Thompson Coburn faced a targeted hacking incident, resulting in unauthorized access to sensitive files related to their client, Presbyterian Healthcare Services.
In May 2024 Thompson Coburn, a national law firm based in Missouri experienced a data breach involving an unspecified number of patients of a healthcare sector client, Presbyterian Healthcare Services in New Mexico. The breach was detected on May 29 when suspicious activity was discovered in the law firm's network.
The unauthorized access occurred between May 28 and 29, during which an unknown actor stole files containing protected health information. Although the breach appears to only have impacted Presbyterian, Thompson has not publicly disclosed whether other client's information has been compromised by the incident.
In their notice of data security incident, Thompson Coburn provided, “The investigation determined that certain files stored within our environment were viewed or taken by an unauthorized actor between May 28, 2024, and May 29, 2024. A detailed review of the affected files was undertaken and through that review, we determined that certain protected health information related to certain patients of PHS was contained within those files.”
The breach likely stemmed from insufficient cybersecurity defenses making it an unauthorized access breach where hackers infiltrated the network and exfiltrated data. This would have been potentially avoidable had Thompson employed adequate security infrastructure or segmented the data of clients for whom they act as business associates in order to better comply with the security requirements set by HIPAA.
Related: HIPAA Compliant Email: The Definitive Guide
Protected health information consists of any health data that can identify an individual and is protected by HIPAA.
It is characterized by the unauthorized access or use of sensitive personal information.
The HIPAA Breach Notification Rule requires covered entities notify individuals, the HHS, and sometimes the media when a breach of PHI is uncovered.