An international law firm that handles security incidents on its clients’ behalf has suffered a cyber attack exposing the sensitive information of over half a million data breach victims.
The San Francisco, California-based law firm assists organizations in regulatory compliance, data management, and incident response. It obtains victims’ information for notification and reporting purposes.
However, law firm Orrick, Herrington & Sutcliffe was the victim of a cyber attack that impacted victims of previous data breaches.
Orrick said it detected suspicious activity on its network on March 13, 2023. It immediately blocked unauthorized access, notified law enforcement, and launched an investigation with third-party cybersecurity experts.
The law firm determined that threat actors had breached a “portion of its network” beginning February 28, 2023, and accessed “certain client files.”
Orrick law firm exposed data breach victims’ PII and PHI
A data breach notification filed with the Office of the Maine Attorney General states that hackers breached the law firm’s file-sharing network and accessed extensive personal and treatment information of over 637,620 data breach victims.
That information included the data breach victims’ personal details, such as names, postal addresses, email addresses, dates of birth, and government-issued identifiers, including Social Security numbers, tax identification numbers, passport numbers, and driver’s license numbers.
Additionally, sensitive health data, including medical treatment, diagnosis, insurance claims, cost of services, and insurance numbers, was compromised. The Orrick data breach also exposed the data breach victims’ online account credentials and credit or debit card numbers.
Organizations impacted include EyeMed Vision Care, Delta Dental of California, MultiPlan, Carelon Behavioral Health (formerly Beacon Health Options), the U.S. Small Business Administration, financial services firm Charles Schwab, and Fujitsu North America.
Having issued three data breach notifications on behalf of its clients, Orrick does not anticipate discovering more data breach victims.
“At this time, Orrick does not anticipate providing notifications on behalf of additional businesses,” Orrick stated.
Law firm settles lawsuits
The law firm has paid the price for alleged negligence, breach of fiduciary duty, and breach of trust for failing to prevent the incident and for delaying notification.
Orrick consolidated several complaints stemming from the 2023 data breach, and in December, the law firm told a San Francisco federal court it had agreed to settle four class action lawsuits.
“We are pleased to reach a settlement well within a year of the incident, which brings this matter to a close, and will continue our ongoing focus on protecting our systems and the information of our clients and our firm,” the law firm disclosed.
However, critical details regarding the cyber attack are missing, including the threat actor’s identity, the attack vector, and whether ransomware was involved.
The law firm was also secretive about whether it had received ransom demands or paid extortion to dissuade hackers from leaking or misusing data breach victims’ stolen information. Orrick said there was no evidence that the threat actors had misused the stolen information.
Meanwhile, the data breach victims will benefit from two years of complimentary credit card and identity theft monitoring via Kroll. The law firm has also “deployed additional security measures” to strengthen its network security and prevent similar incidents.