An IT consulting firm sued in federal court over data breaches says it is not at fault. Instead, the company is blaming its managed service providers (MSPs) for failing to secure their networks and exposing them to a breach that affected more than 1 million people.
Berry Dunn McNeil & Parker, an IT and accounting consultancy based in Portland, Maine, that operates a healthcare data analytics business, is blaming Reliable Networks, an MSP based in Biddeford, Maine. At issue is the failure of Reliable's Health Analytics Practice Group (HAPG) to protect the 1.1 million pieces of personally identifiable information (PII) it stores. Approximately 3,100 Maine residents were affected by the security breach.
BerryDunn receives PII from customers to perform analytical services. But it is BerryDunn, not Reliable, that is being sued by nine customers in U.S. District Court in Portland, Maine. These customers have accused BerryDunn of negligence, unjust enrichment, and breach of fiduciary duty due to data theft.
In the BerryDunn lawsuit, the plaintiffs hope to file a class action lawsuit, alleging that it took BerryDunn seven months after the September 2023 breach to notify them of the theft. It remains to be seen whether BerryDunn intends to sue Reliable.
BerryDunn said there is no indication that the stolen information was misused. At this time, it is not clear which specific clients were affected by the breach, and there is no word on how the hackers gained access to BerryDunn's network.
It is also unclear whether BerryDunn or Reliable carry cybersecurity insurance, or whether the agreement between the parties provides that Reliable is responsible for BerryDunn's cybersecurity protections. It is unclear whether there was a contract. Reliable said it was hired to manage BerryDunn's medical data, but not to provide cybersecurity protections.
Attorneys representing BerryDunn and Reliable did not respond to requests for comment.
Reliable said in a post on its website that the two companies have been working together “for years.” The MSP provided the consultancy with “technology consulting services, on-demand IT support and training, and maintenance and monitoring services” for BerryDunn's own network.
According to the MSP, BerryDunn did not retain Reliable for cybersecurity protection and prevention.
Companies criticized over hacking
The hack occurred between September 12 and 14, 2023, and on April 2, 2024, BerryDunn commissioned a forensic review of the compromised data to identify what was stolen and the owner of the information, the company confirmed in a post on its website.
A separate investigation conducted shortly after the breach revealed that “fraudsters” had infiltrated Reliable's network and made off with some of the data stored on the company's HAPG systems.
According to BerryDunn, on September 14, 2023, a HAPG system managed by Reliable on behalf of BerryDunn exhibited “suspicious” network activity. Reliable maintains that BerryDunn is solely responsible for the breach and that the exploit did not occur on its systems. Reliable claims that BerryDunn is “throwing blame” in order to control the “narrative” of the incident.
Reliable claimed in its public notice that the data breach did not occur on its “networks or internal systems.” The MSP said other customers' networks and Reliable's systems were not affected by the breach.
“Contrary to BerryDunn's baseless claims, BerryDunn's own network and systems were compromised by a third party through no fault of Reliable Networks,” the company wrote in a post. “Reliable Networks remains confident that once all forensic investigations are completed and all the facts are discovered, BerryDunn's allegations will be found to have no merit.”
BerryDunn's actions after the breach
In a customer breach notification filed with the Maine Attorney General's Office, BerryDunn said that upon learning of the fraud, it “immediately implemented incident response protocols to determine what had happened and whether any data had been compromised.” “We have hired cybersecurity experts to assist in our decision.”
On April 11, 2024, BerryDunn announced that certain PII data, including individuals' names, addresses, dates of birth, Social Security numbers, health insurance policy numbers, Medicare or Medicaid numbers, state or government ID numbers, passport numbers and medical information, was compromised. Customers were notified of this.
“While we have no evidence that your personal information was misused, we wanted to inform you about this incident out of an abundance of caution,” the company wrote.
BerryDunn said it has taken steps to protect HAPG data, including decommissioning all systems under Reliable's control and migrating all HAPG data to a secure network that it monitors in-house.
Reliable believes BerryDunn's network and systems were compromised by a third party, but has not provided any evidence to support that claim.
The dispute between BerryDunn and Reliable is similar to one in which an MSP was sued by a prominent Sacramento, Calif., law firm for failing to protect it from a ransomware attack that brought down its systems.
The lawsuit, filed in Sacramento Superior Court by the law firm Mastagni Holstedt, has generated considerable buzz in the channel community. It alleges that LanTech LLC, a privately owned Sacramento company, failed to adequately protect the firm from attackers. The case is ongoing.