Did Data Theft at Firm Also Affect Other Clients’ Information?
Thompson Coburn, a Missouri-based national law firm whose practice areas include data breach law, has itself been hit by a hacking incident.
The law firm says the data breach has affected an unspecified number of patients of a healthcare sector client, Presbyterian Healthcare Services in New Mexico, which has now suffered at least four breaches in five years. But a big unanswered question is whether other clients were affected.
Thompson Coburn, in a breach notice posted on Presbyterian Healthcare Services’ website, said the incident was first detected on May 29 when the law firm became aware of suspicious activity within its network.
Presbyterian Healthcare Services operates more than 100 physician and specialty clinics and nine full-service hospitals across New Mexico. The group also offers individual, family, Medicare Advantage and state Medicaid health plans.
Thompson Coburn said an unauthorized actor stole some files between May 28 and May 29.
“A detailed review of the affected files was undertaken and through that review, we determined that certain protected health information related to certain patients of PHS was contained within those files,” the law firm said.
Potentially compromised information includes Presbyterian Healthcare Services patient name, Social Security number, date of birth, medical record number, patient account number, prescription and treatment information, clinical information, medical provider information, and health insurance information.
As of Thursday, the incident had not been posted to the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Thompson Coburn said so far there is no indication of identity theft or fraud stemming from the breach. “Upon becoming aware of this incident, Thompson Coburn promptly took steps to investigate the incident and implemented additional security enhancements to further protect against similar incidents,” the notice said.
Neither Thompson Coburn nor Presbyterian Healthcare Services immediately responded to Information Security Media Group’s request for additional details about the incident, including the number of individuals affected, the type of legal services the law firm provided, and whether any other Thompson Coburn clients were affected by the hack.
Were Other Clients Affected?
So far, Thompson Coburn – which offers a long list of legal services, including data breach litigation in an array of industries besides healthcare – has not publicly disclosed whether other clients’ information was also potentially compromised in the incident.
But some experts not involved in the Thompson Coburn hack suspect that could be the case.
“If the threat actor was inside their network, as it appears was the case here, it is certainly possible and perhaps even likely that they gained access to data of other Thompson Coburn clients,” said Jon Moore, chief risk officer at privacy and consulting firm Clearwater. “At a minimum, a forensic analysis will be required and even that might not be able to determine with certainty what files or data the threat actor accessed.”
In the meantime, there are a few reasons why this incident might not yet have resulted in additional breach notifications, Moore said.
“For example, the primary responsibility for notification of individuals whose electronic PHI is breached resides with the covered entity. A business associate who suffers a breach of ePHI is typically only required to notify the covered entity whose information was impacted,” he said.
“In most cases, this is how notification is handled. The exception is when the business associate has agreed contractually to handle or support the notifications. In this case, other clients may have been notified and either we are unaware of individual notices they have sent out or they haven’t done it yet,” he said.
Another possibility is that Thompson Coburn is still working through the investigation of the incident to determine what other clients and individuals may have been impacted, Moore added.
Of course, Thompson Coburn is not the only law firm to experience a data breach that results in a compromise of protected health information belonging to healthcare clients’ patients.
In July 2023, global law firm Orrick, Herrington & Sutcliffe, which also provides data breach litigation services, reported to state and federal regulators a hacking incident affecting several healthcare sector clients and a total of about 638,000 individuals.
Orrick in April agreed to an $8 million settlement to resolve a consolidated proposed class action lawsuit filed against the firm in the wake of the data breach, which affected clients including vision benefits plan EyeMed and dental insurance plan Delta Dental of California (see: Law Firm to Pay $8M to Settle Health Data Hack).
“PHI data breaches are a healthcare law firm’s biggest nightmare. They are costly and embarrassing and invite class action lawsuits,” said regulatory attorney Paul Hales of the Hales Law Group, which is not involved in the Presbyterian Healthcare Services incident.
Similar to the situation in the Orrick data breach, Thompson Coburn is a business associate liable for HIPAA compliance when a healthcare client discloses protected health information to it in the performance of legal services, Hales said.
“At this stage, the nature and extent of the Thompson Coburn data breach is not publicly known. However, an electronic trail preserves critical details,” he said. Regulators and plaintiffs eventually will learn how the breach happened, he added. “They also will dissect the law firm’s HIPAA compliance program,” he said.
Law firms should be treated like any other third party that handles ePHI and must be subject to due diligence, Moore said.
“They should be required to sign a business associate agreement and undergo regular risk analyses. Before sharing ePHI, organizations should evaluate the law firm’s security posture,” he said.
Healthcare clients also should limit their law firm’s access to PHI to the minimum necessary, he said.
“They should verify that the firm has an incident response plan in place and is prepared to respond and notify the organization in a timely manner if their data is breached. Organizations should also periodically review that the firm is maintaining appropriate security safeguards and compliance with HIPAA,” he said.
“These measures help ensure that law firms uphold the same level of data protection as any other vendor handling sensitive healthcare data,” Moore said.
The Presbyterian Healthcare Services breach involving Thompson Coburn “is a cautionary tale for other law firms who are well advised to use it as a learning experience,” Hales said.
As for Presbyterian Healthcare Services, the incident involving Thompson Coburn joins a list of several other breaches the healthcare organization has reported to federal regulators since 2019.
The largest such incident was an email phishing breach Presbyterian Healthcare Services initially reported to HHS’ Office for Civil Rights in August 2019 as affecting about 183,400 health plan members. That figure was later revised upward to more than 1.1 million affected individuals (see: 2 Phishing Attacks Affect Presbyterian Health Plan Members).