Zoll Sues IT Vendor for 277,000-Record Server Migration Data Breach

A lawsuit has been filed in the US District Court in Massachusetts by the medical device vendor Zoll which alleges its IT service vendor, Campbell, CA-based Barracuda Networks, was negligent for botching a server migration which resulted in the exposure of the protected health information of 277,139 patients.

The breach in question involved archived emails that were being migrated to a new email archiving service. A configuration error resulted in the exposure of those emails for more than 2 months between November 8, 2018 and December 28, 2020. The configuration error was corrected, but Zoll was not informed about the breach until January 24, 2019. The breach investigation revealed the exposed emails contained patient information such as names, contact information, birth dates, medical information, and for certain patients, Social Security numbers.

Zoll had contracted with a company called Apptix – now Fusion Connect – in 2012 and entered into a business associate agreement to provide hosted business communication solutions. Apptix then entered into a contract with a company called Sonian to provide services such as email archiving. Sonian was acquired by Barracuda Networks in 2017.

According to the lawsuit, Barracuda Networks learned of the breach on January 1, 2019. Its investigation revealed an error had been made and a data port had been left open, which exposed the email search function of the migration tool on a small portion of the indices. The port remained open for almost 7 weeks before the error was identified and the port was closed. While the port was open an unauthorized individual gained access to email data and “consistently executed an automated search of the archive.”

A breach of protected health information of this nature has implications for patients. Affected patients suffered injury and damages as a result of the exposure and theft of their personal and healthcare data. A lawsuit was filed against Zoll in April 2019 on behalf of patients affected by the breach. Zoll sought indemnification from Apptix; however, the company did not respond. The lawsuit has since been settled.

In addition to settlement and legal costs incurred, Zoll expended internal and external resources investigating and mitigating the breach, sending breach notification letters to affected patients, and providing free access to services to protect patients against loss and harm. The lawsuit seeks to recover those costs from Baracuda Networks.

Zoll alleges Barracuda Networks was negligent for failing to implement reasonable precautions and safeguards to protect Zoll’s data and that Barracuda Networks did not fully cooperate with Zoll’s investigation. Zoll alleges its investigators were not provided with access to Barracuda Networks’ online environment and that many of the investigators’ questions were not answered. Zoll said it was not told the dates when patient data was exposed, the types of data accessed, and whether any information had been exfiltrated by the attackers.

The lawsuit states that Barracuda Networks did respond to the breach and implemented additional safeguards, policies and procedures to prevent similar incidents from occurring in the future, but breached its duties to implement reasonable protections prior to the breach to protect Zoll data. Zol also alleges a breach of implied warranty of merchantability, as the email archiving solution was warranted to be suitable for secure email archiving, when security flaws allowed unauthorized individuals to access confidential archived data. Zoll also alleges the email archiving solution was flawed and not fit for purpose and consequently Barracuda Networks breached the implied warranty for fitness for a particular purpose.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.