Cyber Incident Victim: Coughlin & Cerhart, LLP
Date: Apr 2021
Location: United States of America
Summary
A New York-based law firm experienced a security breach involving unauthorized access to sensitive client data, potentially including names, addresses, Social Security numbers, driver's license and passport details, financial account information, medical records, and health insurance data. The incident, which may have been a ransomware attack, compromised personally identifiable information and protected health details, highlighting risks associated with legal entities storing extensive personal and medical information not covered by HIPAA regulations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early April 2021, Coughlin & Cerhart (C&G), a New York-based law firm, experienced a security breach compromising sensitive client information. The firm confirmed the incident through a press release dated around April 5, 2021, though specifics regarding the attack vector—such as whether it involved ransomware—remained undisclosed at the time of reporting. DataBreaches.net noted the firm’s failure to clarify the intrusion method despite direct inquiries. The compromised data varied by individual but included names, addresses, Social Security numbers, driver’s license numbers, passport numbers, financial account information, medical records, and health insurance details. This breach highlighted the vulnerability of legal entities storing highly sensitive personal and health-related data that typically falls outside HIPAA protections, as law firms are not classified as covered entities under the healthcare privacy law. The incident underscored systemic risks in sectors handling sensitive information without mandatory regulatory safeguards.

Coughlin & Cerhart initiated breach notifications to affected individuals shortly after discovery, though the exact timeline of detection and containment measures was not detailed in their public statement. The firm directed stakeholders to review its official press release for additional information, but no technical specifics—such as attack duration, threat actor attribution, or forensic findings—were disclosed publicly. DataBreaches.net emphasized the broader implications of the breach, noting that legal firms routinely manage medical data through litigation or client representation without being subject to healthcare-specific security requirements. The absence of confirmed details about attacker actions, system vulnerabilities, or remediation efforts left critical questions unanswered regarding the breach’s operational impact and the firm’s incident response protocols.
