Zoll Takes Legal Action Against IT Vendor for Breach of 277,000 Records

The US District Court in Massachusetts filed a legal action on behalf of the medical device supplier Zoll against its IT service vendor Barracuda Networks in Campbell, CA. Purportedly, Barracuda Networks was at fault for botching a server migration that led to the breach of the protected health information (PHI) of 277,139 individuals.

The breach concerned archived emails that were being moved to a new email storage service. A configuration error exposed those email messages for over 2 months, between November 8, 2018 and December 28, 2020. The settings error was resolved, but Zoll was not notified of the breach until January 24, 2019. The breach investigation revealed that the exposed emails contained the following patient information: names, contact details, birth dates, health data, and, for a number of patients, Social Security numbers.

Zoll partnered with a business called Apptix, presently known as Fusion Connect, in 2012 and signed a business associate agreement for the delivery of hosted business communication services. Apptix subsequently contracted with a firm named Sonian to provide services that include email archiving. Barracuda Networks acquired Sonian in 2017.

According to the lawsuit, Barracuda Networks found out about the email breach on January 1, 2019. The investigation showed that Barracuda Networks made an error that left a data port accessible to anyone, which compromised the email search feature of the migration tool on a small section of the directories. The port remained open for approximately 7 weeks before the error was found and the port was secured. While the port was accessible, an unauthorized person accessed email information and ran repeated automated searches of the archive.

A PHI breach of this type has consequences for patients. Impacted patients sustained injury and problems because of the disclosure and theft of their private and healthcare data. In April 2019, legal action was filed against Zoll on behalf of individuals impacted by the breach. Zoll sought indemnity from Apptix, but the business didn't take action. The legal case has since been resolved.

Along with the settlement and legal costs incurred, Zoll spent internal and external resources on investigation and mitigation actions, on sending breach notification letters to impacted patients, and on free access to services that protect patients against loss and damage. The lawsuit attempts to recover those expenses from Barracuda Networks.

Zoll claims that Barracuda Networks was negligent in failing to implement reasonable safeguards to protect Zoll's information and that Barracuda Networks failed to fully assist with Zoll's investigation. Zoll states that Barracuda Networks did not provide the investigators with access to its web platform and didn't respond to many of the issues the investigators raised. Zoll said that Barracuda Networks did not give information about the dates when patient information was compromised, the types of data exposed, or whether the hackers exfiltrated any data.

The lawsuit says that Barracuda Networks did respond to the breach and put in place additional safety measures, policies and procedures to prevent similar occurrences in the future, but that it breached its responsibility to apply reasonable protections before the breach to safeguard Zoll data. Zoll likewise alleges a breach of the implied warranty of merchantability, because the email archiving solution was warranted to be appropriate for safe email archiving when in fact security vulnerabilities allowed unauthorized people to access sensitive archived information. Zoll further claims that the email storage service was defective and not fit for its purpose and that, as a result, Barracuda Networks breached the implied warranty of fitness for a particular purpose.