cross-posted from: https://zerobytes.monster/post/5063838

I guess if the law firm handles its own data breach this way; you can expect the companies to handle the breaches the same way.

Summary

The international law firm Orrick, Herrington & Sutcliffe, specializing in handling security incidents for companies, suffered a cyberattack in March 2023, resulting in the exposure of sensitive health information belonging to over 637,000 data breach victims.

The stolen data included consumer names, dates of birth, postal address and email addresses, and government-issued identification numbers, such as Social Security numbers, passport and driver license numbers, and tax identification numbers. The data also includes medical treatment and diagnosis information, insurance claims information — such as the date and costs of services — and healthcare insurance numbers and provider details.

Orrick, serving as legal counsel during security incidents at other companies, revealed that the breach also affected clients such as EyeMed Vision Care, Delta Dental, MultiPlan, Beacon Health Options, and the U.S. Small Business Administration. The number of affected individuals tripled since the initial disclosure. Orrick reached a settlement for class action lawsuits in December, which accused Orrick of failing to inform victims of the breach until months after the incident, acknowledging the incident’s impact and expressing regret for the inconvenience caused. The firm did not disclose details about the hackers’ entry or whether a financial ransom was demanded.

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    3
    ·
    11 months ago

    This is the best summary I could come up with:


    An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims.

    Orrick works with companies that are hit by security incidents, including data breaches, to handle regulatory requirements, such as obtaining victims’ information in order to notify state authorities and the individuals affected.

    The number of individuals known to be affected by this data breach has risen by threefold since Orrick first disclosed the incident.

    Orrick said in its most recent data breach notice that it “does not anticipate providing notifications on behalf of additional businesses,” but did not say how it came to this conclusion.

    Orrick spokesperson Jolie Goldstein said in a statement: “We regret the inconvenience and distraction that this malicious incident caused.

    “We are pleased to reach a settlement well within a year of the incident, which brings this matter to a close, and will continue our ongoing focus on protecting our systems and the information of our clients and our firm,” added Orrick’s spokesperson.


    The original article contains 509 words, the summary contains 178 words. Saved 65%. I’m a bot and I’m open source!