Business Associate Sued By HIPAA-Covered Entity over Alleged HIPAA Security Rule Failures
A HIPAA-covered entity is suing one of its business associates over an alleged failure to comply with the terms of its business associate agreement (BAA), including not implementing appropriate HIPAA Security Rule safeguards. Molecular Testing Labs (MTL), a Vancouver, Washington-based laboratory specializing in precision laboratory diagnostics, discovered on March 12, 2025, that patient data had been compromised in a cyberattack on its managed service provider business associate, Ntirety. According to MTL’s investigation, a cybercriminal group, potentially of Russian origin, breached Ntirety’s network in a ransomware attack.
MTL conducted a forensic investigation and determined that there were “significant deficiencies, shortcomings, and omissions” in Ntirety’s security practices and procedures, which were exploited by the threat actor to access its computer systems and sensitive MTL data. Further, as a result of the ransomware attack, Ntirety was unable to provide material support to MTL for several weeks, and when support was provided, it was conducted “slowly and incompetently.” MTL claims that the BAA required Ntirety to provide support to MTL and assist with the response to the breach and help mitigate harmful effects; however, Ntirety told MTL that any such services would incur a charge.
MTL entered into a business associate agreement with Ntirety in September 2018. The terms of the BAA required Ntirety to establish and implement appropriate safeguards for any protected health information handled by the firm in connection with the services it provided to MTL, and those safeguards were also a requirement of the HIPAA Security Rule. MTL’s forensic investigation uncovered evidence that HIPAA Security Rule safeguards had not been implemented.
As reported by Roma Petel of the law firm Robinson & Cole LLP, MTL stated in the lawsuit that expenses have been or will be incurred related to the forensic investigation, breach notifications, credit monitoring services, remediation efforts, potential regulatory actions, and defending potential litigation costs, should the breach victims take legal action over the data breach. Also at issue is the BAA’s indemnification provision, whereby Ntirety is required to indemnify, defend, and hold harmless MTL against losses and expenses incurred as a result of a data breach caused by Ntirety’s negligence. MTL has sent formal demands for indemnification but has not received a substantive response from Ntirety; therefore has opted to take legal action over the matter.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
