A New York lawyer is learning a hard lesson in cybersecurity after criminals broke into her AOL email and used it to trick her wealthy real estate clients into wiring nearly $2 million to Chinese hackers. Now, those clients are suing the lawyer for malpractice.
In a lawsuit filed on Monday, New York City couple Robert and Bethany Millard accuse their former lawyer, Patricia Doran, of failing to take basic steps to secure her computer and protect them from an elaborate wire fraud.
According to the complaint, AOL (VZ) email accounts are “notoriously vulnerable” to hacking, yet Doran relied on AOL for sensitive communications involving the Millards’ purchase of a $19,380,000 condo. These allegedly poor security practices allowed hackers to impersonate Doran, according to the filing, tricking the Millards with a series of emails that persuaded them to wire a $1.9 million deposit into a fraudulent bank account.
The Millards claim Doran should have done more to protect her email:
The lack of basic cybersecurity measures or awareness also meant that this hack was not detected by Doran. These cybercriminals then learned when and how the Millards intended to pay for the Apartment, knowledge that permitted them to pose as the seller’s attorneys and thereby steal the Millards’ money.
The couple also claims Doran failed to detect a fake confirmation email from the scammers even though it contained several “red flags,” including misspelling of attorney names and a message that it would be impossible to reach the sellers’ lawyers. Doran did not spot the fraud, the suit notes, but instead simply forwarded the email to the Millards. Nor, the plaintiffs say, did she react upon receiving a fax from the seller’s real attorneys that mentioned the contract would not be complete until receipt of a down payment.
The couple says they learned about the fraud from the bank a day after they transferred the money, at which point they informed Doran of what had happened.
The Millards were able to recover most of the stolen money, except for $196,200, which they say has vanished forever into a Chinese bank account. They are asking the court to order Doran, who did not respond to a voicemail request for comment, to make up that amount and to pay punitive damages as well as various legal fees.
It is hard not to feel for Doran in this situation. It was a sophisticated scam, and she is hardly the only lawyer in the country behind the curve when it comes to cybersecurity.
Still, in the age of data breaches, every law firm should be taking steps to harden its computer defenses—and better management of email accounts is only the first step.