Orrick Settlement

Orrick Law Firm Agrees to Multi-Million Dollar Settlement

This prestigious law firm was caught in the crosshairs of HIPAA compliance after being hacked, exposing the personal data of hundreds of thousands of individuals and several large healthcare organization clients. The proposed $8 million settlement is outlined in court documents in a northern California federal court concerning four consolidated class action lawsuits.

Orrick, Herrington & Sutcliffe reported the breach last summer, noting that it affected 153,000 individuals. Later, Orrick amended its report to reveal that 638,000 individuals had been affected.

Law Firms Can Be HIPAA Business Associates

San Francisco-based Orrick represented healthcare organizations affected by the breach, such as the vision benefits plan EyeMed and the dental insurance plan Delta Dental of California.

According to court documents, Orrick defended data breach lawsuits brought against its clients. During those lawsuits, Orrick collected the personal information of its clients’ members, and the hacking incident compromised some of that information—including names, addresses, dates of birth, health care provider information, and limited diagnosis and treatment-related information.

Under HIPAA, a third-party vendor that “creates, receives, maintains, or transmits” protected health information for a covered entity is considered a HIPAA business associate. Such vendors must adhere to HIPAA regulations, including implementing robust cybersecurity defenses and a comprehensive HIPAA risk management plan.

The class action cases alleged, among other things, that Orrick failed to implement adequate and reasonable measures to protect its computer systems, failed to prevent and stop the breach, and failed to detect and notify individuals about the breach promptly, causing “substantial harm and injuries to plaintiff and the class.”

As part of the settlement, Orrick has strengthened its cybersecurity defenses – from the settlement documents:

“These enhancements include improving its detection and response tools, enhancing its continuous vulnerability scanning at both the network and application levels, deploying additional endpoint detection and response software, and with the help of an industry-leading cybersecurity vendor, performing additional 24/7 network managed detection and response.”

A Large Settlement Cuts Losses

A hack this size affecting so many individuals can cause costly reputation damage. Law firms depend on their reputations for growth.

According to its website, Orrick is a global law firm representing prestigious and large organizations in the Technology and Innovation, Energy and Infrastructure, and Finance sectors.

Orrick may still face a HIPAA investigation from states or the Office for Civil Rights (OCR). But the cybersecurity improvements the firm has already agreed to will likely help it in additional investigations. Settling these class actions now, even for millions of dollars, will save money and allow the firm to return to representing clients and growing its business—a business that now has improved cybersecurity defenses.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.
