153,000 Individuals Affected in Hack, Including Client Linked to an Earlier Breach
A global law firm that handles data breach litigation is faced with defending itself against a proposed class action lawsuit filed in the aftermath of its own data breach.
The lawsuit complaint stems from a March hacking incident at San Francisco-based Orrick, Herrington & Sutcliffe that compromised the information of nearly 153,000 individuals, including victims of a client’s data breach three years ago.
The plaintiffs allege the firm was negligent by failing to protect personally identifiable information, including names, addresses, birthdates and Social Security numbers.
The law firm’s conduct – including allegedly failing to implement adequate and reasonable measures to protect its computer systems, failing to prevent and stop the breach, and failing to detect and notify individuals about the breach in a timely manner – “caused substantial harm and injuries to plaintiff and the class,” the lawsuit asserts.
As a result of the incident, the plaintiff and class members have suffered damages, the lawsuit alleges, pointing to a post-breach “flood of spam telephone calls from unknown persons” and risk of identity theft.
“This will continue, as they must spend their time being extra vigilant, due to Defendant’s failures, to try to prevent being victimized for the rest of their lives.”
The lawsuit also faults Orrick for tardy breach notification. “Despite detecting the breach back in March, and knowing many plaintiff and the class members were in danger, Defendant did nothing to warn breach victims until four months later. During this time, the cyber criminals had free rein to surveil and defraud their unsuspecting victims,” the lawsuit alleges.
Orrick, having significant knowledge in the area of data breach issues, “should be held to a standard that is at the level of this expertise,” attorney William Federman of law firm Federman & Sherwood, which is representing Werley, told Information Security Media Group.
The litigants in the complaint seek monetary damages, including punitive damages, as well as injunctive relief, including “significant improvements” to Orrick’s data security practices, future annual audits and long-term credit monitoring services funded by the law firm.
Orrick reported the hacking incident to the U.S. Department of Health and Human Services on June 30 as a HIPAA breach affecting about 41,000 individuals. It reported the incident to regulators in July as affecting a total of 152,818 people (see: Law Firm Hack Affects Victims of an Earlier Breach Again).
Information compromised in the incident included files of an Orrick client tied to an unidentified vision benefits plan that had suffered its own health data breach in 2020.
The law firm also reported that insurer Delta Dental of California was among the organizations affected in the incident. Orrick has provided legal counsel to the company.
Some experts predict the litigation against the law firm involving the data breach could grow more complicated in the weeks and months ahead.
The lawsuit does not mention the HIPAA-protected health information that Orrick reported as compromised.
It’s possible the plaintiff’s personal health information “was not disclosed or he has not experienced incidents allegedly traceable to disclosure of his PHI,” said attorney Paul Hales of Hales Law Group, who is not involved in the lawsuit.
That leaves the door open for a new lawsuit or an amended complaint that raises the alleged HIPAA breach, he added. “If or when lawsuits alleging harm from a PHI breach are filed, Orrick’s compliance with HIPAA business associate rules will be in play. I suspect this will be a long-running story, hard fought by all parties.”
Orrick, Herrington & Sutcliffe declined ISMG’s request for comment about the proposed class action litigation.