Getty Images

Orrick Law Firm's Security Mishap Leads to Healthcare Data Breach Lawsuit 

The law firm, once counseled in a 2020 healthcare data breach lawsuit for a vision benefits plan manager, now grapples with one of its own.

From defender to defendant, Orrick Law Firm shifts gears after a data breach on its systems jeopardized the privacy of more than 152,818 individuals and landed the law firm with its own healthcare data breach lawsuit. 

On March 7, 2023, hackers remotely accessed the law firm's system, which contained a shared network of client files. Yet, it wasn't until March 13 that the breach was discovered, by which time the damage had been done. 

The information potentially included names, addresses, birth dates, and Social Security numbers. 

Notably, among the compromised files were those of patients from a vision benefits plan, who had previously been involved in a separate security incident from 2020. 

In its initial breach notice, Orrick Law Firm stated it had taken numerous steps to prevent future breaches. They reported the incident to the authorities and have been actively cooperating with ongoing investigations. Additionally, with the guidance of external cybersecurity experts, the firm has bolstered its digital security measures. 

Yet, the fallout continues. A class-action lawsuit was swiftly filed, alleging that Orrick Law Firm did not take sufficient precautions to secure client data, allowing this significant breach to occur. 

The lawsuit alleges negligence on multiple fronts: from not having robust security systems in place, and not detecting the breach in a timely manner, to an alleged lack of transparency about their cybersecurity readiness. 

The lead plaintiff in the lawsuit claims personal repercussions from the breach, including a surge in spam calls from individuals attempting to deceive using the stolen personal information. This uptick in deceptive spam is reportedly much higher than the average American encounters. 

Highlighting the premeditated nature of the attack, the lawsuit references a 2020 "Ransomware Guide" by the US Cybersecurity and Infrastructure Security Agency (CISA). The guide warns of evolving ransomware tactics, where cybercriminals not only lock data but also threaten its release if ransoms aren't paid. They further resort to public humiliation to pressure victims. 

Furthermore, the plaintiff argues that the firm should have adhered to several of the guide's recommendations to prevent such attacks, including timely system updates, cautious handling of email attachments, and careful navigation of online links and website addresses. 

Next Steps

Dig Deeper on Cybersecurity strategies