New York Attorney General Settles with Law Firm Over Data Breach

On March 27, 2023, New York Attorney General Letitia James announced that a New York-based law firm (Heidell, Pittoni, Murphy & Bach LLP) had agreed to pay $200,000 in penalties and enhance its cybersecurity practices to settle charges stemming from a 2021 data breach. 

The New York AG alleged that, in November 2021, the firm experienced a cybersecurity incident in which attackers acquired the private data of over 114,000 patients of hospitals that were clients of the firm, including names, Social Security numbers, dates of birth and health information. The cause of the breach was a software vulnerability for which a patch had been issued but allegedly not implemented by the firm. The AG’s investigation determined that the firm failed to take reasonable measures to protect consumer personal information, such as conducting risk assessments or implementing encryption for the data, in violation of HIPAA and New York state law.

In addition to the monetary penalty and obligation to implement an enhanced information security program, the settlement also requires the firm to offer affected consumers two years of complimentary credit monitoring and identity theft protection services (if such services were not already offered). The firm neither admitted nor denied the AG’s allegations as part of the settlement.
