Medical Device Maker Sues a Subcontractor After Misconfiguration Incident
A medical device maker has sued an IT vendor in the wake of an email server migration mishap that exposed the health data of more than 277,000 individuals. The case illustrates the complexities of vendor risk management – especially after mergers and acquisitions.
In its lawsuit, Zoll Medical Corp. alleges that Campbell, Calif.-based Barracuda Networks was negligent in “failing to take reasonable precautions and safeguards” to protect Zoll’s data from disclosure to unauthorized third parties.
Zoll says that in 2012, it contracted with Apptix, Inc. – now Fusion Connect – to provide hosted business communications solutions.
In the course of performing its obligations, Apptix engaged another vendor, Sonian Inc., which subsequently merged with Barracuda Networks, Zoll says in the lawsuit.
“During a standard migration of data within [Barracuda’s] network environment, [Barracuda] left open a data port, allowing an unauthorized third party to access [Zoll’s] email communications containing patient health information and other confidential information,” Zoll alleges in its lawsuit.
The lawsuit alleges that Barracuda left the data port open from Nov. 8 through Dec. 28, 2018.
“During this time, plaintiff’s data was accessed by an unauthorized party that consistently executed an automated search. As a result of Barracuda’s failure to implement adequate security safeguards, Zoll Services is now liable to its patients for any injury and/or damages resulting from the data breach event,” Zoll alleges.
Class Action Lawsuit Settlement
Zoll’s complaint against Barracuda also notes that on April 9, 2019, a class action lawsuit against Zoll was filed in the Circuit Court of Kanawha County, West Virginia by individuals alleging that their PHI had been compromised in the data breach.
“When that action was filed, Zoll demanded indemnification from Apptix, but Apptix failed to respond,” Zoll says in its complaint. That lawsuit has been settled, with Zoll responsible for payment of damages to the class members, the medical device firm notes.
Zoll’s complaint against Barracuda does not specify the amount that Zoll is seeking from the network vendor or the amount that Zoll agreed to pay in its West Virginia class action lawsuit settlement.
Zoll did not immediately reply to Information Security Media Group’s request for additional details.
In its lawsuit against Barracuda, Zoll says it “has suffered investigation, mitigation and remediation costs associated with the incident, as well as harm to its reputation with hospitals, prescribers and patients.”
Barracuda declined to comment on the lawsuit and Apptix, now Fusion Connect, did not immediately respond to a request for comment.
The Breach Report
Zoll reported the mishap on March 18, 2019 as a hacking/IT incident affecting more than 277,300 individuals, according to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals.
In a March 2019 statement about the incident, Zoll noted that its email was archived by a third-party service provider to comply with record retention and maintenance requirements, policies and procedures.
“During a server migration, some data from Zoll emails was exposed,” the company said. Information potentially exposed included patient names, addresses, dates of birth and limited medical information. A small percentage of patients also had Social Security numbers exposed, Zoll said in the statement.
Third-Party Risk Management
HIPAA attorney Paul Hales of Hales Law Group, who is not involved in the Zoll case, notes that the lawsuit illustrates the importance of keeping service level agreements and business associate agreements current and performing ongoing due diligence investigations of third parties entrusted with protected health information.
“Zoll’s current claim against Barracuda and Sonian is rooted in a tangled history of business mergers and subcontracts,” he notes. “The devil is in details that are yet to be made clear.”
“At each step someone should have paid attention to due diligence of new vendors, terms of service level agreements and BAAs, indemnification provisions and insurance coverage.”
“Covered entities need to do a better job of due diligence when engaging vendors and during the course of the relationship,” notes regulatory attorney Marti Arvin of the security and privacy consultancy CynergisTek. “Too many covered entities are in a trust mode rather than a trust but verify mode when it comes to vendor due diligence.”
Privacy attorney David Holtzman of consultancy HITprivacy offers a similar assessment.
“Look carefully at the information security and privacy safeguards that a prospective vendor has in place when outsourcing a service that will create or maintain healthcare data,” he suggests. “Review the risk assessment and risk management plans for each vendor so that you can know going into your vendor selection process which vendors have the information security strategy that best fits your needs and expectations.”
The HHS Office for Civil Rights’ HIPAA breach reporting website is littered with other reports of incidents involving IT misconfigurations.
“Investigations into unauthorized access to consumer information due to the misconfiguration of web servers, firewalls and file transfer protocol sites can be traced back to the lack of policies and procedures for changes to information systems … which interferes with information security technologies that had been put into place to safeguard sensitive data,” Holtzman says.
“It is crucial for organizations that handle sensitive personally identifiable information to put into place change management policies and procedures that include the testing of the security of the information system before putting the system into production.”
Vulnerability scans can help identify open ports and help avoid mishaps like the one in Zoll’s data breach, Arvin notes.
“Data loss prevention software, if appropriately configured, might have caught the data leakage earlier and minimized the breach. Newer technologies are also available that allow organizations to check on and verify that controls are still in place and operating as intended.”
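The checks Holtzman and Arvin describe (testing before production, scanning for open ports, verifying that controls are still in place) come down to comparing what a host actually exposes against what the change record says it should expose, and doing so on every run rather than weeks later. The script below is an added example written for this article, not code from Zoll, Barracuda, Apptix or any other party named here. It parses text in the shape of Linux `ss -Hltn` output (the sample lines are constructed, not a capture from any real system), compares each listener against a hypothetical approved baseline, and carries a first-seen date forward between runs so a report states how long an unapproved port has been open.

```python
"""Listening-port drift check: compare a host's listeners against an approved
baseline so a socket left open during a migration is flagged on the first run.

Added example for this article; not code from any party it names. Everything
below is constructed: the sample `ss -Hltn` text, the APPROVED baseline, the dates.
"""
from dataclasses import dataclass
from datetime import date
import re

# Constructed sample in the shape of `ss -Hltn` output on Linux
# (state, recv-q, send-q, local address:port, peer address:port).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      128          0.0.0.0:9200       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
"""

# Hypothetical post-migration baseline taken from the change record:
# every (bind address, port) pair that is supposed to be listening.
APPROVED = {
    ("0.0.0.0", 22),
    ("[::]", 22),
    ("127.0.0.1", 5432),
    ("0.0.0.0", 443),
}

# One `ss` line: state, two queue counters, local addr:port, peer addr:port.
# `\S+` is greedy, so an IPv6 local address like "[::]:22" splits at the last colon.
_LINE_RE = re.compile(r"^\s*LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*$")


@dataclass(frozen=True, order=True)
class Listener:
    address: str
    port: int

    @property
    def reachable_from_network(self) -> bool:
        """Wildcard binds answer on every interface; loopback binds do not."""
        return self.address in {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(output: str) -> list[Listener]:
    """Turn raw `ss -Hltn` text into Listener records, skipping malformed lines."""
    listeners = []
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2))))
    return listeners


def find_drift(listeners: list[Listener], approved: set) -> list[Listener]:
    """Listeners present on the host but absent from the approved baseline."""
    return sorted(l for l in listeners if (l.address, l.port) not in approved)


def track_first_seen(previous: dict, drift: list[Listener], today: date) -> dict:
    """Keep the first-seen date of drift that persists across runs, stamp new
    drift with today's date, and drop drift that has since been remediated."""
    return {l: previous.get(l, today) for l in drift}


def report(state: dict, today: date) -> list[str]:
    """Findings with network-reachable drift first and the exposure window in
    days, so reviewers see how long a port has been open, not just that it is."""
    lines = []
    for l in sorted(state, key=lambda x: (not x.reachable_from_network, x)):
        days = (today - state[l]).days
        severity = "EXPOSED" if l.reachable_from_network else "review"
        lines.append(f"{severity}: {l.address}:{l.port} not in baseline, open {days} day(s)")
    return lines


if __name__ == "__main__":
    # Constructed run: the same drift was first recorded on 2018-11-08 and is
    # still present when the check runs again on 2018-12-28.
    previous_state = {Listener("0.0.0.0", 9200): date(2018, 11, 8)}
    drift = find_drift(parse_ss(SAMPLE_SS_OUTPUT), APPROVED)
    state = track_first_seen(previous_state, drift, date(2018, 12, 28))
    print("\n".join(report(state, date(2018, 12, 28))) or "no drift")
```

In practice the `previous` dictionary would be persisted between scheduled runs and the baseline would be generated from the approved change request, so the report doubles as evidence that the pre-production test was done and that the control is still in place afterwards. Binding classification is deliberately conservative: anything not bound to loopback is treated as reachable, since a host firewall that should block it is exactly the kind of control a migration can silently undo.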