An international law firm that specializes in handling security incidents for companies has fallen victim to a cyberattack of its own, resulting in the exposure of sensitive health information for hundreds of thousands of individuals affected by data breaches.
Last week, San Francisco-based Orrick, Herrington & Sutcliffe announced that hackers had accessed its network in March 2023 and stolen personal data and sensitive health information from over 637,000 victims of data breaches.
Orrick works with companies impacted by security incidents, such as data breaches, to navigate regulatory requirements. This includes obtaining information from victims in order to notify state authorities and affected individuals.
In recent breach notification letters sent to those affected, Orrick disclosed that the hackers had gained unauthorized access to a large amount of data from their systems, relating to security incidents at other companies where Orrick had served as legal counsel.
The breach included data belonging to clients who had vision plans with insurance giant EyeMed Vision Care, dental plans with healthcare insurance network Delta Dental, and health insurance provider MultiPlan. Data belonging to behavioral health giant Beacon Health Options (now known as Carelon) and the U.S. Small Business Administration was also compromised in the breach.
The stolen data contains sensitive information such as names, dates of birth, postal addresses, email addresses, government-issued identification numbers, and medical treatment and diagnosis information. Additionally, insurance claims, healthcare insurance numbers, and provider details were exposed.
Orrick also confirmed that online account credentials and credit or debit card numbers were part of the stolen data.
The number of individuals impacted by the breach has tripled since Orrick initially disclosed the incident. In the most recent data breach notice, Orrick stated that they do not anticipate notifying additional businesses of the breach, although it is unclear how they came to this decision.
It is not known how the hackers gained initial access to Orrick’s network, or whether they demanded a ransom from the law firm.
Orrick spokesperson Jolie Goldstein declined to answer questions from TechCrunch regarding the incident, stating: “We regret the inconvenience and distraction caused by this malicious incident. We made it a top priority to promptly resolve the situation for our clients, the affected individuals, and our team.”
In December, Orrick reached a settlement in principle for four class action lawsuits brought against them in federal court in San Francisco. The lawsuits alleged that Orrick failed to inform victims of the breach until several months after it occurred.
“We are pleased to reach a settlement within a year of the incident, bringing this matter to a close. We remain dedicated to safeguarding our systems and the information of our clients and firm,” added Orrick’s spokesperson.