Detroit, Michigan-based law firm Warner Norcross and Judd (WNJ) has reported a data breach to the Department of Health and Human Services’ (HHS) affecting the PHI of 255,160 individuals. The notification comes following a client of the law firm, Priority Health’s breach notification letter, who had previously informed 120,000 clients of the incident.
According to a statement released on their website, WNJ had discovered suspicious unauthorized activity in their systems. The law firm promptly implemented its cybersecurity procedures and employed a cybersecurity specialist firm to conduct a comprehensive forensic investigation to determine the cause of the attack and the scope of the incident. The investigation concluded that the threat actors had gained access to systems which had contained patient personal and protected health information. The information obtained by the unauthorized third-party included full names, birth dates, Social Security numbers, driver’s license numbers, government issued IDs, annual compensation amounts, benefit contribution information, credit card or debit card numbers, credit card or debit card pins, financial accounts or routing numbers, passport numbers, patient account numbers, health information, and life insurance policy information.
Following the investigation, WNJ identified the email addresses of potentially affected individuals and issued breach notifications. In the notifications, WNJ detailed how affected individuals can better protect their information to mitigate harm caused by the atack and encouraged affected individuals to remain vigilant against any suspicious activity indicating identity theft and fraud. The law firm recommended those affected by the breach to notify their financial institution immediately and to report any fraudulent activity to the appropriate law enforcement authorities. To help detect this suspicious activity, WNJ is offering 12 months of credit monitoring and identity theft services to affected individuals free of charge.
Furthermore, the law firm also took several steps to ensure an attack of this nature does not occur again such as improving security policies and procedures and has apologized for any inconvenience caused by the breach. “Data privacy and security are among WNJ’s highest priorities,” the firm stated. “WNJ has taken steps to help prevent a similar incident from occurring in the future.”