Firm Confirms Ransom Payment for Assurance of Data Deletion Following Cyber Incident

Two law firms situated in Florida, with additional offices across the U.S., are alerting 282,100 individuals about potential compromises to their healthcare and personal information due to separate data breaches. Notably, one firm has acknowledged paying a ransom to secure a promise that stolen data would be deleted and not disseminated on the dark web.
A particularly severe breach was disclosed by Zumpano Patricios PA (ZP Law), a firm based in Coral Gables, which operates in five states and has international satellite offices. ZP Law said it informed the U.S. Department of Health and Human Services on July 3 that a cyber incident may have affected the HIPAA-protected health information of approximately 280,000 individuals.
ZP Law represents healthcare providers in disputes with insurers, often managing sensitive data from medical organizations, typically presented in spreadsheet formats. The firm reported identifying the cyber intrusion on May 6, but the specific date and time of the breach’s initiation remain undetermined.

The investigation indicated that an unauthorized actor accessed and potentially exfiltrated certain files from ZP Law’s IT infrastructure. The compromised data may include names, healthcare provider names, member ID numbers, details about insurance coverage, service dates, charges, Social Security numbers, clinical codes, and medical records.
In a distinct case, LaBovick Law Group, based in Palm Beach Gardens and with operations in Massachusetts, reported a breach to the Maine attorney general on July 16, revealing that an October 2024 incident had affected 2,825 individuals. LaBovick stated that the breach involved a “well-known ransomware group” that extracted data from an affected server.

Details of the compromised information varied among individuals and may include names, addresses, dates of birth, Social Security numbers, driver’s license numbers, bank account information, health insurance ID numbers, claims history, and medical records. In November 2024, LaBovick paid an undisclosed ransom, asserting that the cybercriminals confirmed the deletion of the stolen data.
According to attorney Paul Hales of the Hales Law Group, who is not involved in either case, responding to a ransom demand places law firms in a challenging position and calls for ethical and legal consideration during such negotiations. He noted that every law firm should assess the implications of ransom engagements carefully, framing it as a critical topic for continuing legal education.
Notably, the attacks on ZP Law and LaBovick Law Group are part of a concerning trend involving high-profile breaches targeting law firms with access to healthcare data. These firms often handle sensitive records that can be exploited for extortion, particularly in disputes over medical billing, as highlighted by Michael Hamilton, Field CISO at Lumifi Cyber. He pointed out that smaller firms often lack qualified cybersecurity personnel and are less regulated, making them attractive targets.
Law firms that safeguard highly sensitive client information, including protected health information (PHI), must uphold rigorous security standards. Compliance with HIPAA is also critical, since it imposes safeguards such as the ‘minimum necessary’ access standard. Such protective measures are essential to avoid becoming victims of similar breaches in the rapidly evolving landscape of cyber threats.
Recent data breaches in the legal sector have affected hundreds of thousands of individuals. For instance, Thompson Coburn LLP reported that a May 2024 hack affected over 305,000 individuals, while Orrick, Herrington & Sutcliffe disclosed an incident impacting approximately 638,000 individuals in July 2023. Both instances underscore the urgency for enhanced cybersecurity protocols within the legal profession.
As investigations into the ZP Law breach continue, several national firms are exploring potential class action litigation, one of which has already been initiated in Florida federal court.