Data Breach at Law Firm Affects 300,000 Patients

A major data breach has occurred at Thompson Coburn LLP, a law firm representing Presbyterian Healthcare Services (PHS), exposing sensitive personal information of more than 300,000 individuals. The incident has led to a class-action lawsuit filed on November 12 in a federal court in Illinois, charging both entities with negligence in securing sensitive medical and personal data.

The breach reportedly took place between May 28 and May 29, 2024, through unauthorized access to Thompson Coburn’s network. The compromised data includes names, Social Security numbers, birth dates, medical record numbers, patient account information, prescriptions, and insurance details.

In legal filings, plaintiffs assert that both Thompson Coburn and PHS exhibited negligence concerning their cybersecurity practices, citing insufficient safeguards against recognized cyber threats. They argue that the heightened risks associated with healthcare data breaches necessitate the implementation of more stringent security measures by both organizations.

Healthcare information is a lucrative target on the dark web, often exploited for identity theft and fraudulent activities. As outlined by cybersecurity expert Steve Alder for HIPAA Journal, healthcare fraud takes longer to detect than fraud arising from other types of data breaches, which contributes to the desirability of healthcare data on illicit markets. This underscores the critical obligation of healthcare providers and their associated legal firms to protect sensitive patient information effectively.

This lawsuit reflects a troubling trend within the industry, where cyberattacks increasingly target not only healthcare providers but also their service partners, like law firms that manage extensive patient data. In 2024 alone, the average cost of a healthcare data breach reached nearly $9.8 million. This steep financial burden, exacerbated by an overreliance on digital records and outdated IT infrastructure, heightens the urgency for robust cybersecurity measures.

Further reports indicate that the healthcare sector experienced over 745 significant data breaches in 2023, affecting millions and exposing vulnerabilities that cybercriminals are eager to exploit. Such incidents have wide-ranging implications, as breaches often disrupt patient care, with ransomware attacks leading to serious operational challenges for healthcare facilities, including the potential for delayed surgeries and essential treatments.

In the wake of the breach, Thompson Coburn released a public notice detailing the incident and its response. It stated that each affected individual received specific notifications regarding the types of compromised data while emphasizing that no evidence of identity theft or fraud had been detected so far. Nevertheless, the firm is providing affected individuals with free credit monitoring and identity theft protection services. The notice also encourages vigilance in monitoring financial and healthcare statements for any suspicious activity, and offers a toll-free assistance line for further inquiries.

This incident serves as a cautionary tale for business owners regarding the significance of implementing stringent cybersecurity protocols. By understanding the MITRE ATT&CK framework, organizations can better identify potential methods used by adversaries, such as gaining initial access and leveraging persistence strategies to maintain access once inside the network. Given the evolving landscape of cyber threats, continuous improvements in cybersecurity practices are essential to safeguard sensitive data.
