This prestigious law firm was caught in the crosshairs of HIPAA compliance after being hacked, exposing the personal data of hundreds of thousands of individuals and several large healthcare organization clients. The proposed $8 million settlement is outlined in court documents in a northern California federal court concerning four consolidated class action lawsuits.

Orrick, Herrington & Sutcliffe reported the breach last summer, noting that it affected 153,000 individuals. Later, Orrick amended its report to reveal that 638,000 individuals had been affected.

Law Firms Can Be HIPAA Business Associates

San Francisco-based Orrick represented healthcare organizations affected by the breach, such as the vision benefits plan EyeMed and the dental insurance plan Delta Dental of California.

According to court documents, Orrick defended data breach lawsuits brought against its clients. During those lawsuits, Orrick collected the personal information of its clients’ members, and the hacking incident compromised some of that information—including names, addresses, dates of birth, health care provider information, and limited diagnosis and treatment-related information.

Under HIPAA, a third-party vendor that “creates, receives, maintains, or transmits” protected health information for a covered entity is considered a HIPAA business associate. Such vendors must adhere to HIPAA regulations, including implementing robust cybersecurity defenses and a comprehensive HIPAA risk management plan.

The class action cases alleged, among other things, that Orrick failed to implement adequate and reasonable measures to protect its computer systems, failed to prevent and stop the breach, and failed to detect and notify individuals about the breach promptly, causing “substantial harm and injuries to plaintiff and the class.”

As part of the settlement, Orrick has strengthened its cybersecurity defenses – from the settlement documents:

“These enhancements include improving its detection and response tools, enhancing its continuous vulnerability scanning at both the network and application levels, deploying additional endpoint detection and response software, and with the help of an industry-leading cybersecurity vendor, performing additional 24/7 network managed detection and response.”

A Large Settlement Cuts Losses

A hack this size affecting so many individuals can cause costly reputation damage. Law firms depend on their reputations for growth.

According to its website, Orrick is a global law firm representing prestigious and large organizations in the Technology and Innovation, Energy and Infrastructure, and Finance sectors.

Orrick may still face a HIPAA investigation from states or the Office for Civil Rights (OCR). But the cybersecurity improvements they’ve already agreed to will likely help them in additional investigations. Settlement of these class actions now, even for millions of dollars, will save money and allow them to return to representing clients and growing their business—a business that now has improved cybersecurity defenses.