Patient data compromised outside of healthcare

When it comes to the protected health information (PHI) of patients, healthcare organizations aren’t the only ones on the hook.  A New York law firm, Heidell, Pittoni, Murphy and Bach (HPMB), has just been hit with a $200,000 fine for failing to protect the electronic health records (EHR) of around 114,000 patients.  Representing New York City hospitals, the firm has access to sensitive patient data, including Social Security numbers, health insurance, treatment information and medical history. 

A server vulnerability allowed the cyber criminals into the law firm’s systems, after which they deployed ransomware.  This is standard operating procedure for many bad actors.  Unfortunately, HPMB had not applied Microsoft’s patches for this vulnerability on time.  By the time the intrusion was discovered, HPMB’s email system had been compromised, with tens of thousands of files taken.  An investigation by NY’s Office of the Attorney General accuses the firm of failing to protect personal data as required not only by state law, but by the Health Insurance Portability and Accountability Act (HIPAA) as well.

The financial costs the firm has incurred have come in waves.  Initially, as the investigation found, HPMB paid the ransom of $100,000 for the data’s return and deletion.  Now, they must pay $200,000 to the state of New York.  Further costs will come from adopting new measures to better protect sensitive data: an information security program that keeps pace with the latest technology and security updates; monitoring of network activity and employee training; and standard data collection and disposal practices.  All of these steps will add up to burden HPMB’s budget far more than it ever intended, to say nothing of any legal action the affected patients may take in the future.

Perhaps most crucial is the provision that the law firm encrypt its accumulated PHI, an area with which we at NetLib Security are intimately familiar.  Using a solution like NetLib’s Encryptionizer provides an organization with out-of-the-box, transparent encryption of data at rest, rendering that data useless to cyber criminals who gain access to it.  NetLib Security has been protecting stored data across all platforms, devices and cloud environments for over 20 years.  Companies can use Encryptionizer to satisfy a pressing security need quickly and with confidence, protecting the safety, integrity and confidentiality of sensitive data.  Encryptionizer also assists with compliance requirements like HIPAA.

HPMB ran into violations of state law and HIPAA on multiple fronts, including a failure to appropriately encrypt its data.  While not a hospital, its handling of private patient data nonetheless holds the firm to the same standards and requires the same basic protections.  Don’t be lured into a false sense of security when more security is still the very thing you need.


By: Jonathan Weicher, post on April 11, 2023
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security