An IT consulting firm being sued in federal court for a data breach says it is not at fault. Instead it is pointing the finger at a managed service provider (MSP) for failing to secure its network, exposing it to the breach that affected more than one million people.
Berry, Dunn, McNeil & Parker, a Portland, Maine-based IT and accounting consultancy that operates a medical data analytics business, blames Reliable Networks, an MSP based in Biddeford, Maine. At issue is the failure to protect 1.1 million individuals’ personally identifiable information (PII) stored by Reliable's Health Analytics Practice Group (HAPG). Some 3,100 Maine residents were affected in the security breach.
BerryDunn receives PII from its customers to conduct analytics services. However, it is BerryDunn, not Reliable, that is being sued in U.S. District Court in Portland, Maine by nine customers. Those customers are accusing BerryDunn of negligence, unjust enrichment, and breach of fiduciary duty owing to the data theft.
In the BerryDunn action, the plaintiffs hope to form a class-action lawsuit, complaining that it took BerryDunn seven months after the September 2023 breach to notify them of the theft. Whether BerryDunn intends to sue Reliable remains to be seen.
According to BerryDunn, there is no evidence the stolen information has been misused. Which specific clients were hit by the intrusion isn’t clear and at this point, and there’s no word on how the hackers gained entry into BerryDunn’s network.
Neither is it clear if BerryDunn or Reliable has cybersecurity insurance or if a contract between the two parties stipulated that Reliable was responsible for BerryDunn’s cybersecurity protection. It's not clear if there was a contract. Reliable said it was hired to manage BerryDunn’s healthcare data but not to provide cybersecurity protection.
Attorneys representing BerryDunn and Reliable did not return requests for comment.
The two companies have worked together “for years,” Reliable said in a post on its website. The MSP has provided the consultancy with “technology consultation services, on-demand IT support and training, and maintenance and monitoring services” for BerryDunn’s own networks.
BerryDunn did not retain Reliable for cybersecurity protection and prevention, the MSP said.
Businesses Point Fingers Over Hack
The hack, which occurred from September 12-14, 2023, was confirmed on April 2, 2024 by a third party that BerryDunn commissioned to conduct a forensic review of the impacted data to identify what had been stolen and individuals to whom the information belonged, the company said in a post on its website.
A separate investigation conducted immediately following the break-in determined that an “unauthorized actor” had breached Reliable’s network and made away with some data stored on its HAPG systems.
According to BerryDunn, on September 14, 2023, HAPG systems, managed by Reliable on BerryDunn’s behalf, had shown some “suspicious” network activity. Reliable is contending that BerryDunn is solely responsible for the breach, arguing that the exploit did not occur on its systems. Reliable claims that BerryDunn is “casting aspersions” to control the “narrative” of the incident.
In its open notice, Reliable alleged that the data breach had not occurred on its “own network nor its internal systems.” No other clients’ network or systems of Reliable’s were impacted by the breach, the MSP said.
“Contrary to Berry Dunn’s baseless allegations, BerryDunn’s own network and system were breached by a third party, through no fault of Reliable Networks,” the company wrote in the post. “Reliable Networks remains confident that once all forensic investigations are completed and all facts are discovered, BerryDunn’s allegations will prove to be devoid of any merit whatsoever.”
BerryDunn's Actions Following Breach
In a breach notification to customers filed with the Maine Attorney General's office, BerryDunn said upon learning of the unauthorized activity, it “immediately implemented its incident response protocols, and engaged cybersecurity experts to assist with determining what occurred and whether any data was compromised.”
On April 11, 2024, BerryDunn notified its customers that certain PII data had been compromised, including individuals’ names, addresses, dates of birth, Social Security numbers, health insurance policy numbers, Medicare or Medicaid numbers, state or governmental ID numbers, passport numbers and medical information.
“While we have no evidence that your personal information was misused, we wanted to inform you about this incident out of an abundance of caution,” the company wrote.
BerryDunn said that it has taken steps to secure the HAPG data, such as decommissioning all systems under Reliable’s control and migrating all HAPG data to secure networks that it monitors on its own.
Reliable believes that BerryDunn’s network and systems were breached by a third party, although it did not provide any evidence to support its claim.
The BerryDunn/Reliable conflict bears some resemblance to a case in which an MSP was sued by a prominent Sacramento, California law firm alleging that it failed to protect it from a ransomware attack that took down its systems.
The lawsuit, which has generated a significant amount of chatter in the channel community, filed by the law firm Mastagni Holstedt in Sacramento Superior Court, claims that LanTech LLC, a privately-owned Sacramento company, failed to adequately protect it from the attackers. That case is ongoing.