New York Law Firm Fined $200,000 After Not Protecting Data

A law firm based in New York has been fined $200,000 by the Office of the Attorney General. The firm failed to patch vulnerabilities that had been identified months previously, which meant someone was able to attack and access client data. The firm represents hospitals and hospital networks as part of its work, so the 2021 data breach impacted electronic protected health information and other private information relating to its clients’ patients.


Because the firm works with hospitals and data regarding their patients was compromised, the firm was in violation of HIPAA. The protected health information that was accessed should have been protected according to HIPAA’s Privacy Rule and Security Rule.

Additionally, the firm was found to have violated the General Business Law because it failed to notify the impacted individuals in a timely manner.


The law firm has had to agree to a number of improvements, including:

  • Using reasonable encryption where feasible
  • Maintaining a comprehensive information security program
  • Complying with:
    • Executive Law
    • HIPAA’s Privacy Rule and Security Rule

This is in addition to having to pay the $200,000 fine. 
