Between April 1, 2020 and June 25, 2020, cybercriminals stole personal health information (PHI) and personally identifiable information (PII) from over 36,000 patients at the University of Pittsburgh Medical Center (UPMC). The hackers did not, however, obtain this information by hacking into UPMC. Instead, in 2020 they gained access to the email of one of UPMC’s law firms, Charles J. Hilton and Associates, an eight-member firm focused on billing-related services. The hackers have allegedly generated over $2,000,000 in fraudulent financial transactions. There is now a large class action lawsuit against both UPMC and the law firm over the breach. The lesson: law firms that lack good cybersecurity hygiene create cyber risk for corporate legal departments and their companies.