Orrick, Herrington & Sutcliffe Data Breach Affected 637,000 Individuals
The Californian law firm Orrick, Herrington & Sutcliffe has recently confirmed that a cyberattack that was detected in March 2023 has affected more than 637,000 individuals. The Orrick, Herrington & Sutcliffe data breach was reported to the HHS’ Office for Civil Rights on June 30, 2023, as affecting 40,823 individuals, then on July 20, 2023, the law firm notified the Maine Attorney General that the breach had affected 152,818 individuals. An updated notification was sent to the Maine Attorney General on August 18, 2023, with an increased total of 461,100 affected individuals. Another update was issued on December 29, 2023, with an increased total of 637,620 individuals. This appears to be the final total, as the law firm said it does not anticipate providing notifications on behalf of any further affected businesses.
The services provided by Orrick, Herrington & Sutcliffe include legal counsel for companies that have suffered security incidents and data breaches, including handling regulatory requirements such as notifications to state authorities and the individuals whose sensitive data was exposed. The law firm’s experience in issuing notifications has grown considerably in 2023 with its own consumer notifications, which were sent in July, August, September, and November.
The nature of the services provided by the law firm means many of the individuals affected by the data breach had been affected by data breaches at other companies who availed of Orrick, Herrington & Sutcliffe’s services for their own breach responses. For instance, individuals who had vision plans from EyeMed Vision Care, dental plans from Delta Dental, and health insurance from MultiPlan and Beacon Health Options (Carelon). Another client affected was the U.S. Small Business Administration.
Settlement Proposed to Resolve Class Action Data Breach Lawsuits
Several lawsuits were filed in response to the data breach that Orrick, Herrington & Sutcliffe has chosen to settle quickly. Four of those lawsuits made similar claims and were consolidated into a single class action lawsuit in California Federal Court – In Re: Orrick, Herrington & Sutcliffe LLP Data Breach Litigation. The lawsuits alleged the law firm should have been well aware of the risk of ransomware attacks and data breaches due to extensive media reports, warnings from the Federal Bureau of Investigation, and the attacks suffered by the law firm’s clients. They claimed the cyberattack and data breach could have and should have been prevented had the law firm implemented necessary and appropriate cybersecurity measures and followed industry best practices for cybersecurity.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
In a court filing on December 21, 2023, Orrick, Herrington & Sutcliffe said a settlement is being finalized and an agreement in principle has been reached. The law firm said it expects to present the settlement to U.S. District Judge Susan Illston for approval in early January. Orrick, Herrington & Sutcliffe issued a statement saying it regretted the “inconvenience and distraction that this malicious incident caused,” and that the law firm is happy to have reached a settlement within a year to bring the matter to a close. Details of the settlement have yet to be made public; however, attorney William Federman, who is representing the plaintiffs, confirmed that the settlement is reasonable and fair and will resolve all pending litigation.
In April 2024, a proposed $8 million settlement received preliminary approval from the court.
