Between February 28 and March 13, 2023, cybercriminals gained unauthorized access to parts of the Orrick network, including file sharing systems containing client-related files. Orrick said no further unauthorized activity was observed after the security incident was discovered on March 13.
Orrick’s analysis of the exposed files revealed that the hack compromised personal information about Orrick’s clientele. From June 2023, notification letters are being sent to affected individuals, some of whom were customers of the companies affected by the data breach. This information was provided to Orrick to facilitate the provision of legal advice to these businesses.
Compromised personal data included names, addresses, dates of birth, social security numbers, driver’s licenses, other government identification numbers, passport numbers, email addresses, financial account details, taxpayer identification numbers, medical information, health insurance and provider information, online -account information and credit and debit card numbers.
In response to the breach, Orrick implemented additional security measures and tools led by third-party experts to continually improve the security of its network. The company was not aware of any misuse of personal data.
Orrick told the Maine Department of Justice that approximately 638,000 people affected by the incident are customers of Carelon (formerly Beacon Health Options), Delta Dental, iMed Vision Care, Multiplan and the US Small Business Administration.
In December, Orrick reached a preliminary settlement in four class-action lawsuits related to the data breach, according to Reuters. Founded in San Francisco in 1863, Orrick Law Firm provides transactional, litigation and regulatory counsel to financial, government, infrastructure, technology and other types of organizations.