“Law Office Wolf Haldenstein Says Hack Affected 3.4 Million” —
- “Wolf Haldenstein Adler Freeman & Herz LLP, a law firm that represents consumers in data breach lawsuits and other disputes, has reported to regulators its own large 2023 hacking incident affecting more than 3.4 million individuals.”
- “The law firm – which has offices in New York, Chicago, Nashville and San Diego – told Maine’s attorney general on Wednesday [1/15] that information potentially compromised in the incident includes name, Social Security number, employee identification number, medical diagnosis, and medical claim information. Of the more than 3.4 million individuals affected, about 3,200 were Maine residents, Wolf Haldenstein told the state’s regulators.”
- “Wolf Haldenstein said the hack was discovered in December 2023 when the firm detected suspicious activity in its network environment. ‘Upon discovery of this incident, Wolf Haldenstein promptly took steps to secure its network and engaged a specialized cybersecurity firm to investigate the nature and scope of the incident,’ the firm’s breach notice said.”
- “The investigation determined that an unauthorized actor accessed certain files and data stored within the firm’s network, the notice said. ‘Wolf Haldenstein also conducted an examination of its systems and networks using all information available to determine the potential impact and the security of data housed on its servers,’ the firm said.”
- “‘Wolf Haldenstein subsequently undertook a time-consuming and detailed review of the data stored on the servers at the time of this incident to understand to whom that data relates,’ the firm said. Nearly a year later, on Dec. 3, 2024, Wolf Haldenstein identified a subset of potentially affected persons but the firm was unable to locate address information to provide direct notice to that group of individuals, the law firm said.”
- “Wolf Haldenstein had previously reported the hack to regulators in some other states, including Vermont in May. The law firm also reported the incident on Thursday to the Texas attorney general’s office as affecting nearly 328,000 Texans. But the firm’s report Wednesday to Maine’s attorney general appears to be the first and only time the law firm publicly disclosed that millions of individuals were affected by the incident.”
- “As of Thursday, the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website did not show any HIPAA breach reports filed by Wolf Haldenstein.”
- “‘Wolf Haldenstein’s data breach and the tortuous investigation it took to find the breach is a law firm’s worst nightmare,’ said regulatory attorney Paul Hales of the Hales Law Group, which is not involved in the Wolf Haldenstein incident.”
- “‘Maintaining system-wide HIPAA compliance is challenging but manageable for organizations with multiple locations like Wolf Haldenstein,’ he said. ‘Strict client confidentiality is paramount in law firms, but the minimum necessary standard for access to protected health information can inadvertently be overlooked,’ he said.”
- “‘Wolf Haldenstein’s lengthy, painstaking breach investigation underscores the rationale for HHS OCR’s proposed Security Rule modifications that would require mapping the movement of electronic PHI throughout a HIPAA-regulated entity’s electronic information systems and a technology asset inventory,’ he said.”
“Law Firm Faces Data Breach Class Action From Consumers Extending Beyond Client Base” —
- “A group of consumers sued a law firm for a data breach that allegedly exposed their personal information despite never having an affiliation with the firm, raising concerns about its allegedly unauthorized collection and storage of their sensitive data.”
- “Lead plaintiff Jason Warren alleged that, in early August, Riley Pope & Laney learned that cybercriminals had gained access to consumers’ personally identifiable information. According to the complaint, the more than 7,000 class members affected by the data breach were never associated with the law firm, never sought an association and never consented to the firm collecting and storing their sensitive information.”
- “The breach allegedly occurred due to inadequate training of IT and data security agents, the suit stated. The firm then allegedly waited six months to begin notifying affected individuals of the breach, which made victims vulnerable to identity theft without warnings to monitor their financial records or credit reports.”
- “Riley Pope & Laney’s legal services are specialized for corporations and employers who oversee highly sensitive data, the complaint said, requiring them to manage and secure the PII of its clients’ employees. However, these employees did not do any business with the law firm, according to Warren.”
- “The risk of unauthorized uses of victims’ information is still ‘substantially high,’ the complaint stated, due to the law firm’s lack of corrective measures following the data breach.”
“Law firm Berman & Rabin reports breach affecting 152K people” —
- “The law firm Berman & Rabin is notifying around 152,000 individuals of a data breach following a ransomware attack that occurred in July 2024. The breach exposed sensitive personal information, prompting the company to take precautionary measures to protect those affected.”
- “Headquartered in Overland Park, Kansas, Berman & Rabin is a law firm that focuses on debt collection and creditor rights, providing legal services to financial institutions, businesses, and lenders. With over 140 employees, the firm has built a reputation for handling creditor-specific legal matters.”
- “The incident was discovered on July 8, 2024, when the law firm detected suspicious activity within its systems, including the encryption of certain data. An investigation revealed that attackers had accessed the company’s network between July 5 and July 8, during which time they exfiltrated data from several systems.”
- “By October, it became clear that the compromised data included names, Social Security numbers, and financial information. Although there is no confirmed misuse of the stolen data, Berman & Rabin is notifying affected individuals as a cautionary step.”
- “In response to the breach, the law firm has begun sending written notifications to approximately 151,944 individuals.”
- “While details about the ransomware used in the attack remain unknown, no ransomware group has claimed responsibility for the breach. This situation could indicate that a ransom was paid, though the affected company has not commented on this possibility.”