[BreachExchange] Bansley and Kiener CPA firm sued over delayed breach notification, data theft

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Dec 27 11:25:21 EST 2021


https://www.scmagazine.com/analysis/breach/bansley-and-kiener-cpa-firm-sued-over-delayed-breach-notification-data-theft

A class-action lawsuit has been filed against certified public accountants
Bansley and Kiener (B&K), following its breach notice involving a data
theft and ransomware attack. The CPA firm provides payroll compliance
engagements for health, pension, and other benefit plans in the Midwest.

The ransomware was deployed on the B&K network in December 2020, prompting
incident response procedures. The computer security was upgraded following
the attack, once officials believed the attack was contained.

At the time, they found no evidence data was compromised. However, the firm
was notified in May that certain information was stolen prior to the
ransomware attack, including patient names and Social Security numbers,
which prompted yet another investigation.

B&K first discovered client-related health information had been exfiltrated
on May 24, but didn’t send the Health Insurance Portability and
Accountability Act notices until Dec. 20, far outside the 60-day timeframe
required by HIPAA.

Filed on Dec. 17 in the First Judicial Circuit Court of Cook County,
Illinois, the lawsuit sheds further light on the exfiltration incident and
alleged HIPAA violations. Gregg Nelson is seeking damages, injunctive
relief, and other equitable relief for himself and the more than 70,000
individuals impacted by the incident.

The lawsuit stems from the CPA firm’s “failure to properly secure and
safeguard personal identifiable information.”

According to the suit, the stolen data included unencrypted names, dates of
birth, SSNs, driver’s licenses or state-issued IDs, passports, tax ID
numbers, military IDs, financial accounts, payment card, and/or personal
health information.

The lawsuit argues that B&K failed to notify individuals impacted by the
data theft in a timely and accurate manner, and failed to disclose the full
extent of the data lost during the hack.

“In December 2020, B&K chose not to notify affected [individuals] or, upon
information and belief, its clients, of its data breach, instead choosing
to address the incident in-house by making upgrades to some aspects of its
computer security,” according to the lawsuit.

“It then simply resumed its normal business operations,” it added. “Over
five months later, on May 24, 2021, B&K learned that Class Members’ PII had
been ‘exfiltrated’ from its network. Only then did B&K finally retain a
cybersecurity firm to investigate this data breach.”

In August, the cybersecurity firm re-confirmed the theft, and yet, breach
notices were not sent to the impacted individuals until Dec. 3, 2021 —
nearly a full year after the initial hack was discovered. The lawsuit also
claims the hacking incident lasted for three and a half months, from Aug.
20, 2020, to Dec. 1, 2020, and that those details were not included in the
breach notification.

The lawsuit takes issue with the omitted details surrounding the delayed
notices, as well as the lack of specifics about the impacted data, which
put the individuals “at significant risk to identity theft and various
other forms of personal, social, and financial harm.”

The CPA firm is accused of failing to adequately protect consumers’
personal information, as well as failing to warn clients of its “inadequate
information security practices” and ineffective security monitoring of
vulnerabilities and incidents. The lawsuit argues that B&K’s “conduct
amounts to negligence and violates federal and state statutes.”

Further, “the risks to these persons will remain for their respective
lifetimes.” The lawsuit claims the individuals have already suffered injury
as a result of the data theft, including related out-of-pocket expenses,
lost opportunity costs tied to mitigating actual consequences of the
breach, loss of time to prevent fraud, charges tied to fraudulent back
charges, and continued risks tied to the incident.

The firm “disregarded the rights of [individuals] by intentionally,
willfully, recklessly, or at the very least negligently failing to take and
implement adequate and reasonable measures to ensure that its customers’
PII was safeguarded… failing to follow applicable, required and appropriate
protocols, policies and procedures regarding the encryption of data, even
for internal use,” according to the suit.