Law Firm Says Year-Old Hack Affected PHI of 255,000 People
Besides a Lag in Reporting, Some of the Compromised Data Was a Decade Old
… Keith Fricke, principal consultant at privacy and security consultancy tw-Security, offers a similar assessment. “What is concerning about the incident is the amount of PHI involved,” Fricke says. “It makes you take pause and ask how many other law firms store, process or transmit such large amounts of PHI and how well protected it is.”
Although HIPAA requires health data breaches affecting 500 or more individuals to be reported to HHS within 60 days of discovery, the WNJ incident illustrates some of the challenges many organizations face in uncovering details during incident response, some experts say.
“Forensic investigations of breaches take a lot of time, unlike how television shows portray that process,” Fricke says. Nonetheless, the apparent nine-month lag between WNJ discovering the data security incident in October 2021 and first reporting it to state regulators in July 2002 “does seem like an unusually long time before notifying affected individuals,” he says.
“Any business associate should be aligning its practices with HIPAA requirements. The fact this breach involves a law firm doesn’t make it any different from any other BA’s obligations,” he says.
… Law firms should also take note of this incident, Fricke says. “This is yet another example of criminals not being discriminant about their targets. Criminals may see them as targets of intent rather than the target of opportunity.”