An international law firm that works with companies affected by security incidents has experienced its own cyberattack that exposed the sensitive health information of hundreds of thousands of data breach victims.
San Francisco-based Orrick, Herrington & Sutcliffe said last week that hackers stole the personal information and sensitive health data of more than 637,000 data breach victims from a file share on its network during an intrusion in March 2023.
Orrick works with companies that are hit by security incidents, including data breaches, to handle regulatory requirements, such as obtaining victims’ information in order to notify state authorities and the individuals affected.
In a series of data breach notification letters sent to affected individuals, Orrick said the hackers stole reams of data from its systems that pertain to security incidents at other companies, during which Orrick served as legal counsel.
Orrick said that the breach of its systems involved its clients’ data, including individuals who had vision plans with insurance giant EyeMed Vision Care and those who had dental plans with Delta Dental, a healthcare insurance network giant that provides dental coverage to millions of Americans. Orrick also said it notified health insurance company MultiPlan, behavioral health giant Beacon Health Options (now known as Carelon) and the U.S. Small Business Administration that their data was also compromised in Orrick’s data breach.
Orrick said the stolen data includes consumer names, dates of birth, postal address and email addresses, and government-issued identification numbers, such as Social Security numbers, passport and driver license numbers, and tax identification numbers. The data also includes medical treatment and diagnosis information, insurance claims information — such as the date and costs of services — and healthcare insurance numbers and provider details.
Orrick said that the breach includes online account credentials and credit or debit card numbers.
The number of individuals known to be affected by this data breach has risen by threefold since Orrick first disclosed the incident. Orrick said in its most recent data breach notice that it “does not anticipate providing notifications on behalf of additional businesses,” but did not say how it came to this conclusion.
It’s not clear how the hackers initially broke into Orrick’s network, or whether the hackers demanded a financial ransom from the law firm.
Orrick would not answer TechCrunch’s questions about the incident. Orrick spokesperson Jolie Goldstein said in a statement: “We regret the inconvenience and distraction that this malicious incident caused. We made it our priority to resolve it as quickly as possible for our clients, the individuals whose data was impacted, and our team.”
In December, Orrick told a San Francisco federal court that it had reached an agreement in principle to resolve four class action lawsuits, which accused Orrick of failing to inform victims of the breach until months after the incident.
“We are pleased to reach a settlement well within a year of the incident, which brings this matter to a close, and will continue our ongoing focus on protecting our systems and the information of our clients and our firm,” added Orrick’s spokesperson.