Orrick, Herrington & Sutcliffe, a well-known global law firm recognized for its expertise in managing data breaches, has itself become the victim of a cyberattack, failing to safeguard its own systems and its clients' data from hackers. The attack occurred early last year and exposed the sensitive health information of hundreds of thousands of people.
The San Francisco-based law firm confirmed last week that hackers had successfully stolen personal information and sensitive health data of more than six hundred thousand data breach victims from a file share on its network during an intrusion in March 2023.
The breach involved unauthorized access to a vulnerable file share, compromising the personal information of 637,620 individuals, including clients, employees, and people connected to previous data breach litigation. The irony of a breach-response firm suffering its own breach was widely noted; beyond the exposure of personal data, the incident raised serious concerns about Orrick's security practices and about the state of cybersecurity more broadly.
Orrick, which typically assists companies facing security incidents like data breaches, acknowledged the breach in a series of notification letters sent to affected individuals. The hackers had stolen extensive data from Orrick’s systems related to security incidents at other companies where Orrick provided legal counsel.
The aftermath prompted a swift and comprehensive response from Orrick, involving notifications to affected individuals and relevant regulators, an internal investigation, and the implementation of additional security measures. The firm also faced litigation and public scrutiny, with clients questioning the effectiveness of their chosen data guardian.
Orrick revealed that the breached data included information from clients who had vision plans with EyeMed Vision Care, dental plans with Delta Dental, as well as data from health insurance company MultiPlan, behavioral health giant Beacon Health Options (now known as Carelon), and the U.S. Small Business Administration. The stolen data encompassed names, dates of birth, addresses, email addresses, government-issued identification numbers, medical treatment details, insurance claims information, healthcare insurance numbers, provider details, online account credentials, and credit or debit card numbers.
The repercussions were significant: damage to Orrick's reputation, lost business, and lawsuits alleging negligence and inadequate data security practices. In response, Orrick has invested heavily in cybersecurity tools and personnel, implemented stricter data access controls, and intensified employee training. The firm has also maintained ongoing communication with affected individuals and regulators, providing updates on the investigation and offering remediation services.
The Orrick data breach serves as a cautionary tale, emphasizing the persistent threat of cyberattacks and the vulnerability of even well-resourced organizations. It underscores the importance of robust cybersecurity practices, continuous vigilance, and clear communication in the aftermath of such events. Moreover, it raises questions about the effectiveness of current data privacy regulations and the need for stronger protections for individuals in the digital age.
While the incident undoubtedly had a significant impact on Orrick's reputation, the firm's ongoing efforts to address the breach and strengthen its security posture reflect a commitment to learning from the experience. The lessons from this event are likely to shape the practices and policies of other organizations navigating an increasingly complex digital landscape.
In December, Orrick informed a San Francisco federal court that it had reached an agreement in principle to settle four class action lawsuits, which accused Orrick of failing to promptly inform victims of the breach. An Orrick spokesperson expressed satisfaction with the settlement, emphasizing the ongoing focus on protecting their systems and client information.
“We are pleased to reach a settlement well within a year of the incident, which brings this matter to a close, and will continue our ongoing focus on protecting our systems and the information of our clients and our firm,” Orrick’s spokesperson added.
Below is the information Orrick, Herrington & Sutcliffe LLP submitted to the Maine Attorney General’s Office.
Data Breach Notifications
- Type of Organization: Other Commercial
- Entity Name: Orrick, Herrington & Sutcliffe LLP (updated)
- Street Address: 405 Howard Street
- City: San Francisco
- State, or Country if outside the US: CA
- Zip Code: 94105
- Name: Aravind Swaminathan
- Title: Partner
- Firm name (if different than entity):
- Telephone Number: (206) 639-9157
- Email Address: firstname.lastname@example.org
- Relationship to entity whose information was compromised: Partner
- Total number of persons affected (including residents): 637,620
- Total number of Maine residents affected: 830
- If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified: No
- Date(s) Breach Occurred: 02/28/2023
- Date Breach Discovered: 03/13/2023
- Description of the Breach:
  - External system breach (hacking)
  - Information Acquired – Name or other personal identifier in combination with: Social Security Number
Notification and Protection Services
- Type of Notification: Written
- Date(s) of consumer notification: 9/14/2023, 11/16/2023, 11/17/2023
- Copy of notice to affected Maine residents: Orrick, Herrington & Sutcliffe LLP – Individual Notices and Supplemental Notice of Security Incident – Combined.pdf
- Date of any previous (within 12 months) breach notifications: 7/20/2023, 8/18/2023
- Were identity theft protection services offered: Yes
- If yes, please provide the duration, the provider of the service and a brief description of the service: Two year Kroll identity monitoring services