked as a result of the vulnerability.

“The institutions charged with protecting this information have a responsibility
to get it right, and to keep authorities and New Yorkers informed about
breaches,” James said in a Monday statement announcing the penalty agreement.
“Companies can, and should, strengthen their data security measures to safeguard
consumers’ digital data, otherwise they can expect to hear from my office.”

A patch for the email server vulnerability was available for months, but the
firm didn’t apply it before the hacker crashed its email system with malware and
stole tens of thousands of files in December 2021, the probe found.

After an internal investigation, Heidell Pittoni paid the hackers a $100,000
ransom with the promise that exfiltrated data would be returned and deleted, but
the firm never received evidence of deletion.

Heidell Pittoni then didn’t start to notify those affected of the hack until May
2022, counter to a New York business law that requires notification “immediately
following discovery” of the breach.

The firm’s failure to protect electronic protected health information also
violated 17 different federal standards or procedural specifications required by
HIPAA’s privacy and security rules, the investigation found. These included
failing to ensure the confidentiality of ePHI and to protect it against
reasonably anticipated security threats.

Heidell Pittoni is subject to HIPAA’s rules as a business associate of its
hospital clients.

Beyond monetary fines, the firm must now implement a patch management program
and other cybersecurity measures designed to better protect its clients’
patients’ information.

To contact the reporter on this story: Skye Witley at
switley@bloombergindustry.com

To contact the editors responsible for this story: Tonia Moore at
tmoore@bloombergindustry.com; Jay-Anne B. Casuga at jcasuga@bloomberglaw.com



LAW FIRMS

 * Heidell Pittoni Murphy & Bach

TOPICS

 * digital privacy
 * hacking
 * health data privacy
 * Social Security numbers
 * email
 * breach notification

© 2023 Bloomberg Industry Group, Inc.
All Rights Reserved