A lawsuit has been filed in the US District Court in Massachusetts by the medical device vendor Zoll against its IT service vendor Barracuda Networks, based in Campbell, CA. Allegedly, Barracuda Networks was responsible for botching a server migration, which caused the compromise of the protected health information (PHI) of 277,139 patients.
The breach involved archived emails that were being transferred to a new email archiving solution. A configuration problem resulted in the exposure of those email messages for longer than 2 months, from November 8, 2018 to December 28, 2018. The settings error was fixed, but Zoll did not receive any information regarding the breach until January 24, 2019. The breach investigation revealed that the exposed emails included the following patient information: names, contact data, dates of birth, medical data, and, for some patients, Social Security numbers.
Zoll contracted with a firm called Apptix – currently known as Fusion Connect – in 2012, under a business associate agreement, to supply hosted business communication solutions. Apptix subsequently signed a contract with a business named Sonian to deliver services including email storage. Barracuda Networks acquired Sonian in 2017.
According to the lawsuit, Barracuda Networks knew about the email breach on January 1, 2019. Its investigation showed that Barracuda Networks’ error left a data port open, exposing the email search functionality of the migration tool on a small part of the indices. The port stayed open for about 7 weeks before the error was identified and the port was closed. While the port was open, an unauthorized individual gained access to email data and “continually performed an automated search of the email archive.”
A breach of PHI of this sort has consequences for patients. Affected patients experienced injury and damages due to the exposure and theft of their personal and healthcare information. In April 2019, a case was filed against Zoll on behalf of the victims of the breach. Zoll sought indemnification from Apptix; however, the firm did not respond. That lawsuit has since been settled.
Besides the settlement and legal expenses incurred, Zoll expended internal and external resources on investigation and mitigation measures, issuance of breach notification letters to affected patients, and free access to services that shield patients against loss and harm. The lawsuit aims to recover those costs from Barracuda Networks.
Zoll claims that Barracuda Networks was negligent in failing to implement acceptable safeguards to secure Zoll’s data, and that Barracuda Networks did not fully support Zoll’s investigation. Zoll alleges that Barracuda Networks did not give the investigators access to its online environment and did not answer many of the investigators’ queries. Zoll states that Barracuda Networks did not provide information such as the dates on which PHI was compromised, the types of data compromised, and whether the attackers exfiltrated any data.
The lawsuit states that Barracuda Networks did respond to the breach and implemented additional security measures, policies and procedures to prevent the same events in the future, but that it breached its obligation to employ reasonable protections for Zoll’s information prior to the breach. Zoll additionally claims a breach of the implied warranty of merchantability, since the email archiving service was represented as secure for email archiving, yet security problems permitted unauthorized persons to access private archived data. Zoll furthermore alleges that the email archiving solution was flawed and not fit for its purpose, and that Barracuda Networks therefore breached the implied warranty of fitness for a particular purpose.