Cyber Incident Victim: Heidell, Pittoni, Murphy & Bach, LLP
Date: Dec 2021
Location: United States of America
Summary
A law firm detected suspicious activity on its network and determined that an unauthorized actor had gained access, potentially compromising sensitive personal and medical information, including names, birth dates, Social Security numbers, and treatment details, for over 114,000 individuals. The organization notified federal health authorities of the security incident and responded by revising its system security protocols and information management procedures.
Description
On December 25, 2021, Heidell, Pittoni, Murphy & Bach, LLP (HPM&B) detected suspicious activity within its network environment, prompting an immediate investigation. The law firm determined that an unauthorized actor had gained access to certain portions of its systems, compromising sensitive information belonging to individuals. The investigation confirmed the incident involved unauthorized access to data stored on HPM&B's network, though neither the duration of exposure nor the intrusion methodology was publicly disclosed. On May 16, 2022, HPM&B formally notified the U.S. Department of Health and Human Services Office for Civil Rights (OCR) about the breach, reporting that 114,979 individuals were affected. The compromised data included personally identifiable information such as full names, dates of birth, and Social Security numbers, alongside protected health information in the form of medical treatment details. No evidence suggested that broader system-wide destruction or ransomware deployment occurred during the incident. The firm did not specify in its public notification whether the breach stemmed from external attackers, insider threats, or compromised credentials.

In response to the security incident, HPM&B implemented updates to its policies and procedures focusing on enhancing system security controls and information lifecycle management practices. These operational changes aimed to address vulnerabilities exposed by the breach, though the firm did not disclose technical specifics regarding the implemented safeguards. The compromised medical and identification data exposed affected individuals to potential identity theft, financial fraud, and unauthorized disclosure of sensitive health conditions. HPM&B's notification to OCR occurred nearly five months after initial detection, indicating the investigation and impact assessment required significant time to complete. The firm did not publicly report whether law enforcement agencies were involved in investigating the incident or whether affected individuals received complimentary credit monitoring services. The breach highlighted risks associated with storing highly sensitive personal and health information within legal sector networks, particularly given the volume of records involved.
