Breach Lawsuit Spotlights Complex Vendor Issues


Medical Device Maker Sues a Subcontractor After Misconfiguration Incident

Marianne Kolbasuk McGee (HealthInfoSec) • November 11, 2020

A medical device maker has sued an IT vendor in the wake of an email server migration mishap that exposed the health data of more than 277,000 individuals. The case illustrates the complexities of vendor risk management - especially after mergers and acquisitions.

In its lawsuit, Zoll Medical Corp. alleges that Campbell, Calif.-based Barracuda Networks was negligent in "failing to take reasonable precautions and safeguards" to protect Zoll's data from disclosure to unauthorized third parties.

Zoll says that in 2012, it contracted with Apptix, Inc. - now Fusion Connect - to provide hosted business communications solutions.

In the course of performing its obligations, Apptix engaged another vendor, Sonian Inc., which subsequently merged with Barracuda Networks, Zoll says in the lawsuit.

"During a standard migration of data within [Barracuda's] network environment, [Barracuda] left open a data port, allowing an unauthorized third party to access [Zoll's] email communications containing patient health information and other confidential information," Zoll alleges in its lawsuit.

The lawsuit alleges that Barracuda left the data port open from Nov. 8 through Dec. 28, 2018.

"During this time, plai ..