“Law Firm Hack Compromises Health System’s Patient Data” —
- “A hacking incident at Thompson Coburn, a Missouri-based national law firm that specializes in data breach law and other types of legal cases, has been breached itself. The law firm says the data breach affected an unspecified number of patients of a healthcare sector client, Presbyterian Healthcare Services in New Mexico, which has now suffered at least four breaches in five years.”
- “But two big unanswered questions is whether other Thompson Coburn clients were affected, or if all 305,088 individuals that the law firm reported to regulators on Nov. 4 as impacted are PHS patients.*”
- “Thompson Coburn, in a breach notice posted on Presbyterian Healthcare Services’ website, said the incident was first detected on May 29 when the law firm became aware of suspicious activity within its network. Presbyterian Healthcare Services operates more than 100 physician and specialty clinics and nine full-service hospitals across New Mexico. The group also offers individual, family, Medicare Advantage and state Medicaid health plans.”
- “Thompson Coburn said an unauthorized actor stole some files between May 28 and May 29. ‘A detailed review of the affected files was undertaken and through that review, we determined that certain protected health information related to certain patients of PHS was contained within those files,’ the law firm said.”
- “Thompson Coburn said so far there is no indication of identity theft or fraud stemming from the breach. ‘Upon becoming aware of this incident, Thompson Coburn promptly took steps to investigate the incident and implemented additional security enhancements to further protect against similar incidents,’ the notice said.”
- “So far, Thompson Coburn – which offers a long list of legal services, including data breach litigation in an array of industries besides healthcare – has not publicly disclosed whether other clients’ information was also potentially compromised in the incident. But some experts not involved in the Thompson Coburn hack suspect that could be the case.”
- “‘If the threat actor was inside their network, as it appears was the case here, it is certainly possible and perhaps even likely that they gained access to data of other Thompson Coburn clients,’ said Jon Moore, chief risk officer at privacy and consulting firm Clearwater. ‘At a minimum, a forensic analysis will be required and even that might not be able to determine with certainty what files or data the threat actor accessed.'”
- “In the meantime, there are a few reasons why this incident might not yet have resulted in additional breach notifications, Moore said. ‘For example, the primary responsibility for notification of individuals whose electronic PHI is breached resides with the covered entity. A business associate who suffers a breach of ePHI is typically only required to notify the covered entity whose information was impacted,’ he said.”
- “Another possibility is that Thompson Coburn is still working through the investigation of the incident to determine what other clients and individuals may have been impacted, Moore added.”
- “Of course, Thompson Coburn is not the only law firm to experience a data breach that results in a compromise of protected health information belonging to healthcare clients’ patients.”
New York: “Judicial Ethics Opinion 24-57” —
- “A judge may invite attorneys to his/her wedding, provided that the attorneys are not on trial before the judge at the time of the event. The judge may also invite members of law enforcement to the wedding. For two years after the wedding, the judge must disclose when a wedding guest appears in the judge’s court.”
“No Ruling On Zeta DQ Bid After Second Marathon Hearing” —
- “A Houston judge declined Wednesday [9/25] to decide whether to disqualify Transocean’s counsel from Hurricane Zeta litigation following the second hearing on a former Arnold & Itkin LLP law clerk-turned-defense-lawyer’s work with the plaintiffs’ firm, indicating she needed time to figure out when the parties reasonably should have learned of the potential conflict of interest.”
- “Across two hearings this month spanning more than 12 hours, Transocean counsel from Ahmad Zavitsanos & Mensing PLLC and plaintiffs’ counsel from Arnold & Itkin presented differing views of the work that Karina Sanchez-Peralta of Ahmad Zavitsanos performed during a brief stint as a law clerk for Arnold & Itkin in late 2022.”
- “Harris County District Judge Rabeea Sultan Collier said at the end of Wednesday’s proceeding that one of the key questions she has been presented is at what point a conflict waiver should have been sought after Ahmad Zavitsanos added Sanchez-Peralta to the multidistrict litigation in March.”
- “Central to Arnold & Itkin’s disqualification bid is a memo Sanchez-Peralta created at the direction of Arnold & Itkin attorney Roland Christensen, who testified at length Wednesday. The memo, which is not publicly available, is connected to Dr. Henry Small, an orthopedic surgeon who treated some Zeta plaintiffs, though the two firms have presented different versions of what Sanchez-Peralta’s work entailed beyond those facts.”
- “Christensen testified Wednesday that he was contacted by Small in September 2022 for legal advice concerning a Texas Medical Board complaint filed against him, which was not publicly available.”
- “The firm has taken the position that Small’s conversation with Christensen created an attorney-client relationship that extended to Sanchez-Peralta when she worked on the memo, though whether the firm raised that argument adequately in its first disqualification motion has been contested by Ahmad Zavitsanos and questioned by Judge Collier.”
- “‘Before sharing any of the information with me that was confidential, I agreed to provide him [Small] legal services,’ Christensen said. ‘After that, I emailed Sanchez and asked her to come talk with me about the representation and gave her an assignment.'”
“Christensen testified that Sanchez-Peralta performed legal work and represented Small ‘just like I did,’ adding that he told her Small’s name and other details about the complaint.” - “But Sanchez-Peralta testified earlier this month that her assignment was ‘a copy-paste memo’ based on publicly available Texas Medical Board documents and complaint processes.”
- “Arnold & Itkin has said that it only became aware of Sanchez-Peralta’s conflict of interest in early September, when she texted an attorney on the plaintiffs’ team and said she would be updating the defense team’s exhibit list.”
- “Shortly after sending the text, Arnold & Itkin claims that Ahmad Zavitsanos submitted an exhibit that contained confidential information about the Texas Medical Board complaint that Small contacted Christensen about. Arnold & Itkin moved for disqualification a week later.”
- “But Shahmeer Halepota of Ahmad Zavitsanos said his opponent’s arguments had serious ‘credibility issues,’ beginning with what he said was the firm’s sole reliance on Christensen’s testimony for its disqualification bid.”
- “In its motion for disqualification, Arnold & Itkin repeatedly described Small as a witness. But in a reply filed a week later, he is described as a client of the firm.”
- “‘This is a shift that this court has specifically recognized, but it’s not the only shift,’ Halepota said.”
- “Arnold & Itkin, however, said Wednesday that Ahmad Zavitsanos was ‘feigning’ misunderstanding, claiming it only replied using the term ‘client’ because Ahmad Zavitsanos had argued that Sanchez-Peralta did not have confidential information connected to a client or former client and thus hadn’t violated the state’s professional rules.”
- “Halepota said additional ‘shifts’ include Arnold & Itkin’s use of the singular word ‘complaint’ across its motions in reference to Small, while Christensen insisted Wednesday that there were three complaints against Small — two of which are publicly available, and one of which is the complaint he learned about in 2022.”