Medical Device Vendor Zoll Sues IT Firm Over Breach Affecting 277K

Barracuda Networks is being sued by its client Zoll, a medical device vendor, after a server migration error compromised the personal and medical data of 277,139 patients in 2018.

By Jessica Davis

Medical device vendor Zoll has filed a lawsuit in the US District Court of Massachusetts against IT service vendor Barracuda Networks, after an error during a server migration breached the personal and medical data of 277,139 patients in 2018.

Zoll initially contracted with Apptix in 2012 to provide hosted business communications solutions, entering into a business associate agreement with the entity in 2014. Apptix then contracted with a company called Sonian to provide various services, such as email archiving. Sonian merged with Barracuda Networks in 2017.

The complaint stems from a configuration error that occurred in late 2018 in the environment of Zoll's third-party vendor, which had been tasked with meeting Zoll's records retention and maintenance requirements.

However, a botched server migration exposed a trove of archived emails online for nearly two months between November 8 and December 28, 2018. The error was not revealed to Zoll until January 24, 2019. 

A review conducted with assistance from an external forensics firm determined that the compromised emails contained patient names, contact details, dates of birth, medical information, and, for some patients, Social Security numbers.

The lawsuit revealed that the error was not discovered by Barracuda Networks until January 1, 2019. Barracuda found the exposure occurred due to a network configuration error that externally exposed the email search function of the migration tool “on a very small portion of the indices.” 

The incident was a direct result of human oversight or error, the lawsuit explained. Notably, the breach was one of the largest reported in healthcare in 2019.

Filed on November 6, Zoll’s lawsuit claims Barracuda failed to implement adequate data security safeguards, which led to the inevitable exposure. 

“During a standard migration of data within Barracuda’s network environment, [the vendor] left open a data port, allowing an unauthorized third-party to access Zoll’s email communications containing patient health information and other confidential information,” according to the lawsuit.

The port remained open for more than seven weeks, and during that time, Zoll’s data was accessed by an unauthorized party “that consistently executed an automated search.” 

As a result of those failures, Zoll is now liable for injury and damages incurred by its patients as a result of the breach. Those costs include a settlement with the breach victims reached in April 2019; Zoll demanded indemnification from Apptix, but the company failed to respond.

The device vendor has also “expended internal and external resources to investigate and mitigate the data breach event, as well as provide adequate notifications to ZOLL Services’ patients under HIPAA and other data privacy laws.” 

“As a direct and proximate result of [Barracuda’s] negligence, ZOLL Services has suffered injuries and damages, including but not limited to the costs of defense, costs of investigation, mitigation and remediation, settlement costs and costs of providing data privacy services to its patients,” according to the lawsuit. 

The lawsuit also claimed that Barracuda refused to fully cooperate with Zoll’s investigation, declining to provide investigators with access to its online environment and declining to answer many of Zoll’s questions about the incident.

The filing also provided new insights into the breach, which were not previously disclosed to the public, including that the exposed data was accessed on multiple occasions. The lawsuit claimed Barracuda did not provide Zoll with the dates that the data was accessed, nor whether it was copied or exfiltrated. 

In response to the breach, the lawsuit explained that Barracuda took several actions to address flaws found in its product and processes. 

Those measures included changing processes to make data migrations smaller in order to more readily identify issues, adding cloud IP assets into its weekly vulnerability scanning processes, implementing a cloud security guardian for ongoing migrations to flag issues, and releasing a new archiving solution with enhanced security features. 
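The root cause described above (an internal search function of a migration tool left reachable from the internet) and the remedial steps (smaller migration batches, cloud IP assets added to weekly vulnerability scanning, a guardian that flags issues during migrations) translate naturally into a pre-migration exposure gate. The following is an added illustrative example written for this article; it is not code from Barracuda, Zoll, or the lawsuit. Everything in it is constructed: the asset inventory, the port policy (port 9200 stands in for a search/index API, 5432 for a database, 443 for the public front end), and the scan-scope list.

```python
"""
Added illustrative example (not from the article or from Barracuda/Zoll): a
pre-migration exposure check of the kind the remediation steps describe.

Assumptions (all constructed for this example):
  - an asset inventory lists each migration host, its public IP, and the
    ports its externally reachable firewall rules allow;
  - a service policy says which ports must stay internal-only
    (e.g. the migration tool's search/index API) and which may be public;
  - a separate list of IPs/CIDRs holds what the weekly vulnerability scan covers.
"""
from dataclasses import dataclass
import ipaddress

# Constructed policy: ports that must never be reachable from the internet on
# a migration host. 9200 stands in for a search/index API; 5432 for a database.
INTERNAL_ONLY_PORTS = {9200: "search/index API", 5432: "database"}
PUBLIC_ALLOWED_PORTS = {443: "HTTPS front end"}


@dataclass
class Asset:
    name: str
    public_ip: str
    open_ports: set          # ports reachable from outside per firewall rules
    in_migration: bool = False   # part of an active data migration batch


@dataclass
class Finding:
    asset: str
    kind: str
    detail: str


def check_exposures(assets, scan_scope):
    """Return findings for (a) internal-only services exposed externally,
    (b) unexpected ports outside the allowlist, (c) assets not covered by
    the weekly scan. scan_scope is an iterable of IP or CIDR strings."""
    networks = [ipaddress.ip_network(s, strict=False) for s in scan_scope]
    findings = []
    for a in assets:
        for port in sorted(a.open_ports):
            if port in INTERNAL_ONLY_PORTS:
                findings.append(Finding(a.name, "internal_service_exposed",
                    f"{INTERNAL_ONLY_PORTS[port]} ({port}) reachable on {a.public_ip}"))
            elif port not in PUBLIC_ALLOWED_PORTS:
                findings.append(Finding(a.name, "unexpected_port",
                    f"port {port} open on {a.public_ip} is not on the allowlist"))
        ip = ipaddress.ip_address(a.public_ip)
        if not any(ip in n for n in networks):
            findings.append(Finding(a.name, "not_in_scan_scope",
                f"{a.public_ip} is not covered by the weekly vulnerability scan"))
    return findings


def migration_may_proceed(assets, scan_scope):
    """Gate a migration batch: block it if any host in the batch has an
    exposed internal-only service or is missing from scan coverage."""
    blocking = {"internal_service_exposed", "not_in_scan_scope"}
    in_batch = {a.name for a in assets if a.in_migration}
    return not any(f.asset in in_batch and f.kind in blocking
                   for f in check_exposures(assets, scan_scope))


# Constructed sample inventory: one host mirrors the failure mode in the
# article (search API reachable from outside); one newly created cloud host
# was never added to the scan scope.
SAMPLE_ASSETS = [
    Asset("archive-web-1", "203.0.113.10", {443}),
    Asset("migrate-idx-1", "203.0.113.20", {443, 9200}, in_migration=True),
    Asset("migrate-idx-2", "198.51.100.7", {443}, in_migration=True),
]
SAMPLE_SCAN_SCOPE = ["203.0.113.0/24"]   # 198.51.100.7 is not covered

if __name__ == "__main__":
    for f in check_exposures(SAMPLE_ASSETS, SAMPLE_SCAN_SCOPE):
        print(f"[{f.kind}] {f.asset}: {f.detail}")
    print("migration may proceed:",
          migration_may_proceed(SAMPLE_ASSETS, SAMPLE_SCAN_SCOPE))
```

The gate deliberately treats a missing scan-scope entry as blocking rather than informational: a host that nobody scans is exactly the one where a mistakenly opened port goes unnoticed for weeks, which is the pattern the lawsuit describes.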

Despite these security enhancements, the lawsuit alleged that Barracuda breached its duties by failing to implement reasonable precautions and safeguards to protect data from disclosure to unauthorized parties prior to the incident.

The lawsuit also claimed a breach of implied warranty of merchantability. Zoll argued that in providing them with its email archiving product, Barracuda warranted that it would be suitable for a secure archiving process. 

However, Zoll claims the product’s security flaws permitted unauthorized parties to access the archived data, thus breaching “the implied warranty of merchantability.”

A third cause of action alleges that the email archiving product provided to Zoll was not fit for the purpose of email archiving due to its security flaws, and that in supplying the flawed product, Barracuda breached the implied warranty of fitness for a particular purpose.

The lawsuit also seeks to recover damages from Barracuda and/or its insurers, to recoup investigation, mitigation, and remediation costs associated with the breach, “as well as harm to their reputations with hospitals, prescribers and patients.”