The New York attorney general has hit Heidell, Pittoni, Murphy & Bach (HPMB), a law firm representing hospitals, with a $200,000 fine for poor data security that allegedly allowed a 2021 ransomware attack to expose 114,000 people's sensitive information.

The investigation revealed that the attacker had taken advantage of a Microsoft Exchange vulnerability that had been identified more than six months earlier. Despite Microsoft having released fixes for the bugs, the firm allegedly failed to apply the patch in a timely manner.

In May 2022, the firm notified those affected by the breach after conducting an investigation of the leaked files. The Office of the Attorney General determined that the firm had violated data protection standards mandated by the Health Insurance Portability and Accountability Act (HIPAA), which protects medical information privacy.

The settlement will also require HPMB to adopt an array of security measures, including safeguarding private information, developing a penetration testing program, updating data retention policies and developing a “comprehensive information security program.” This is not the first time the New York attorney general has been aggressive in punishing companies deemed at fault for data breaches. Last October, the office fined the e-commerce retailer Zoetop $1.9 million for its handling of a leak. The United Kingdom’s data protection authority has also fined the London firm Tuckers Solicitors LLP about $120,000 for allegedly violating standards laid out in data protection laws.

How to Protect Your Law Firm against Ransomware Attacks

"Ransomware attacks can be a major headache for law firms," said Chris Close, a cybersecurity expert with Cyber Sleuth Security, a leader in cybersecurity operations. "But with the correct preparation and protocols in place, law firms can protect themselves from these threats."

When asked what the first step should be, Close said: "The most important thing to do is to make sure all critical systems and data are backed up regularly. This way, if ransomware does manage to get through, you won't have to pay the ransom to recover your data."

Close also said that keeping all software up to date is a crucial step in preventing ransomware attacks: "Software updates often contain security patches that protect against new threats. So make sure your systems are always up to date to avoid becoming a target."

Finally, Close stressed the importance of employee education: "It's important to train your staff on the risks of ransomware and how to recognize the signs of an attack. This will help them identify threats before they have a chance to do any damage."
Law firm fined $200,000 over ‘poor data security’ that led to ransomware attack