Smith, Gambrell & Russell, LLP

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Smith, Gambrell & Russell, LLP (SGR), a law firm based in Atlanta, Georgia, experienced a significant cybersecurity breach in July 2021, which was discovered in August 2021. This breach led to the exposure of sensitive personal information of more than 19,000 individuals, including clients, customers, and employees of the firm. The compromised data included names, Social Security numbers, health information, and driver’s license numbers[1][2][3][4].

The firm faced criticism and legal action for its delayed response in notifying the affected individuals. While the breach occurred in July 2021, the firm began notifying affected individuals about a year later, in August 2022, according to one lawsuit. Another lawsuit claims that notifications did not start until January 2023[1]. The discrepancy in notification timelines has been a point of contention in the lawsuits filed against the firm.

Two proposed class action lawsuits were filed against SGR, alleging negligence, breach of implied contract, invasion of privacy, and violation of California law, among other claims. The lawsuits criticized the firm for failing to have adequate security procedures in place, allowing unrestricted access to sensitive information, failing to adequately train employees in data security, lacking measures to detect security breaches, and failing to encrypt sensitive information[1][3].

In response to the breach, SGR took several steps to address the incident and prevent future occurrences. These measures included deploying enhanced endpoint monitoring software, performing a global password reset, providing additional security training, and implementing several other security controls. The firm also cooperated with law enforcement and offered credit monitoring and identity theft protection services through IDX to the affected individuals[4].

The breach at Smith, Gambrell & Russell, LLP underscores the growing concern over cybersecurity in the legal industry, where firms are increasingly targeted due to the sensitive and valuable information they handle. This incident serves as a reminder of the importance of robust cybersecurity measures and prompt incident response protocols to protect client and employee data[1][3][10][12].

Citations:

  1. https://www.abajournal.com/news/article/smith-gambrell-faces-2-lawsuits-over-late-disclosure-of-hack-said-to-have-exposed-client-information
  2. https://apps.web.maine.gov/online/aeviewer/ME/40/df81bbd1-bc75-4a43-8141-71de14f7760d.shtml
  3. https://news.bloomberglaw.com/litigation/smith-gambrell-law-firm-hit-with-class-suits-over-data-breach
  4. https://www.sgrlaw.com/notice-of-data-security-incident/
  5. https://www.doj.nh.gov/consumer/security-breaches/documents/smith-gambrell-russell-20221213.pdf
  6. https://www.law.com/americanlawyer/2024/01/05/orricks-data-breach-was-bigger-than-previously-reported/?slreturn=20240016183309
  7. https://www.classaction.org/news/georgia-law-firm-to-blame-for-data-breach-affecting-19k-people-class-action-says
  8. https://www.law360.com/articles/1711096/smith-gambrell-can-t-shake-data-breach-suit-court-told
  9. https://www.law360.com/articles/1583774/smith-gambrell-hit-with-class-action-over-2021-data-breach
  10. https://news.bloomberglaw.com/business-and-practice/law-firm-cyberattacks-grow-putting-operations-in-legal-peril
  11. https://www.sgrlaw.com/georgia-supreme-court-looking-at-data-breach-liability/
  12. https://www.abajournal.com/news/article/law-firms-are-targeted-in-cyberattacks-and-hacking-lawsuits
  13. https://www.law360.com/articles/1683495/smith-gambrell-data-breach-suit-withdrawn-in-georgia
  14. https://www.law.com/americanlawyer/2023/09/28/orrick-data-breach-leads-to-another-class-action-investigation/?slreturn=20240016183308
  15. https://news.bloomberglaw.com
  16. https://www.sgrlaw.com/material-breach-and-the-consequences-of-being-wrong/
Breach Submission Date Sep 28, 2022
Converted Entity Name Smith, Gambrell & Russell, LLP
Converted Entity Type Business Associate
State GA
Individuals Affected 4,688
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes