A successful law firm with a sterling reputation is not immune to cyberattacks. In fact, hackers are targeting law firms more frequently because they possess so much valuable private information. When a law firm represents a covered entity and receives protected health information (PHI) during their work, the law firm is a HIPAA business associate.
On July 20, Orrick, Herrington & Sutcliffe LLP (Orrick) reported a data breach affecting 153,000 individuals to several state regulators. It also reported a HIPAA breach to the U.S. Department of Health and Human Services on June 30, noting that the PHI of 40,823 individuals was compromised. Orrick is a global law firm focusing on technology and innovation, energy and infrastructure, and finance.
Orrick discovered suspicious activity on its network on March 13. In a press statement Orrick explains that between February 28 and March 13, 2023, an unauthorized third party obtained files containing personal and protected health information.
Vision Benefits Plan Members and Dental Patients Affected
Although we don’t know details of the cyber incident, public reports indicate that members of vision benefit plans and dental patients of Delta Dental California have been affected. Orrick held vision benefits PHI because it had worked on a case involving a 2020 security event at EyeMed Vision Care. As a result, this 2023 hack on Orrick caused the data to be breached a second time. The vision benefits PHI taken in the breach included names, addresses, birth dates, and Social Security numbers.
Orrick held dental PHI because it has provided legal services to Delta Dental of California and had received personal and protected health information about plan participants. The dental PHI taken during the breach may have included names, addresses, date of birth, dental insurance policy, health care provider information and limited dental diagnosis and treatment-related information. The event was isolated to Orrick’s system and did not involve Delta Dental of California’s network or systems.
Attorney-Client Privilege Not Enough for HIPAA
Confidentiality is fundamental to the practice of law, so lawyers are used to maintaining privacy. But law firm business associates have specific HIPAA compliance requirements for special policies and procedures that go well beyond routine attorney-client privilege safeguards.
For example, the HIPAA Security Rule requires administrative, physical and technical safeguards for electronic PHI. Both the Privacy and Security Rules mandate that only the minimum necessary PHI be used or disclosed, so minimizing personal data received and stored is key. Cybersecurity defenses need to be strong and constantly updated. Business associates must conduct an annual HIPAA risk analysis and provide workforce training.
The HIPAA E-Tool® understands business associates and has special provisions for law firm business associates. The HIPAA E-Tool® Business Associate Edition explains what you need to do and how your responsibilities compare to those of covered entities. A self-guided Risk Analysis and workforce training are included. And The HIPAA E-Tool® updates all the policies, templates and forms every time the law changes.
Don’t wait for an embarrassing cyber attack to uncover your cybersecurity weaknesses and reveal protected health information. Shore up your defenses and protect your reputation with targeted preventive HIPAA compliance instead.