Court Finalizes $8M Settlement in Orrick Data Breach Case
Settlement Comes as Other Law Firms Face Their Own Data Breach Woes
A federal court has finalized an $8 million settlement in a consolidated proposed class action lawsuit against law firm Orrick, Herrington & Sutcliffe involving a hacking incident that affected several clients and more than 638,000 individuals.
On Friday, a U.S. district court for the Northern District of California granted final approval of the settlement, which provides class members with up to $2,500 for documentable out-of-pocket expenses and up to $7,500 for documentable extraordinary losses. Nine lead plaintiffs in the case will also each receive $2,500 service awards.
Orrick previously offered 24 months of credit monitoring services with its initial notice of the data breach. But under the settlement, class members can claim three additional years of three-bureau credit monitoring services, including $1 million in identity theft insurance.
The settlement also requires Orrick to beef up its data security practices by implementing and maintaining "meaningful data security enhancements" to help protect settlement class members from any future data breaches at the law firm.
This includes Orrick improving its detection and response tools, enhancing its continuous vulnerability scanning at both the network and application levels, deploying additional endpoint detection and response software, and performing additional 24/7 network managed detection and response with the help of a third-party cybersecurity vendor, court documents said.
Attorneys representing the class members and plaintiffs are expected to receive a total of $2 million, or about one-fourth of the $8 million settlement fund.
The litigation, which consolidated four proposed class action lawsuits against Orrick, centered on a hacking incident that the law firm detected on Mar. 13, 2023.
Orrick's investigation into the incident determined that a cybercriminal gained unauthorized access to the law firm's network for nearly four months - between Nov. 19, 2022, and Mar. 13, 2023. Ultimately, the firm notified 638,023 individuals that their information was potentially accessed and exfiltrated in the incident.
Information potentially compromised included individuals' name, address, date of birth, Social Security number, health information and other personally identifiable information.
Orrick clients affected by the data breach included several healthcare sector entities, among them vision benefits plan EyeMed and dental insurance plan Delta Dental of California (see: Law Firm to Pay $8M to Settle Health Data Hack Lawsuit).
Initially, Orrick told regulators the breach affected about 153,000 people, but the firm subsequently updated its breach reports several times, with the final count exceeding 638,000 (see: Law Firm Facing Lawsuit in Aftermath of Its Own Big Breach).
An attorney representing Orrick in the data breach class action litigation did not immediately respond to Information Security Media Group's request for comment on the settlement.
Other Legal Firm Breaches
The Orrick data breach lawsuit settlement was finalized in the same week that another law firm, Missouri-based Thompson Coburn, reported a hacking incident to the U.S. Department of Health and Human Services affecting the protected health information of 305,088 individuals (see: Law Firm Hack Compromise Health Systems' Patient Data).
Thompson Coburn said in a notice that the affected individuals are patients of New Mexico-based Presbyterian Healthcare Services - a legal services client. It is unclear whether other Thompson Coburn clients in the healthcare or other sectors were also affected by the hacking incident. So far, Thompson Coburn has not issued any additional breach notices, and the law firm did not respond to ISMG's requests for clarification and comment on the hacking incident.
Nonetheless, Thompson Coburn's data breach is already getting the attention of other law firms. The first of what likely will be many proposed class actions was filed in a Missouri federal court on Tuesday against Thompson Coburn as well as PHS.*
Meanwhile, several other law firms have announced investigations into the hacking incident for potential class action lawsuits against Thompson Coburn. That includes law firm Federman & Sherwood, which represented plaintiffs and class members in the now-settled data breach lawsuit against Orrick.
Ironically, both Thompson Coburn and Orrick offer their clients an array of legal services that includes data breach litigation assistance.
While Thompson Coburn and Orrick's incidents are prime examples of the data breach risks that law firms can pose to their healthcare sector clients, sometimes those risks can grow even more complicated when other third-party vendors are also part of the mix.
In June, Compex Legal Services, which provides medical record retrieval and litigation support to law firms, insurers and third-party administrators, reported to regulators - and to an undisclosed number of clients - a data exfiltration incident discovered in April that affected nearly 30,000 individuals, including past and present employees and their dependents.
The information potentially compromised included individuals' name, Social Security number, financial account information, diagnosis, medical information and record number, and health insurance information, Compex said.
Compex so far faces at least four proposed putative federal class action lawsuits filed by individuals affected by the incident, who allege, among other claims, that Compex was negligent in failing to safeguard plaintiff and class members' sensitive information.
Compex did not immediately respond to ISMG's request for comment on the lawsuits and additional details about the hacking incident.
*Updated on Nov. 12, 2024, at 22:09 UTC to include mention of first federal lawsuit being filed in the Thompson Coburn data breach.