Cyber Incident Victim: Warner Norcross & Judd LLP

Date: Oct 2021

Location: United States of America

Summary

A Michigan-based law firm experienced a cyberattack compromising protected health information and sensitive personal data of over 255,000 individuals, including health plan members. The breach involved unauthorized access to systems storing extensive details such as Social Security numbers, financial account information, prescription records, and decade-old pharmacy claims data. Discovery occurred nearly a year before reporting, prompting criticism regarding delayed notifications and retention practices for outdated sensitive information. Forensic investigation revealed no evidence of data misuse, but experts highlighted concerns about the volume of exposed health data and questioned the necessity of maintaining such detailed records long-term. The incident impacted multiple clients, with one health plan confirming 120,000 affected members despite the firm's broader reported impact.

Description

Warner Norcross & Judd LLP discovered unauthorized activity in its systems on October 22, 2021, prompting immediate network security measures and engagement of a digital forensics firm to investigate. The Michigan-based law firm confirmed through data mining and manual review that protected health information of 255,160 individuals was compromised, including members of client Priority Health, a Michigan health plan. Exposed data included names, dates of birth, Social Security numbers, financial account details, government IDs, health information, and life insurance policy data. Priority Health disclosed that 120,000 of its members were affected, with compromised records containing pharmacy claim information from 2012 such as drug names, prescription fill dates, and insurer details. The law firm attributed the delay in individual notifications to challenges in verifying current mailing addresses, maintaining there was no evidence of data misuse. Forensic analysis revealed the breach involved a network server, though specific attacker methodologies were not disclosed.

WNJ first reported the incident to Maine's attorney general on July 11, 2022, as affecting 19,000 individuals including seven Maine residents, then revised this to 214,000+ individuals with 131 Maine residents in an August 17 update. The firm formally notified the U.S. Department of Health and Human Services on August 24, 2022—10 months post-discovery—listing the breach as a hacking/IT incident. Priority Health issued its own breach notice in July 2022, clarifying that WNJ held legacy data for an active legal project. Experts noted the nine-month notification delay exceeded HIPAA's 60-day requirement for breaches affecting 500+ individuals, questioning both the retention of decade-old PHI and the adequacy of its protection. The incident highlighted risks associated with law firms storing large volumes of sensitive health data while managing third-party legal projects.
