Orrick Herrington & Sutcliffe LLP Breach Incident
High-Level Summary of the Security Advisory
Orrick Herrington & Sutcliffe LLP, an international law firm specializing in finance, corporate and technology law, compensation and benefits, global infrastructure, litigation, and real estate, recently experienced a data breach.
According to an official filing (dated December 28, 2023) with the Office of the Maine Attorney General and reported by sources like TheCyberExpress, SecurityWeek, The Orrick, Herrington & Sutcliffe LLP data breach discovered in March 2023, exposed sensitive health information belonging to more than 637,620 individuals. The incident, detected on March 13, 2023, involved an unauthorized third party gaining remote access to a segment of Orrick’s network, including a file share used to store certain client files. Upon detection, Orrick promptly blocked the unauthorized access, initiated a response process, and launched an investigation with the assistance of third-party cybersecurity experts. No further unauthorized activity has been identified since the incident’s detection on March 13. It was determined that the unauthorized actor obtained files containing personal information primarily between February 28 and March 13, 2023.
Orrick notified impacted Clients and where relevant its Clients’ customers as well. As reported by Orrick, depending on the individual, the information affected may have included:
Name, address, email address, date of birth, Social Security number, driver’s license or other government-issued identification number, passport number, financial account information, tax identification number, medical treatment and/or diagnosis information, claims information (date, cost of services, and claims identifiers), health insurance identification number, healthcare provider, medical record number, prescriber name, healthcare provider license number, incidental health reference, online account credentials, and credit or debit card number.
Should I be concerned?
Maybe. It depends on if you have a relationship with Orrick. Do your due diligence by checking with internal teams if there is a relationship in place, and gain an understanding of its capacity.
What to do if you or your vendors have an active relationship with Orrick
According to the notice, Orrick has deployed additional security measures and tools with the guidance of third-party experts to strengthen the ongoing security of its Network. Further, it has established a dedicated call center to answer questions of impacted Clients or individuals.
Orrick has advised its customers to remain vigilant against attempts at identity theft or fraud, which includes carefully reviewing online and financial accounts, credit reports, and Explanations of Benefits (“EOBs”) from your health insurers for suspicious activity.
We recommend that you promptly reach out to the Orrick team and conduct a thorough investigation to assess any potential impact on your organization’s data. Subsequently, implement the requisite remedial actions.
Send an AI-powered assessment for free
VISO’s freemium offering and tap into our robust database of 2.5 million companies to deploy a fast and simple AI-powered vendor risk assessment.
Stay informed on third-party breaches and what you can do to reduce risk by subscribing to this newsletter.