In an ironic twist, Thompson Coburn, a national law firm headquartered in Missouri and specializing in data breach cases, has fallen victim to a hacking incident that compromised sensitive data. This breach has notably impacted patients from Presbyterian Healthcare Services (PHS), a New Mexico-based healthcare provider, marking at least the fourth data breach PHS has faced in the past five years.
On November 4, Thompson Coburn reported the incident to regulators, revealing that 305,088 individuals were potentially affected. However, the exact number of impacted PHS patients, or whether other clients' data was involved, remains unclear.
The breach was first detected by the law firm on May 29, following the identification of suspicious activity on its network. The unauthorized actor managed to exfiltrate files between May 28 and May 29, which, upon review, were found to contain protected health information (PHI) linked to PHS patients. The compromised data includes names, Social Security numbers, birth dates, medical record numbers, treatment details, and insurance information.
As one of New Mexico’s largest healthcare providers, Presbyterian Healthcare Services operates numerous clinics and hospitals throughout the state and offers a range of health plans, including Medicare Advantage and Medicaid. This incident places the healthcare provider’s data security practices under renewed scrutiny.
The breach, cataloged on the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool, highlights the growing threat landscape for organizations handling sensitive information. Despite the breach, Thompson Coburn has indicated that there is currently no evidence of identity theft or fraud arising from the incident. The firm claims to have swiftly investigated the breach and implemented further security measures to prevent similar incidents in the future.
Were Other Clients’ Data at Risk?
While Thompson Coburn has not disclosed whether the breach affected clients beyond PHS, cybersecurity experts suggest this could be a possibility. Jon Moore, chief risk officer at Clearwater, notes that if the hacker had network access, it’s likely that additional client data may have been compromised. A comprehensive forensic investigation would be essential to determine the full scope of the incident, though even that may leave some questions unanswered.
In cases like this, notification responsibilities can be complex. Under HIPAA regulations, business associates who experience a data breach involving PHI are typically required to inform the relevant healthcare entity, which then notifies affected individuals. However, if a business associate has a contractual obligation to assist with notifications, some clients may have already received individual notices. Moore also suggests that Thompson Coburn could still be evaluating the full impact of the breach.
The Broader Trend of Law Firms Targeted in PHI Breaches
Law firms representing healthcare clients face significant challenges in securing PHI. This incident is reminiscent of a previous breach at the global law firm Orrick, Herrington & Sutcliffe, which in 2023 disclosed that a data breach had affected several healthcare clients, compromising the information of over 638,000 individuals. Orrick later reached an $8 million settlement following a class-action lawsuit related to the breach.
For law firms, breaches involving PHI are high-stakes events that can result in regulatory scrutiny, legal action, and reputational damage. Regulatory attorney Paul Hales emphasizes that healthcare clients entrusting PHI to a law firm under a HIPAA-compliant business associate agreement must ensure the firm has rigorous security measures in place. Hales advises that such firms should be treated with the same scrutiny as any other third-party vendor handling PHI.
Proactive Measures to Mitigate Risk for Law Firms Handling PHI
Moore stresses that law firms should maintain strong security protocols, including regular risk assessments, a clear incident response plan, and periodic security reviews. He further advises healthcare providers to minimize the PHI they share and verify their law firms' security readiness. These steps can help ensure that law firms protect healthcare data as diligently as other vendors.
The incident at Thompson Coburn serves as a critical reminder to law firms of the risks associated with handling sensitive data, especially in the healthcare sector. Both law firms and their healthcare clients can draw lessons from this breach to reinforce their defenses against increasingly sophisticated cyber threats.
For Presbyterian Healthcare Services, the breach involving Thompson Coburn adds to a troubling list of reported incidents since 2019, signaling the ongoing data security challenges facing healthcare providers nationwide.