Smith, Gambrell & Russell, LLP
Breach Description
Smith, Gambrell & Russell, LLP (SGR), a law firm based in Atlanta, Georgia, experienced a significant cybersecurity breach in July 2021, which was discovered in August 2021. This breach led to the exposure of sensitive personal information of more than 19,000 individuals, including clients, customers, and employees of the firm. The compromised data included names, Social Security numbers, health information, and driver’s license numbers[1][2][3][4].
The firm faced criticism and legal action for its delayed response in notifying the affected individuals. While the breach occurred in July 2021, the firm began notifying affected individuals about a year later, in August 2022, according to one lawsuit. Another lawsuit claims that notifications did not start until January 2023[1]. The discrepancy in notification timelines has been a point of contention in the lawsuits filed against the firm.
Two proposed class action lawsuits were filed against SGR, alleging negligence, breach of implied contract, invasion of privacy, and violation of California law, among other claims. The lawsuits criticized the firm for failing to have adequate security procedures in place, allowing unrestricted access to sensitive information, failing to adequately train employees in data security, lacking measures to detect security breaches, and failing to encrypt sensitive information[1][3].
In response to the breach, SGR took several steps to address the incident and prevent future occurrences. These measures included deploying enhanced endpoint monitoring software, performing a global password reset, providing additional security training, and implementing several other security controls. The firm also cooperated with law enforcement and offered credit monitoring and identity theft protection services through IDX to the affected individuals[4].
The breach at Smith, Gambrell & Russell, LLP underscores the growing concern over cybersecurity in the legal industry, where firms are increasingly targeted due to the sensitive and valuable information they handle. This incident serves as a reminder of the importance of robust cybersecurity measures and prompt incident response protocols to protect client and employee data[1][3][10][12].
Citations:
1. https://www.abajournal.com/news/article/smith-gambrell-faces-2-lawsuits-over-late-disclosure-of-hack-said-to-have-exposed-client-information
2. https://apps.web.maine.gov/online/aeviewer/ME/40/df81bbd1-bc75-4a43-8141-71de14f7760d.shtml
3. https://news.bloomberglaw.com/litigation/smith-gambrell-law-firm-hit-with-class-suits-over-data-breach
4. https://www.sgrlaw.com/notice-of-data-security-incident/
5. https://www.doj.nh.gov/consumer/security-breaches/documents/smith-gambrell-russell-20221213.pdf
6. https://www.law.com/americanlawyer/2024/01/05/orricks-data-breach-was-bigger-than-previously-reported/?slreturn=20240016183309
7. https://www.classaction.org/news/georgia-law-firm-to-blame-for-data-breach-affecting-19k-people-class-action-says
8. https://www.law360.com/articles/1711096/smith-gambrell-can-t-shake-data-breach-suit-court-told
9. https://www.law360.com/articles/1583774/smith-gambrell-hit-with-class-action-over-2021-data-breach
10. https://news.bloomberglaw.com/business-and-practice/law-firm-cyberattacks-grow-putting-operations-in-legal-peril
11. https://www.sgrlaw.com/georgia-supreme-court-looking-at-data-breach-liability/
12. https://www.abajournal.com/news/article/law-firms-are-targeted-in-cyberattacks-and-hacking-lawsuits
13. https://www.law360.com/articles/1683495/smith-gambrell-data-breach-suit-withdrawn-in-georgia
14. https://www.law.com/americanlawyer/2023/09/28/orrick-data-breach-leads-to-another-class-action-investigation/?slreturn=20240016183308
15. https://news.bloomberglaw.com
16. https://www.sgrlaw.com/material-breach-and-the-consequences-of-being-wrong/