NEW YORK LAW FIRM DATA BREACH

-

It is 2023 and almost every company in the world handles peoples data. But while certain regions of the world are not as advanced in protecting data privacy of data subjects, I was quite  surprised to read about this particular data breach in the news. 

 On March 27, 2023, New York Attorney General Letitia James announced that a New York-based law firm (Heidell, Pittoni, Murphy & Bach LLP) had agreed to pay $200,000 in penalties and enhance its cybersecurity practices to settle charges stemming from a 2021 data breach.

The New York AG alleged that, in November 2021, the firm experienced a cybersecurity incident in which attackers acquired the private data of over 114,000 patients of hospitals who were clients of the firm, including names, Social Security numbers, dates of birth and health information. The cause of the breach was a software vulnerability for which a patches had been issued, but allegedly not implemented by the firm. The AG’s investigation determined that the firm failed to take reasonable measures to protect consumer personal information, such as conducting risk assessments or implementing encryption for the data, in violation of HIPAA and New York state law. 

In addition to the monetary penalty and obligation to implement an enhanced information security program, the settlement also requires the firm to offer affected consumers two years of complimentary credit monitoring and identity theft protection services (if such services were not already offered). The firm neither admitted nor denied the Attorney General's allegations as part of the settlement.

 I wondered why and how a Law firm handling the data of over 144,000 thousand patients of hospitals failed to take reasonable measures to protect consumer personal information, such as conducting risk assessments or implementing encryption for the data, in violation of HIPAA and New York state law.

Do they not have a Data Privacy officer? Have they not heard of OneTrust?  I am quite curious to know how this happened. I am quite sure this breach will never happen again at least for this particular law firm- this reflects the value of having data privacy laws and adequate penalty. No law firm would want to have to form out $200,000. also, that amount could have been way more!


Comments

Post a Comment

Popular posts from this blog

PART 1 : LACK OF OPENNESS AND TRANSPARENCY BY AD TECH COMPANIES TOWARDS DATA SUBJECTS FACING DATA PRIVACY VIOLATIONS WITH A FOCUS ON RE-IDENTIFICATION

-
  LACK OF OPENNESS AND TRANSPARENCY BY AD TECH COMPANIES TOWARDS DATA SUBJECTS FACING DATA PRIVACY VIOLATIONS WITH A FOCUS ON RE-IDENTIFICATION   I.           INTRODUCTION Daily, data subjects’ information is pumped into cyberspace, thereby creating an avenue for more data privacy breaches. Mobile phones and laptops are tools used to input data online, particularly through social media apps and from access to the world wide web. Social media houses millions of data in the form of photos, texts, likes, retweets, reshares, and posts. Data is gold for commercial entities via Advertising Technologies (or Adtech) companies who use the data to understand customer behavior and target advertising. Social Media platforms either use the data retrieved from their customers for their businesses or sell it to other companies or third-party brokers. [1] While these tech companies collecting data from users claim the data is de-id...
Read more

Technochauvinism

-
  As human beings, our role in the technological world cannot be downplayed. While high-tech computers have the power to make complex calculations that humans cannot, we must remember that it is humans that feed it this data in the first place and if one piece of information is left out, the output is automatically flawed. The computer cannot fix itself the way a human being can heal when injured. As I was taught in my computer studies class in secondary school, “ Garbage in, garbage out."  Not only are we not the same, but we are also superior.  How can the created be greater than the creator? Techno chauvinism might falsely make us believe that technology in the form of Artificial Intelligence is more superior to humans. Unfortunately, it is against this back drop that Ayn Randian meritocracy- techno libertarian political values exist. Meredith Brousard in her book “ Artificial Unintelligence, How Computers Misunderstand the world,” states that under this mindset,...
Read more

An email from my father

-
  I believe an email can be   persistent, visible, searchable , and   spreadable   depending on the kind of architecture or social media device one uses to manipulate it. Danah Boyd’s 2014 article  titled "It's complicated, the social lives of teens,"  reminds me so much of an email my late father sent to my older sister when she was in the UK for her bachelor’s degree. At the time I was in high school in Nigeria and my dad was about to take a medical trip abroad, so I wrote a list of things I needed for my high school prom which was to happen in a few months’ time, and I tasked him and my older sister to get my prom dress for me. Attached to the list was a cut-out  from a magazine of a dress Beyonce wore for some award, so they would have an idea of the kind of prom dress I wanted. Quite frankly my father could not deal so he sent an email to my sister which said, “Uju, The attached is a scanned photo of Beyonce, which as you may be aware is Adaeze’s ...
Read more