A law firm based in New York has been fined $200,000 by the Office of the Attorney General after it failed to patch vulnerabilities that had been identified months earlier. That delay allowed an attacker to gain access to client data. Because the firm represents hospitals and hospital networks, the 2021 data breach exposed electronic protected health information and other private information belonging to its clients' patients.
Violations
Because the firm handled data about its hospital clients' patients, and that data was compromised, the firm was in violation of HIPAA. The protected health information that was accessed should have been safeguarded in line with HIPAA's Privacy Rule and Security Rule.
The firm was also found to have violated the General Business Law because it failed to notify the affected individuals in a timely manner.
Actions
The law firm has agreed to a number of improvements, including:
- Using reasonable encryption where feasible
- Maintaining a comprehensive information security program
- Complying with:
  - The Executive Law
  - HIPAA's Privacy Rule and Security Rule
These obligations are in addition to the $200,000 fine.

Value Privacy’s experts are on hand to make sure that you and your company aren’t caught out by new or existing privacy laws.
You can find out more about the services we offer or just get in touch with us directly with any questions you have about how privacy laws impact you.