Law Firm Cyberattack Exposes Tens of Thousands of Patient Records

Cybercriminals prefer to target entities like law firms because of the enterprise data they possess.

Edward Gately, Senior News Editor

February 17, 2021


A law firm cyberattack potentially exposed the personal health information of more than 36,000 University of Pittsburgh Medical Center (UPMC) patients.

That’s according to a Text IQ analysis of the attack on Charles J. Hilton & Associates.

The law firm provides legal services to UPMC. According to Infosecurity, the firm discovered suspicious activity in its employee email system last June. An investigation determined hackers gained access to several employee email accounts between April 1 and June 25.

Cybercriminals prefer to target entities like law firms since they have enterprise data. In addition, law firms, unlike enterprises, may not spend tens of millions of dollars each year on cybersecurity.

We spoke with Apoorv Agarwal, Text IQ's co-founder and CEO, to find out more about the law firm cyberattack.

Channel Futures: How did cybercriminals carry out the law firm cyberattack? Why was this cyberattack successful?


Text IQ’s Apoorv Agarwal

Apoorv Agarwal: Generally, digital forensics handles the cyber investigation of a data breach, and should identify the cause and scope of the attack. In this case, the specific details have not yet been released. But during the COVID-19 pandemic, we have seen a staggering 109% year-over-year increase in U.S. ransomware attacks in the first half of 2020. With employees working from home, away from the safety of office firewalls and strict protocols, companies have scrambled to bolster their cyber defenses and perpetrators have run rampant.

CF: What will be the likely impact of this law firm cyberattack?

AA: The sensitive information that was compromised included several employees and possibly patients who likely reside in different states and possibly countries. The current regulatory landscape includes a patchwork of data privacy and data breach laws. That means the notification obligations and corresponding penalties vary widely. For example, much of the exposed health care data is regulated by HIPAA, while the personal information that was exposed is covered by state-level data breach laws. Without understanding whose data has been breached, impacted entities are compelled to issue blanket notifications for all the people potentially impacted. This means the law firm will have to provide notifications to all the states in which the patients reside, as well as the U.S. Department of Health and Human Services, even if the amount of data and information types do not meet the reporting threshold for some states.

CF: Are we seeing an increase in law firms targeted by cybercriminals? If so, why?

AA: According to the American Bar Association and the U.S. Department of Justice, 25% of all law firms have been subjected to or experienced some form of a data breach involving hackers. Law firms are a vulnerable target for cybercriminals for three reasons. First, they tend to have access to highly sensitive data. Generally, the kind of information you exchange with a law firm has a higher degree of sensitivity than that exchanged with other partners. Second, a law firm has access to data from several enterprise clients, which for a cybercriminal can mean more reward for a similar level of effort. Third, they invest much less in cybersecurity compared to enterprises. 

Deloitte estimates large enterprises such as major financial institutions spend on average about $2,300 per employee on cybersecurity. Microsoft alone will spend $1 billion annually for cybersecurity.

CF: What aren’t law firms doing that they should be doing to fend off these attacks?

AA: There are three things law firms should be doing to fend off these attacks. First, investing in their own cybersecurity capabilities, including processes, technologies and training for lawyers within the firm to boost awareness of the risks to sensitive information. Second, investing in technologies, including [machine learning], which operate in highly secure remote cloud environments and reduce the number of humans that are needed to review sensitive data. Each body that has access to sensitive information adds a degree of risk. An additional security precaution to limit access to sensitive data is to redact personal or health information in reports or other documents.

Finally, there are a number of vendors with highly secure data centers or cloud deployments which law firms can work with to manage their client data. Although some law firms will justify the investment in internal cybersecurity protocols, for many firms the simpler path will be partnering with firms that have expertise and maturity in a highly secure environment.
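Agarwal's third point above, redacting personal or health information before a document is shared, is the one that can be shown in code. The block below is an added example written for this article, not Text IQ's software or anything from the Charles J. Hilton & Associates investigation. The patterns, the sample client note and the `[LABEL REDACTED]` markers are all constructed here; the regular expressions cover only structured identifiers (SSNs, dates, phone numbers, e-mail addresses, medical record numbers), and the comments note that free-text names are exactly the part that needs the machine-learning tooling the interview mentions.

```python
import re

# Structured identifiers that show up in legal and health-care paperwork.
# Constructed for this example; not a complete PHI catalogue.
# Order matters: SSN runs before PHONE and DATE so their digit groups
# cannot be claimed by a looser pattern first.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Only the number after "MRN " or "MRN:" is replaced; the label is kept
    # so reviewers can still see what kind of field was redacted.
    "MRN": re.compile(r"(?<=\bMRN[ :])\d{6,10}\b"),
    # Leading (?<!\d) instead of \b so "(412) 555-0143" is consumed whole.
    "PHONE": re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "DATE": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
}


def redact(text: str) -> tuple[str, dict[str, int]]:
    """Replace each matched identifier with a labelled marker.

    Returns the redacted text and a per-category count so the reviewer
    can confirm what was removed without seeing the original values.
    Names (e.g. "Jane Doe") are NOT handled here: free-text names have no
    fixed shape and need an entity-recognition model, which is the
    machine-learning step the interview refers to.
    """
    counts: dict[str, int] = {}
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{label} REDACTED]", text)
        if n:
            counts[label] = n
    return text, counts


def residual_digit_runs(text: str, min_len: int = 6) -> list[str]:
    """Post-check: list long digit runs that survived redaction.

    A non-empty result is a signal that some identifier format was not
    covered by PATTERNS and the document should not be released yet.
    """
    return re.findall(rf"\d{{{min_len},}}", text)


# Constructed sample client note (fictional person and values).
SAMPLE = """Client: Jane Doe, DOB 04/12/1978, SSN 123-45-6789, MRN 00485512.
Contact: jane.doe@example.com, (412) 555-0143.
Visit 2020-06-25: allergies noted; see attached results."""


if __name__ == "__main__":
    redacted, summary = redact(SAMPLE)
    print(redacted)
    print("removed:", summary)
    print("residual digit runs:", residual_digit_runs(redacted))
```

The `residual_digit_runs` check is the part worth keeping in any real pipeline: pattern-based redaction silently misses whatever format it was never told about, so a document should only go out when a second, independent scan finds nothing left.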

CF: What can MSSPs and other cybersecurity providers do to help stop law firm cyberattacks?

AA: Ultimately, cybersecurity can only do so much in helping law firms minimize their risk of data breaches. No matter how secure the locks on your door are, eventually, bad actors are going to get in. Law firms, as well as enterprises, have to have a robust understanding of what types of sensitive information they collect, where they are and what this information is being used for. Traditionally, this has been a huge ask because the volume of data firms collect has exploded exponentially. Nowadays, enterprises and law firms are increasingly turning to [artificial intelligence] technology companies to illuminate the areas of risk and sensitivity in their unstructured and structured data.

SolarWinds Hack: Many Detections ‘Largely Ignored’

A new report by ExtraHop shows the Sunburst exploit behind the massive SolarWinds hack went largely ignored for several months.

ExtraHop also released an expanded list of 1,700 Sunburst indicators of compromise (IOCs) it observed across affected environments protected by its Reveal(x).

The SolarWinds espionage campaign has heavily impacted the federal government and cybersecurity industry. Russian hackers reportedly carried out the attack. In a 60 Minutes interview, Microsoft president Brad Smith said more than 1,000 engineers likely worked on these attacks.

Sri Sundaralingam is vice president of security at ExtraHop.


ExtraHop’s Sri Sundaralingam

“In looking back at the SolarWinds attack, the biggest surprise wasn’t who was behind it, or the method they used to gain entry,” he said. “It wasn’t even the amount of time they were able to fly under the radar. The biggest surprise for us was the fact that patterns of malicious activity stemming from Sunburst were, in fact, detected on the network. We saw a major spike in detections between March and October.”

Between late March and early October, detections increased 150%. That showed a “significant and suspicious change” in behavior on the network.

SolarWinds is trusted on the network, Sundaralingam said. Moreover, many traditional methods of detection weren’t picking up the activity.

Because of that, “these detections went largely ignored,” he said.

Sunburst was purpose-built to evade tools like endpoint detection and response (EDR) and antivirus, he said.

“Before resorting to unnecessary finger pointing, it’s important to remember that this was an incredibly sophisticated attack that would have been extremely difficult to prevent,” Sundaralingam said. “And secondly, it’s worth considering the challenging circumstances under which most security professionals are working. A busy SOC analyst often has to make a series of rapid decisions about what’s real, what isn’t, what deserves investigation and what doesn’t.”

Further complicating matters, SolarWinds is notoriously noisy on the network. Therefore, it frequently triggers alerts, including many that are false alarms.
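The two observations above, that detections tied to the compromised component rose sharply over several months and that the same component is noisy enough that its alerts are routinely tuned out, point at a triage approach worth showing. The block below is an added example for this article, not ExtraHop's Reveal(x) logic or any of its published indicators: it reads constructed weekly detection counts per alert source, builds a per-source baseline from the first few weeks, and flags later weeks whose count exceeds the baseline by a configurable ratio. The log format, source names, counts and threshold are all made up here; the point is that ranking by raw volume hides the surge, while a per-source rate-of-change check surfaces it.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed weekly roll-up of detections per alert source. The shape is
# invented for this example; real tooling would export something similar
# from its own alert store.
LOG = """\
2020-02-03 source=solarwinds-orion detections=40
2020-02-10 source=solarwinds-orion detections=38
2020-02-17 source=solarwinds-orion detections=42
2020-02-24 source=solarwinds-orion detections=41
2020-03-02 source=solarwinds-orion detections=39
2020-03-30 source=solarwinds-orion detections=71
2020-04-06 source=solarwinds-orion detections=95
2020-04-13 source=solarwinds-orion detections=104
2020-02-03 source=vuln-scanner detections=120
2020-02-10 source=vuln-scanner detections=118
2020-02-17 source=vuln-scanner detections=125
2020-02-24 source=vuln-scanner detections=119
2020-03-02 source=vuln-scanner detections=122
2020-03-30 source=vuln-scanner detections=124
2020-04-06 source=vuln-scanner detections=117
2020-04-13 source=vuln-scanner detections=121
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) source=(\S+) detections=(\d+)$")


def parse(log_text: str) -> dict[str, list[tuple[str, int]]]:
    """Group (week, count) points by source, sorted by week."""
    series: dict[str, list[tuple[str, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:  # skip malformed lines rather than abort the whole run
            continue
        week, source, n = m.groups()
        series[source].append((week, int(n)))
    for points in series.values():
        points.sort()
    return dict(series)


def total_volume(log_text: str) -> dict[str, int]:
    """Raw alert volume per source: the view that makes the noisy tool dominate."""
    return {s: sum(n for _, n in pts) for s, pts in parse(log_text).items()}


def flag_surges(log_text: str, baseline_weeks: int = 4, ratio: float = 1.5) -> dict:
    """Flag weeks where a source's count is >= ratio * its own baseline.

    The baseline is the median of the source's first `baseline_weeks` weeks,
    so a source that is always loud (the scanner) is judged against its own
    normal level, not against quieter sources.
    """
    surges = {}
    for source, points in parse(log_text).items():
        if len(points) <= baseline_weeks:
            continue  # not enough history to form a baseline
        base = median(n for _, n in points[:baseline_weeks]) or 1  # avoid /0
        hits = [
            (week, n, round(n / base, 2))
            for week, n in points[baseline_weeks:]
            if n >= base * ratio
        ]
        if hits:
            surges[source] = hits
    return surges


if __name__ == "__main__":
    print("volume ranking:", total_volume(LOG))
    for source, hits in flag_surges(LOG).items():
        for week, n, r in hits:
            print(f"{source}: week {week} count={n} ({r}x baseline)")
```

Run as-is, the volume ranking puts the scanner first and the monitoring tool second, which is the ordering an analyst sees when sorting by count; `flag_surges` instead reports only the monitoring tool, starting with the week its count first cleared 1.5 times its own median. Tune `baseline_weeks` and `ratio` to the environment; the article's 150% figure corresponds to `ratio=2.5`.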

The SolarWinds attack illustrates the vast attack surface of the ever-growing software supply chain, he said.

This event proves cybersecurity must be a top priority in national security, he said. These attacks have impacted the economy, government, citizens and critical infrastructure. Furthermore, there’s been relative impunity thus far for the attackers.

More attacks are coming if government and private organizations don’t improve their cybersecurity, Sundaralingam said.

There are a few takeaways from Sunburst for MSSPs and other cybersecurity providers, he said. First, advanced threats evade tried-and-true security tools.

“You can’t just rely on preventive-based security controls approach anymore,” Sundaralingam said. “Organizations around the world need best-of-breed detection and response solutions that don’t rely on any single vendor.”

Second, nation-state cybercriminals know how to disable agents, Sundaralingam said. Moreover, they know how to erase logs. When they can’t, they find other ways in.

But they can’t evade network-based detection. That’s because their activity becomes part of that network activity. You can’t move laterally if you’re not on the network. You can’t escalate privileges if you’re not on the network.

Finally, you need to find out what the hackers compromised.

“Organizations need to start operating with a mindset that a breach investigation is going to require more than a few days or a few weeks of lookback,” Sundaralingam said.

New Simulation Training Mimics Supply Side Attacks

Cloud Range has developed and released new simulation training for detection of supply side attacks like the SolarWinds hack.

A supply chain attack needs only to find the weakest link in a network to be successful, the company said. This type of attack, as a result, proves difficult to prepare for without experiencing it in a live environment.

Debbie Gordon is Cloud Range’s founder and CEO.


Cloud Range’s Debbie Gordon

“Cloud Range has developed this new supply side compromise attack scenario to provide security teams with the opportunity to practice detecting and responding to this attack type in a safe, simulated environment in order to prepare them for a similar attack that may happen in real life in the future,” she said.

Cyber defenders can “build muscle memory” and gain skills to make decisions in a split second, Gordon said.

Cyber professionals are immersed in real world cyberattacks, like the SolarWinds attack, in a safe virtual environment.

“These attacks are especially difficult to identify because the attack is coming from an otherwise trusted source,” Gordon said. “As information security matures, attackers are finding fewer soft targets remain every year. But as the name suggests, a supply chain attack need only find the weakest link in a network to be successful.”

Every SOC relies on third-party tools to perform its work, she said. Frequently patching and updating software addresses the overwhelming majority of security vulnerabilities. They’re two of the most valuable tools in the workbench of security personnel.

“A supply side compromise occurs when an update or patch from a third party tool has trojanized malware buried within it, waiting to spring into action once installed within an organization,” Gordon said.

By leveraging Cloud Range’s cyber range simulation exercises, MSSPs are more effective and can establish market leadership by showing customers they are proactively preparing for cyberattacks, she said.

“Cloud Range helps MSSPs and other cybersecurity providers meet their customers’ expectations by ensuring their team is constantly practicing and honing their skills in order to keep up with the growing threat landscape,” Gordon said.

Approov: Mobile Health Care Apps Leaking Sensitive Data

Many popular mobile health care apps are leaking sensitive patient data through their APIs, potentially compromising millions of patients.

That’s according to new findings issued by Approov and cybersecurity researcher Alissa Knight.

The study tested 30 popular mobile health apps. The apps exposed a minimum of 23 million users. The average number of downloads for each app tested was more than 772,000. Analysts expect the number of users exposed by the apps now available on major app stores is likely far greater.

Among vulnerabilities detailed in the report:

  • One-half (50%) of the records accessed contained names, social security numbers, addresses, birthdates, allergies, medications and other sensitive patient data.

  • One-half of the APIs tested allowed users to access the pathology, x-rays and clinical results of other patients.

  • One-half of the APIs tested also did not authenticate requests with tokens.

David Stewart is Approov's CEO.


Approov’s David Stewart

“The value of health care records on the dark web is $1,000 or six times the value of credit cards,” he said. “It’s very sensitive information because you can learn a lot about someone by reading their health care record.”

Cybercriminals will be all over this, Stewart said. That’s because people are paying that much for the information.

The pandemic has pushed services delivered by mobile apps into the spotlight, Stewart said. Health care organizations need to up their game regarding app and related API security.

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
