Orrick, Herrington & Sutcliffe Pay $8 Million to Settle Class Action Data Breach Lawsuit
The law firm Orrick, Herrington & Sutcliffe, based in San Francisco, CA, is paying $8 million to settle a class action lawsuit associated with a cyberattack and data breach in 2023.
The law firm, which is experienced in helping businesses deal with security breaches, discovered on March 13, 2023 that hackers had gained access to its system. The forensic investigation revealed that the attackers had access for about two weeks, from February 28 to March 13, 2023, before the attack was discovered. The personal data and protected health information (PHI) of 637,620 people were compromised. The firm took months to determine the number of individuals impacted by this HIPAA violation and mailed the last set of notification letters to the affected persons in January 2024. The impacted persons received 2 years of free credit monitoring services.
Orrick, Herrington & Sutcliffe faced a lawsuit filed in the U.S. District Court for the Northern District of California immediately after the breach announcement. The lawsuit made several accusations, including failure to protect its systems, failure to prevent and stop the breach, failure to identify the breach promptly, and failure to disclose that it lacked sufficient system security measures to prevent data breaches. The lawsuit additionally claimed that Orrick, Herrington & Sutcliffe failed to keep its promises and representations to safeguard the data of the breach victims and failed to provide prompt notifications. Other lawsuits with similar claims were filed against the firm and were consolidated into one class action lawsuit, In re Orrick Herrington & Sutcliffe LLP Data Breach Litig.
The plaintiffs claimed they suffered harm as a result of the data breach, including receiving many spam emails and telephone calls, attempted and actual identity theft, and other misuse of their personal data. Orrick, Herrington & Sutcliffe did not admit any liability or wrongdoing and stated that it is sorry for the trouble and disruption caused by the malicious incident. Class counsel considered the proposed settlement acceptable and fair, and it has received initial court approval. Under the terms of the settlement, class counsel could claim around 25% of the settlement amount after the deduction of expenses of around $50,000 and lead plaintiffs' service awards of around $2,500. The rest of the settlement covers claims from persons impacted by the data breach.
The settlement provides around 5 hours of compensation for lost time at $25 per hour, reimbursement of around $2,500 for unreimbursed out-of-pocket costs, reimbursement of around $7,500 for extraordinary losses such as identity theft and fraud, and 3 years of three-bureau credit monitoring services. Residents of California can claim a cash payment of $150. Class members who opt not to file a claim for lost time, out-of-pocket costs, and extraordinary losses may instead file a claim for a cash payment of $75.
Ernest Health Faces Lawsuit Due to a Ransomware Attack and Data Breach in 2024
The Texas health system Ernest Health is being sued by patients whose protected health information was exposed in a recent cyberattack. The lawsuit potentially relates to the theft of the data of at least 97,078 patients. Ernest Health manages hospitals in Arizona, Colorado, California, Montana, New Mexico, Indiana, Idaho, South Carolina, Ohio, Texas, Utah, Wyoming, and Wisconsin. On February 1, 2024, Ernest Health detected suspicious activity in its networks. The investigation confirmed there was unauthorized access to its network from January 16, 2024 to February 4, 2024. The LockBit ransomware group claimed responsibility for the attack and threatened to post the stolen information on its leak site. Ernest Health stated that the breached information included names, contact information, birth dates, health plan IDs, health information, Social Security numbers, and driver's license numbers.
A lawsuit was filed by Joe Lara and Lauri Cook on behalf of themselves and similarly situated individuals whose personal information and PHI were breached in the Ernest Health cyberattack. The lawsuit claims that Ernest Health lost control of the files of current and former patients because of inadequate cybersecurity safeguards and insufficient cybersecurity training for its workers, which meant it had no effective means to identify, prevent, or stop the attack. The plaintiffs state that it took 73 days from the initial breach for Ernest Health to send individual notifications, which denied them the chance to mitigate their injuries quickly.
Although Ernest Health stated that it implemented additional security measures in response to the breach, the plaintiffs assert that the health system's response to the breach was insufficient and late, and that providing complimentary credit monitoring and identity theft protection services is not enough. The lawsuit alleges breach of implied contract, negligence, negligence per se, invasion of privacy, unjust enrichment, and breach of fiduciary duty, and seeks a jury trial, declaratory and other equitable relief, injunctive relief, statutory damages, and compensatory, exemplary, and punitive damages. The plaintiffs and class are represented by Joe Kendall of the Kendall Law Group, and Samuel J. Strauss and Raina Borrelli of the law firm Turke & Strauss.