A Tale of Two Breach Lawsuits: Nuance Sued Following NotPetya Attack; Solara Medical Supplies Sued for Exposing Patient Data
Two vendors serving the healthcare sector have been targeted with breach-related lawsuits.
The 2017 NotPetya malware attack against medical transcription software vendor Nuance Communications has prompted a new lawsuit by one of its clients, which claims the malware spread to its systems, resulting in "millions in damages."
Meanwhile, another lawsuit seeking class action status targets Solara Medical Supplies, which was hit by a breach discovered in June that exposed data on more than 114,000 patients and employees. That suit alleges, among other claims, negligence and failure by Solara to protect personal and medical information.
"These lawsuits are poster children for two interrelated themes: First, that managed service providers are particularly attractive targets for threat actors, and need to take appropriate cybersecurity measures appropriate to the services they provide," says technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C.
"Second, health information remains extremely valuable, and if an MSP manages that information, the need for appropriate cybersecurity measures is heightened."
Neither Nuance nor Solara immediately responded to Information Security Media Group's requests for comment about the lawsuits.
Heritage Valley Health vs. Nuance
On Nov. 27, Beaver, Pa.-based Heritage Valley Health, an integrated healthcare delivery network, filed a suit against Burlington, Mass.-based Nuance. The lawsuit alleges that the 2017 NotPetya malware attack on Nuance spread into Heritage Valley's computer network through a server that Nuance - a Heritage vendor - operated (see: Sizing Up NotPetya's Impact in the U.S. Healthcare Sector).
Heritage Valley claims it has suffered "millions of dollars in damages as a result of Nuance's negligence, including not only substantial business income loss but also the required repair and restoration of computer network systems, a significant amount of employee overtime and compensation, professional and third-party fees incurred in connection with responding to and remediating the incident, and intangible economic harm including the loss of goodwill."
Heritage Valley says its attempts to engage Nuance in settlement negotiations have been unsuccessful.
In its lawsuit, Heritage Valley alleges Nuance fell victim to the NotPetya malware attack through "a trusted development partner in the Ukraine."
Ultimately, the NotPetya malware attack affected 14,800 Nuance servers, of which 7,600 had to be replaced, and it also affected 26,000 computer workstations of which 9,000 had to be replaced, the suit alleges.
Nuance's business connections in the Ukraine and negligent information security practices led to the spread of NotPetya malware to numerous customers, including Heritage Valley, the lawsuit alleges.
"The outbreak ultimately affected a majority of Heritage Valley's servers and workstations by encrypting the file system and files, making the operating systems unbootable and the files contained on the drives inaccessible," the lawsuit states.
A forensics analysis from two independent data sources showed that the malware entered Heritage Valley's systems through a trusted virtual private network connection with Nuance, the lawsuit argues.
Some experts say the attack on Nuance spotlights the critical security risks that certain vendors can pose to their customers' operations.
"It should be kept in mind that managed service providers do not fall into the typical vendor of goods and services category," Teppler says.
"It follows that the primary consideration here is that Nuance is a managed service provider, and as such, the tendrils into clients' systems will likely run deep, escalating risks to the MSP client," he says.
The security risks posed by vendors can also potentially intensify when those vendors acquire other companies, Teppler adds.
"A preventive measure would entail, for any master service agreement, the inclusion of an appropriately worded information security addendum providing for not only the service of the MSP, but also of any of the MSP's acquisitions," he says.
Documentation and review in connection with any acquisition should include cybersecurity assessment; access controls; entitlement/privilege; information security program/incident response and notification to the client; password management and authentication controls; network security and monitoring; threat vulnerability management and security testing; certification and audit; and appropriate cyber insurance that covers the pre-acquisition period, Teppler suggests.
Lawsuit Against Solara Medical Supply
The second new breach-related lawsuit - filed Nov. 29 against Solara Medical Supplies - seeks class action status. It was filed on behalf of Juan Maldonado, a patient who used Solara medical devices to manage a health condition.
Solara reported to the Department of Health and Human Services on Nov. 13 a hacking/IT incident affecting more than 114,000 individuals, according to the HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website.
Maldonado was among the individuals notified by Solara that his name, date of birth, medical information and health insurance information were compromised in the data breach, according to court documents.
Maldonado in his lawsuit against Chula Vista, Calif.-based Solara alleges that as a result of the company's data breach, his and other victims' personal and medical information "is now in the hands of cybercriminals ... [putting them] imminently at risk of crippling identity theft and fraud."
In its notification statement, Solara says that on June 28, the company determined that "an unknown actor" gained access to a limited number of employees' Office 365 accounts from April 2 to June 20 as a result of a phishing email campaign.
The incident compromised current and former patient and employee information, Solara says, including names, addresses, dates of birth, Social Security numbers, employee identification numbers, medical information, health insurance information, financial information, payment card information, driver's license data, state ID data and passport information.
Among other allegations, the lawsuit against Solara claims that while the company notified impacted individuals in November, the risk to those individuals started months earlier - in June, when Solara discovered the incident.
The lawsuit states: "Despite knowing many patients were in danger, the defendant did nothing to warn breach victims until over four months later. During this time, the cybercriminals had free rein to defraud their unsuspecting victims."
The lawsuit is seeking "appropriate monetary relief, including actual damages, punitive damages, attorney fees, and such other and further relief as is just and proper."
'Failures' to Secure Data
The two newly filed breach-related lawsuits are both based on allegations of failure to secure protected health information, says independent HIPAA attorney Paul Hales.
"Maldonado takes advantage of California laws that authorize a private right to sue but also follows the now common practice of citing HIPAA as a 'professional standard of care' that Solara is alleged not to have met," he says. "Solara is subject to HIPAA as a supplier of medical equipment and supplies, not as a business associate."
On the other hand, Nuance is a BA that provided services to Heritage Valley Health that involved access to PHI, he says.
"HIPAA is not mentioned in the [Nuance] lawsuit, which is based on claims of negligence, implied contract and unjust enrichment. However, the negligence claims describe failure to meet BA standards required by the HIPAA Security Rule."
The issues raised in the two lawsuits point to the need for healthcare organizations to perform risk-based assessments of vendors' information security practices, says privacy attorney David Holtzman of the security consultancy CynergisTek.
"The more access an organization has to your information system or the sensitivity of the data, the more comprehensive and thorough the examination," he says.
Business associates have an obligation to perform an evaluation of information security threats and vulnerabilities created by changes to their operations or environment, Holtzman adds.
"Uncontrolled or poorly managed changes can lead to the vulnerabilities that allow introduction of malware or other types of cybersecurity incidents that expose data to the internet," he says.
Hales says rapidly growing companies such as Nuance "must thoroughly examine security practices of potential acquisitions and have strong compliance controls in place for all subsidiaries. Healthcare providers like Heritage Valley Health must perform initial and ongoing due diligence to confirm BA HIPAA compliance and have a current business associate agreement in place."
Holtzman offers a similar assessment.
"It is a best practice to perform due diligence to assess the state of the security of information systems of organizations being acquired before integrating them into the acquiring organization's enterprise," he says.
Regulatory attorney Marti Arvin of security consulting firm CynergisTek offers additional advice to help prevent organizations - as well as their clients - from falling victim to cyberattacks and the legal headaches that can follow.
"They need to have a mature cybersecurity infrastructure which would likely include good intrusion detection, appropriate data segregation, effective workforce training and other measures as delineated in documents like the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity. This would minimize the likelihood of a cyber incident."