An international law firm that works with companies affected by security incidents has suffered its own cyberattack that exposed sensitive health information of hundreds of thousands of data breach victims.
San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during a March 2023 hack.
Orrick works with companies affected by security incidents, including data breaches, to manage regulatory requirements, such as obtaining victim information in order to notify government authorities and affected individuals.
In a series of data breach notification letters sent to affected individuals, Orrick said hackers stole reams of data from its systems related to security incidents at other companies, for which Orrick served as legal counsel.
Orrick said the breach of its systems affected the data of its customers, including people who had vision plans with insurance giant EyeMed Vision Care and those who had dental plans with Delta Dental, a giant health insurance network that provides dental coverage to millions of Americans. Orrick also said it notified health insurer MultiPlan, behavioral health giant Beacon Health Options (now known as Carelon) and the US Small Business Administration that their data was also compromised due to Orrick’s data breach.
Orrick said the stolen data included consumer names, dates of birth, mailing and email addresses, and government-issued identification numbers, such as Social Security numbers, passport and driver’s license numbers, and tax ID numbers. The data also includes medical treatment and diagnosis information, insurance claims information — such as the date and cost of services — and health care insurance numbers and provider information.
Orrick said the breach includes online account credentials and credit or debit card numbers.
The number of people known to be affected by this data breach has tripled since Orrick first disclosed the incident. Orrick said in the most recent data breach notification that it “does not anticipate providing notifications on behalf of additional businesses,” but did not say how it reached that conclusion.
It’s unclear how the hackers originally broke into Orrick’s network or whether the hackers demanded a financial ransom from the law firm.
Orrick would not respond to TechCrunch’s questions about the incident. Orrick spokeswoman Jolie Goldstein said in a statement: “We regret the inconvenience and distraction this malicious incident has caused. We’ve made it our priority to resolve it as soon as possible for our customers, the people whose data was affected and our team.”
In December, Orrick said in federal court in San Francisco that it had reached an agreement in principle to settle four class-action lawsuits that accused Orrick of failing to notify victims of the breach until months after the incident.
“We are pleased to have reached a settlement within a year of the incident, which brings the matter to a close, and we will continue to focus on protecting our systems and the information of our customers and our company,” added the Orrick spokesperson.