On November 6, 2020, another MSSP was served with a federal suit by a former client following a data breach. Zoll Medical Corporation filed suit in the United States District Court in Massachusetts against Barracuda Networks, Inc. and Sonian, Inc. after Zoll Medical suffered a data breach in 2018 that resulted in the protected health information (“PHI”) of over 277,000 patients being exposed to an unauthorized third party.
Zoll Medical manufactures medical devices such as resuscitation and acute critical care solutions like ventilators and defibrillators for hospitals and emergency medical personnel. It hired Apptix, Inc. and entered into a Business Associate Agreement therewith, which required Apptix to safeguard the PHI of Zoll Medical’s patients. In turn, Apptix hired defendant Sonian, which later merged with co-defendant Barracuda Networks, to perform data security services.
According to the complaint, Barracuda and Sonian (who advertise as data security experts) left a data port open in their own network, which then allowed unauthorized parties access to Zoll’s email communications and PHI. The data port remained open from November 8, 2018 until December 28, 2018, during which time the hacker consistently executed automated searches.
On January 8, 2019, Barracuda contacted Apptix to advise that “a very small number of user emails stored in Sonian’s EA solution were compromised as a result of unauthorized access to our system by a third party.” The federal court complaint further alleges that Barracuda discovered the incident, which was caused by human error, during a server migration on January 1, 2019.
Zoll Medical notified its subsidiaries of the breach and hired an independent forensics firm to investigate the matter, namely Kroll, Inc. Zoll Medical alleges that Barracuda failed to cooperate with Kroll in any manner but that Barracuda conducted its own investigation and implemented remediation practices. Zoll Medical notified the affected patients and offered them free credit and identity monitoring services to prevent identity theft.
On April 9, 2019, Zoll Medical was served with a class action lawsuit in West Virginia by the victims whose PHI was lost during the 2018 data breach. Zoll Medical demanded indemnification from Apptix, which was denied. Zoll Medical settled the class action.
As a result of the breach and follow-on lawsuits, Zoll Medical now asserts five civil claims against Barracuda and Sonian:
Negligence/Negligence Per Se;
Breach of Implied Warranty of Merchantability;
Breach of Implied Warranty of Fitness;
Breach of Written Contract – Third Party Beneficiary, for Barracuda and Sonian breaching their agreement with Apptix; and
Equitable Indemnity for the settlement with the data breach victims in West Virginia.
Zoll Medical is demanding reimbursement for the class action settlement, the costs of forensic services provided by Kroll, Inc., the cost of all data breach remediation and monitoring services provided to the victims, as well as all defense costs in the class action, and all injuries and damages sustained by Zoll Medical.
Moral of this federal complaint? Have an attorney negotiate and draft MSSP agreements with clients. Waivers of the warranties of merchantability and fitness should be in all MSSP/MSP contracts. Also, all contracts with vendors should contain no Stipulation pour autrui clauses (no third-party beneficiaries) and should include a disclaimer of any and all indemnities by the MSP/MSSP.