A national law firm recently announced a data breach impacting over 325,000 individuals.
What happened
Houser LLP is a national law firm with offices in 11 states. The firm specializes in business, commercial, and real estate litigation, serving several high-profile financial institutions.
On May 9th, 2023, Houser LLP discovered some of their network files had been encrypted. When Houser discovered the breach, the firm enlisted the help of a third-party organization to launch an investigation. It determined that a number of files had been encrypted as well as copied and taken from Houser’s network.
The data may have included Social Security numbers, driver’s license numbers, individual tax identification numbers, financial account information, medical information, and credit card numbers. According to Houser’s filing in Maine, the breach affected approximately 326,386 people. The investigation determined an unauthorized party had accessed Houser’s network between May 7th and May 9th.
In June 2023, the unauthorized actor informed Houser they had deleted copies of stolen data and would not distribute any stolen files. Houser did not provide additional detail regarding its communication with the actor.
What’s new
On January 18th, 2024, Houser said the third-party investigation had been completed. Houser went on to examine the data and results. The firm said the investigation and subsequent data examination was a resource and time-intensive process. Once complete, Houser began sending notices to impacted individuals on February 28th, 2024.
More recently, Houser is now facing a class action lawsuit filed by impacted individual Richard McMillen, who claims that Houser was negligent in securing data. The lawsuit includes allegations of negligence, invasion of privacy, breach of quasi-contract, and unjust enrichment.
What was said
Houser said upon discovering the cyberattack, the firm immediately began implementing additional safeguards, “These additional safeguards include, but are not limited to, deployment of RocketCyber, an endpoint detection and response tool. Houser has also implemented multi-factor authentication for Outlook 365, net extender VPN tunnel and remote desktop connection. Houser has also added ransomware detection software, implemented the use of phishing simulation software and conducted vulnerability assessment and penetration testing.”
While Houser is improving security measures, the class action suit has still been filed. According to the filing, the “plaintiff is very concerned about the theft of his PII and has and will continue to spend substantial amounts of time and energy monitoring his credit status…Had plaintiff known that the defendant or anyone in defendant’s position would not implement reasonable data security necessary to protect his PII, he would not have entrusted it, directly or indirectly, to defendant.”
The complaint further stated, “Assurances from cybercriminals that they deleted stolen, sensitive PII are worthless, as it involves trusting the very criminal actors who perpetrated the cyberattack in the first instance.”
Why it matters
The case stresses the time-consuming and resource-heavy process of investigating a cyber incident. Furthermore, it proves that even if data is not sold or distributed, a company can still be held responsible for allowing an attack to occur.
The public is increasingly aware of data protection laws and is quick to take action if it believes a company’s negligence may have caused a data breach.
The big picture
Healthcare companies, law firms, and financial institutions all have an obligation to protect customer and patient privacy. Once an attack occurs, a situation can quickly worsen and impact a company’s reputation as well as its financial and legal status.
Paubox is proud to say we have never experienced a data breach and know that secure technology is one of the best ways to prevent attacks from occurring.
Read more: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
