Breach Notification,
Cybercrime,
Fraud Management & Cybercrime
Did Data Theft at Law Firm Also Compromise Information of Other Clients?
Thompson Coburn, a national law firm based in Missouri focusing on data breach law, has itself fallen victim to a cyberattack. The incident potentially affects patient information belonging to Presbyterian Healthcare Services, a healthcare client that has reported multiple breaches over the past five years. Notably, it remains unclear whether additional clients of Thompson Coburn were impacted by this breach.
The law firm announced in a notice posted on Presbyterian Healthcare Services’ website that the breach was detected on May 29, following the identification of suspicious activity within their network. Unauthorized access was confirmed to have occurred between May 28 and May 29, leading to the theft of sensitive files.
Presbyterian Healthcare Services operates over 100 clinics and nine hospitals across New Mexico, offering various health plans, including Medicare Advantage and state Medicaid options. The compromised data reportedly includes protected health information (PHI), such as patient names, Social Security numbers, birthdates, and medical records.
As of the latest update, this incident has not yet been reported to the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool, which lists breaches affecting 500 or more individuals. Thompson Coburn has stated that, to date, no evidence of identity theft or fraudulent activity has emerged from this breach. They have initiated an investigation and adopted additional security measures in response to the incident.
The law firm has not specified whether information from other clients may have been compromised. Experts suspect this could be a possibility, given that if the attackers gained access to the network, they might have also targeted other sensitive data. Digital forensics will likely play a critical role in determining the full extent of the breach and the data accessed.
For notifications related to data breaches, the primary responsibility lies with the healthcare entity itself, and there may be a delay before affected individuals are informed. It’s also possible that Thompson Coburn is still assessing the situation to identify any further impacts. This incident illustrates an ongoing trend of law firms experiencing breaches that expose healthcare clients’ patient data, a concern echoed in recent high-profile cases.
The incident involving Thompson Coburn is a reminder of the vulnerabilities that exist in the cybersecurity landscape. Protecting sensitive healthcare data necessitates stringent communication and operational protocols between law firms and their clients. Adherence to the MITRE ATT&CK framework suggests that tactics such as initial access, lateral movement, and data exfiltration may have been employed in this attack. As the investigation unfolds, understanding how to improve data security across all touchpoints remains critical for firms handling sensitive information.
