[BreachExchange] Medical Device Vendor Zoll Sues IT Firm Over Breach Affecting 277K

Destry Winant destry at riskbasedsecurity.com
Thu Nov 12 10:57:57 EST 2020


https://healthitsecurity.com/news/medical-device-vendor-zoll-sues-it-firm-over-breach-affecting-277k

November 12, 2020 - Medical device vendor Zoll filed a lawsuit with
the US District Court of Massachusetts against IT service vendor
Barracuda Networks, after an error during a server migration breached
the personal and medical data of 277,139 patients in 2018.

Zoll initially contracted with Apptix in 2012 to provide hosted
business communications solutions, entering into a business associate
agreement with the entity in 2014. Apptix then contracted with a
company called Sonian to provide various services like email
archiving. Sonian merged with Barracuda Networks in 2017.

The complaint stems from a configuration error that occurred in late
2018 in the environment of Zoll's third-party vendor, which was tasked
with records retention and maintenance requirements.

However, a botched server migration exposed a trove of archived emails
online for nearly two months between November 8 and December 28, 2018.
The error was not revealed to Zoll until January 24, 2019.

A review led with assistance from an external forensics firm
determined that the compromised emails contained patient names,
contact details, dates of birth, medical information, and, for some
patients, Social Security numbers.

The lawsuit revealed that the error was not discovered by Barracuda
Networks until January 1, 2019. Barracuda found the exposure occurred
due to a network configuration error that externally exposed the email
search function of the migration tool “on a very small portion of the
indices.”

The incident was a direct result of human oversight or error, the
lawsuit explained. Notably, the breach was one of the largest reported
in healthcare in 2019.

Filed on November 6, Zoll’s lawsuit claims Barracuda failed to
implement adequate data security safeguards, which led to the
inevitable exposure.

“During a standard migration of data within Barracuda’s network
environment, [the vendor] left open a data port, allowing an
unauthorized third-party to access Zoll’s email communications
containing patient health information and other confidential
information,” according to the lawsuit.

The port remained open for more than seven weeks, and during that
time, Zoll’s data was accessed by an unauthorized party “that
consistently executed an automated search.”

As a result of those failures, Zoll is now liable for injury and
damages incurred by its patients as a result of the breach. Those
costs include a settlement with the breach victims reached in April
2019, as Zoll demanded indemnification from Apptix, but the company
failed to respond.

The device vendor has also “expended internal and external resources
to investigate and mitigate the data breach event, as well as provide
adequate notifications to ZOLL Services’ patients under HIPAA and
other data privacy laws.”

“As a direct and proximate result of [Barracuda’s] negligence, ZOLL
Services has suffered injuries and damages, including but not limited
to the costs of defense, costs of investigation, mitigation and
remediation, settlement costs and costs of providing data privacy
services to its patients,” according to the lawsuit.

The lawsuit also claimed that Barracuda refused to fully cooperate
with their investigation, declining to provide investigators with
access to its online environment and declining to answer many of
Zoll’s questions about the incident.

The filing also provided new insights into the breach, which were not
previously disclosed to the public, including that the exposed data
was accessed on multiple occasions. The lawsuit claimed Barracuda did
not provide Zoll with the dates that the data was accessed, nor
whether it was copied or exfiltrated.

In response to the breach, the lawsuit explained that Barracuda took
several actions to address flaws found in its product and processes.

Those measures included changing processes to make data migrations
smaller in order to more readily identify issues, adding cloud IP
assets into its weekly vulnerability scanning processes, implementing
a cloud security guardian for ongoing migrations to flag issues, and
releasing a new archiving solution with enhanced security features.

Despite these security enhancements, the lawsuit alleged that
Barracuda breached their duties by failing to implement reasonable
precautions and safeguards to protect data from disclosure to
unauthorized parties prior to the incident.

The lawsuit also claimed a breach of implied warranty of
merchantability. Zoll argued that in providing them with its email
archiving product, Barracuda warranted that it would be suitable for a
secure archiving process.

However, they claim the product’s security flaws permitted
unauthorized parties to access the archived data, thus breaching “the
implied warranty of merchantability.”

A third cause of action alleges the email archiving product provided
to Zoll was not fit for the purpose of email archiving due to its
security flaws and that, in providing the flawed product, Barracuda
breached the implied warranty of fitness for a particular purpose.

The lawsuit also seeks to recover damages from Barracuda and/or its
insurers, to recoup investigation, mitigation, and remediation costs
associated with the breach, “as well as harm to their reputations with
hospitals, prescribers and patients.”
