Orrick, Herrington & Sutcliffe, a popular San Francisco-based international law firm, recently fell victim to a data leak operation that resulted in the Orrick data breach incident.
The Orrick, Herrington & Sutcliffe data breach, discovered in March 2023, exposed sensitive health information belonging to more than 637,000 data breach victims.
The intrusion into Orrick’s network compromised a file share, revealing personal information and sensitive health data of victims. The affected individuals, numbering 637,620, included 830 residents from Maine.
The Orrick data leak, classified as an external system breach caused by hacking, occurred on 02/28/2023, with discovery reported on 03/13/2023.
Orrick Data Breach Explained
The stolen data encompassed a vast array of information, including names, dates of birth, addresses, email addresses, and government-issued identification numbers like Social Security, passport, driver’s license, and tax identification numbers.
Additionally, medical treatment details, insurance claims information, healthcare insurance numbers, provider details, online account credentials, and credit/debit card numbers were compromised.
According to the official filing, Orrick took prompt action by notifying affected individuals through written notifications on 9/14/2023, 11/16/2023, and 11/17/2023. Identity theft protection services were offered in the form of a two-year Kroll identity monitoring service.
The Orrick data leak implicated data related to security incidents at other companies for which Orrick provided legal counsel. Clients affected included individuals with vision plans from EyeMed Vision Care, dental plans from Delta Dental, and data from health insurance company MultiPlan, behavioral health giant Beacon Health Options (now known as Carelon), and the U.S. Small Business Administration.
Ongoing Investigations and Legal Implications
The Cyber Express has reached out to the law firm to learn more about the nature of the Orrick, Herrington & Sutcliffe data breach and if there were any ransomware groups involved.
The organization, in a response to TCE, said, “We regret the inconvenience and distraction that this malicious incident caused. We made it our priority to resolve it as quickly as possible for our clients, the individuals whose data was impacted, and our team. We are pleased to reach a settlement well within a year of the incident, which brings this matter to a close, and will continue our ongoing focus on protecting our systems and the information of our clients and our firm. ”
The law firm is also in the process of settling the class-action lawsuit stemming from the data breach, where clients’ personal information was compromised. The firm, admitting to the inconvenience caused, reached an initial agreement in principle to settle four consolidated lawsuits involving hundreds of thousands of alleged victims.
Although settlement details remain undisclosed, Orrick aims to finalize terms within 15 days. The proposed resolution, pending approval from U.S. District Judge Susan Illston, seeks to address all claims related to the breach, which exposed sensitive information of thousands of individuals, including names, addresses, dates of birth, and Social Security numbers.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
