Wolf Haldenstein, a law firm with offices in major cities like New York and Chicago, experienced a massive data breach in late 2023, impacting millions of clients.
On December 13, 2023, the U.S. law firm Wolf Haldenstein experienced a data breach exposing sensitive information belonging to approximately 3.5 million individuals. The breach was first detected when the firm noticed suspicious activity on its network. To address the issue, Wolf Haldenstein secured its system and engaged a cybersecurity firm to investigate.
It was discovered that an unauthorized actor accessed files and data within the firm’s network during this period. The exposed data includes full names, dates of birth, Social Security numbers (SSNs), addresses from the past two to five years, proof of current addresses (like utility bills), photocopies of government-issued IDs or driver's licenses, and copies of police or investigative reports.
According to the breach notification, “On December 3, 2024, Wolf Haldenstein identified a subset of potentially affected persons but Wolf Haldenstein was unable to locate address information to provide direct notice to the subset of potentially impacted individuals.”
Wolf Haldenstein represented plaintiffs in a class action against Acadia Healthcare Company Inc. early last year. Breaches like this leave the healthcare organization vulnerable through the exposure of litigation and settlement documents for cases that might not have been made public. Hackers can use information in these documents to demand ransoms from the organizations, resulting in a trickle-down impact from the breach.
Yes, law firms can be considered business associates if they provide legal services that involve access to protected health information (PHI), such as handling healthcare-related litigation or compliance matters.
Law firms must comply with HIPAA, which includes safeguarding PHI, reporting breaches, and entering into a business associate agreement (BAA) with the covered entity.
A BAA is a written contract between a covered entity and a business associate that outlines the permitted uses and disclosures of PHI.