In March 2023, the international law firm Orrick, Herrington & Sutcliffe (“Orrick”) suffered a cyberattack, exposing the sensitive information of over 637,000 individuals. The impact of the breach spread beyond the law firm: data from Orrick customers, many in the healthcare industry who shared Protected Health Information (“PHI”) with Orrick, was also exposed as part of the breach. Orrick is an unusual target for a cyberattack, as the firm specializes in cybersecurity and assists companies in handling security incidents and data breaches. The compromised data included names, dates of birth, addresses, email addresses, government-issued identification numbers, medical treatment and diagnosis information, insurance claims, and healthcare insurance numbers and provider details.
The breach has had a profound impact on Orrick’s operations and reputation. The firm has faced a number of class action lawsuits as a result of the breach. The lawsuits were consolidated into a single class action, raising questions about Orrick’s cybersecurity measures and its timeliness in addressing the breach. Despite the firm’s expertise in helping companies address security incidents and data breaches, the scale and severity of the breach challenged its preparedness and response mechanisms. In December, Orrick reached a settlement to resolve these lawsuits, emphasizing its commitment to protecting client data and systems. Orrick’s situation shows that even firms with expertise in cybersecurity can fall prey to sophisticated cyberattacks. This underscores the need for continuous improvement in cybersecurity measures, including regular updates to security protocols, employee training, and investment in advanced security technologies.
The Orrick breach also reflects a growing trend in cyber incidents where third-party vendors become gateways to larger data breaches. A staggering 60%+ of data breaches originate from third-party vendors. In Orrick’s case, the stolen data pertained to several high-profile clients, including EyeMed Vision Care, Delta Dental of California, MultiPlan, Beacon Health Options, and the U.S. Small Business Administration. The breach’s scope demonstrates how interconnected and vulnerable our digital ecosystems are, and how a single breach can have far-reaching consequences. When sharing sensitive information with vendors, organizations must conduct comprehensive assessments, continuously monitor vendors, and develop robust contingency plans to mitigate risks associated with third-party vendors.
In addition to grappling with the reputational damage from the exposure of sensitive PHI, Orrick’s customers could be held liable for the breach if they have not established robust practices for managing vendor risk. Third-party breaches can lead to class action lawsuits brought by affected individuals and can result in severe compliance violations, inviting scrutiny and fines from regulatory authorities for insufficient oversight of vendor risks. For example, HIPAA encompasses several provisions pertaining to vendor risk management, and organizations may face HIPAA violations if they neglect to manage vendor risks effectively in accordance with these standards.
This breach is a wake-up call for all organizations to reevaluate and fortify their vendor risk management strategies.
How ProcessBolt Can Help
ProcessBolt offers a fully integrated, AI-driven vendor risk management platform that uniquely enables organizations to assess and continuously monitor their vendor networks, while also leveraging the latest generative AI technology to extract intelligence from vendor corporate documentation.
Get in touch today to learn more about how ProcessBolt can help you effectively and efficiently manage vendor risk.