Breach analysis · Patient Protect
Outside counsel holds PHI too: vendor risk management when law firms get breached
When your outside counsel holds patient data, their breach is your breach — here's how to manage vendor risk before a law firm incident triggers your notification clock.
What this incident exposes
Professional services firms — law firms, billing companies, transcriptionists — sit in a blind spot for many independent practices. They hold protected health information, they qualify as business associates under HIPAA, and they are rarely subject to the same vendor scrutiny as clinical software vendors. The breach of Orrick, Herrington & Sutcliffe LLP, in which Silent Ransom Group gained unauthorized access and publicly leaked data in January 2026, makes that blind spot visible. Because the initial access vector appears to have been social engineering rather than a software vulnerability, technical controls at the firm level were only part of the story — and the covered entities whose PHI Orrick may have held had no direct control over any of those defenses.
The compliance gap here is not exotic. Under 45 C.F.R. § 164.314, covered entities are responsible for ensuring their business associates implement adequate safeguards. Under the Breach Notification Rule at 45 C.F.R. § 164.410, a breach at a business associate can start a covered entity's 60-day notification clock regardless of where the intrusion occurred. If you cannot name which outside legal or professional services vendors hold copies of your patients' data today, a third-party incident creates an unmanageable response problem.
First reported in HIPAA Pulse → https://hipaapulse.com/silent-ransom-group-breached-orrick-herrington-and-sutcliffe-exposing-client-data-held-b4a0043a
The HIPAA Security Rule provision in play
The primary provision is § 164.314(a) — Business Associate Contracts and Other Arrangements, which requires covered entities to obtain satisfactory assurances that business associates will appropriately safeguard PHI. Closely related: § 164.308(b), which requires written contracts with business associates covering required Security Rule safeguards. When PHI transits to an outside vendor — legal counsel included — the covered entity's obligation to document and periodically verify those assurances does not transfer with the data.
How Patient Protect addresses this
- BAA Management tracks which vendors have signed, current business associate agreements. An incomplete or lapsed BAA with outside legal counsel is both a compliance gap and a notification-risk gap. Patient Protect surfaces missing and expiring agreements before an incident forces the question.
- Vendor Risk Scanner extends oversight beyond the BAA document itself, helping practices assess whether third-party partners present ongoing exposure — appropriate due diligence that OCR guidance explicitly encourages.
- Information Systems Inventory maintains a current record of where PHI travels outside practice systems. Knowing which vendors hold patient data is a prerequisite for responding effectively when a third-party incident is reported.
- Office Training (80+ modules) addresses the human-layer failure that incidents like this often exploit. SRG's documented method relies on employees completing a social engineering sequence; workforce training that includes phishing awareness reduces the likelihood that an employee completes that sequence, at every organization in the data chain.
- Security Risk Assessment (SRA) ensures third-party data-sharing arrangements are factored into the practice's periodic risk analysis, not treated as outside its scope.
Practical next steps
- Audit every active outside vendor relationship — legal counsel included — and confirm a current, signed BAA exists for each one that touches PHI.
- Ask legal and professional services vendors directly for a summary of their security practices and incident response procedures; this is reasonable HIPAA due diligence, not an unusual request.
- Document a written protocol for what your practice will do if a business associate reports a breach — including who is notified, who makes the regulatory determination, and when the 60-day clock starts.
- Assign a staff member to complete phishing-awareness training this week; social engineering threats are workforce-layer problems, not IT-only problems.
- Update your information systems inventory to include non-clinical vendors holding PHI, so a third-party incident does not require building that map under pressure.
Try Patient Protect
- Start a free trial at hipaa-port.com → https://hipaa-port.com
- Run a free Security Risk Assessment at patient-protect.com/risk-assessment → https://patient-protect.com/risk-assessment
This commercial companion is published by Patient Protect and may be co-written with editorial AI assistance, drawing on the source HIPAA Pulse article.
