(Reuters) - New York Attorney General Letitia James said Monday that midsize law firm Heidell, Pittoni, Murphy & Bach has agreed to pay $200,000 to the state over data security lapses that led to a 2021 data breach.

An investigation into the breach, which compromised the private data of nearly 115,000 hospital patients, including more than 61,000 New Yorkers, found the law firm failed to comply with health information privacy and security rules and state law, the New York attorney general's office said.

The Heidell firm represents hospitals and hospital networks in litigation and has electronic health information and other data related to patients of its clients, the New York attorney general's office said.

The law firm neither admitted nor denied the allegations as part of the agreement.

In response to a request for comment, the firm provided an update on the cybersecurity incident that said it "does not have any evidence to indicate that any personal information has been or will be misused as a result of this incident." The firm said the incident exposed the Social Security numbers of less than one percent of the individuals, and the affected data was "largely limited" to names and birth dates.

Law firms and other legal services providers that hold sensitive and confidential data have increasingly faced cybersecurity attacks involving their clients' data and their own business information.

Heidell, Pittoni, Murphy & Bach has 85 lawyers in four offices in New York and Connecticut, according to its website. It primarily handles medical and products liability defense, healthcare law, civil rights and general and commercial litigation.

In late 2021, an attacker exploited vulnerabilities in the firm's Microsoft email server, gained access to its systems and later deployed malware and took files from the firm's systems, James' office said. The firm had left its server exposed to attack by failing to apply the patches for those vulnerabilities, which Microsoft had released several months earlier, it said.

A cybersecurity firm the law firm hired to conduct a forensic investigation got a list of "tens of thousands" of files the attackers claimed to have taken, including legal pleadings, patient lists and medical records the firm had in connection with litigation, the office said.

The Heidell firm paid a $100,000 ransom in exchange for the return and deletion of the data "but was not provided evidence the data was deleted," it said. An analysis showed information including names, birth dates, Social Security numbers and health data may have been exposed. The firm started to notify affected people in May 2022.

