The New York Attorney General has reached a $200,000 settlement with Heidell, Pittoni, Murphy & Bach (HPMB), a New York-based medical malpractice law firm, over inadequate data security practices that exposed the personal details of more than one hundred thousand hospital patients.

According to Letitia James, the Attorney General of New York, HPMB's "poor data security measures" did not comply with state law or with the security standards set by HIPAA.

Microsoft disclosed in March 2021 that a China-based hacking group had used four previously unknown Exchange Server vulnerabilities to steal data from U.S. defense contractors, law firms and other organizations, and issued patches for the critical flaws at the same time. In November 2021, many months after those patches were available, attackers exploited the same vulnerabilities to break into HPMB's still-unpatched Exchange server. Close to 115,000 hospital patients had personal information compromised, including names, birthdates, Social Security numbers and health details.

HPMB then paid a ransom of $100,000 in exchange for the stolen data being returned and deleted. According to the court documents [PDF], however, it received no proof that the data was ever deleted.

Regular risk assessments are essential to keeping your company safe. Deploying tooling that detects malicious software, running a disciplined patch management program, conducting an annual risk analysis, and encrypting personal and health information are baseline safeguards; in this case, a working patch management process alone would have closed the hole eight months before it was exploited.
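The patch management point is the one that is easy to get wrong in practice, because the Exchange build number reported by the usual inventory commands does not tell you whether a security update is installed. The following is an added example written for this page (it is not Messageware code and not a Microsoft tool): it takes a list of servers with the product version of ExSetup.exe and flags any build below the minimum patched build for its Cumulative Update. The minimum-build table and the server inventory are assumptions constructed for illustration; replace the table with the builds listed in Microsoft's current security update release notes before relying on it. The example also shows the edge case that bites home-grown checks: build strings must be compared as integers, not as strings.

```python
"""Flag Exchange servers whose build is below the minimum patched build.

Added example for illustration, not code from the original page. The build
table below is an assumption; take the real values from Microsoft's
security update release notes.
"""
from __future__ import annotations

import re

# Assumed minimum patched builds per Cumulative Update, keyed by the CU's
# major.minor.build prefix. Illustrative values only (an assumption of this
# example); verify against Microsoft's published list before use.
MIN_PATCHED_BUILD = {
    (15, 2, 792): (15, 2, 792, 10),    # Exchange 2019 CU8
    (15, 2, 721): (15, 2, 721, 13),    # Exchange 2019 CU7
    (15, 1, 2176): (15, 1, 2176, 9),   # Exchange 2016 CU19
    (15, 1, 2106): (15, 1, 2106, 13),  # Exchange 2016 CU18
    (15, 0, 1497): (15, 0, 1497, 12),  # Exchange 2013 CU23
}

# Constructed inventory of (server name, ExSetup.exe product version).
# Collect the file version of ExSetup.exe on each server rather than
# Get-ExchangeServer's AdminDisplayVersion: the latter only reflects the
# CU level and does not change when a security update is installed.
SAMPLE_INVENTORY = [
    ("EXCH01", "15.1.2176.9"),   # 2016 CU19 at the assumed SU build
    ("EXCH02", "15.1.2176.4"),   # 2016 CU19 without the SU
    ("EXCH03", "15.2.792.3"),    # 2019 CU8 without the SU
    ("EXCH04", "15.1.2044.4"),   # 2016 CU17, not in the table at all
]


def parse_build(text: str) -> tuple[int, int, int, int]:
    """Turn '15.1.2176.9' into (15, 1, 2176, 9).

    Integers, not strings: as strings, '15.1.2176.14' > '15.1.2176.9' is
    False, which would report a patched server as unpatched.
    """
    parts = re.findall(r"\d+", text)
    if len(parts) != 4:
        raise ValueError(f"unrecognised build string: {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def assess(build: tuple[int, int, int, int]) -> str:
    """Classify one build as 'patched', 'unpatched' or 'unknown-cu'.

    'unknown-cu' means the CU prefix is not in the table, which usually
    means an out-of-support CU that must be upgraded before any security
    update can be applied, so treat it as a finding, not as a pass.
    """
    minimum = MIN_PATCHED_BUILD.get(build[:3])
    if minimum is None:
        return "unknown-cu"
    # Tuple comparison is element-wise and numeric, so 14 > 9 as expected.
    return "patched" if build >= minimum else "unpatched"


def assess_inventory(inventory: list[tuple[str, str]]) -> dict[str, str]:
    """Map server name to status for a list of (name, version string)."""
    return {name: assess(parse_build(version)) for name, version in inventory}


if __name__ == "__main__":
    for name, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Run it against the constructed inventory and only EXCH01 comes back as patched; EXCH04 is reported as unknown-cu rather than silently passed, because a CU that is too old to receive the security update is exactly the kind of server that ends up in a settlement like this one.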

Reach out to Messageware to improve Microsoft Exchange Server Security

If you are not protecting every client-facing protocol your Exchange Server exposes (Outlook Web App, ActiveSync, Exchange Web Services and Autodiscover among them), you are leaving your company at a higher risk of a data breach.

Security incidents happen frequently. They cause disruption and loss of data, and they put your company's reputation at risk. If you implement the safeguards above, however, you are already doing more than most other companies.

Have you heard about Messageware's EPG? It offers advanced Exchange Server security that protects organizations from a variety of logon and password attacks, together with extensive real-time reporting and alerting on suspicious logon activity. Click here to learn more.