Data Breach Lawsuit Alleges Mismanagement of 3rd-Party Risk
Proposed Class Action Filed Against Intellihartx in Wake of Fortra GoAnywhere Hack
A proposed federal class action lawsuit alleges that patient debt collection software firm Intellihartx was negligent in its handling of third-party risk, contributing to a breach affecting nearly 490,000 individuals and involving a recent hack on its file transfer software vendor Fortra.
The lawsuit, filed in an Ohio federal court on Wednesday by plaintiff Lauren Perrone on behalf of herself and others similarly affected, alleges that, among other failures, Intellihartx did not adequately supervise its business associates, vendors and suppliers that collected and maintained sensitive personal information.
Tennessee-based Intellihartx, a healthcare revenue cycle software vendor also known as ITx, is one of 130 Fortra customers affected by the Clop ransomware group's exploitation of a zero-day vulnerability. Clop has been exploiting vulnerabilities in two file transfer products, GoAnywhere MFT and MOVEit, since February (see: Federal Lawsuits in Fortra Health Data Breach Piling Up).
ITx on June 8 reported a health data breach affecting nearly a half-million individuals and involving a hack on its secure file transfer protocol provider Fortra (see: Another Healthcare Vendor Reports Big Fortra GoAnywhere Hack).
Affected patient information included name, address, medical billing and insurance information, medical information such as diagnoses and medication, and demographic information such as birthdate and Social Security number, ITx said.
The rise in software supply chain attacks and third-party vulnerabilities is a growing concern in the healthcare industry. Business associates were involved in about 40% of major health data breaches reported so far in 2023 and accounted for half of all individuals affected by breaches, according to the Department of Health and Human Services. Class action suits have followed many of these third-party breaches.
The latest GoAnywhere-related lawsuit alleges that ITx could have prevented the theft of sensitive data "had it limited the patient information it shared with its business associates and employed reasonable supervisory measures to ensure that adequate data security practices, procedures and protocols were being implemented and maintained by business associates."
ITx's "collective inadequate safeguarding and supervision of class members' private information that they collected and maintained, and its failure to adequately supervise its business associates, vendors and/or suppliers" has put the plaintiffs and class members at risk for ID fraud and theft crimes, the complaint also alleges.
The lawsuit says victims will be at higher risk for phishing, data intrusion and other illegal schemes through the misuse of their private information. It also points out that their data is still held by ITx and could be exposed to future breaches without the court's corrective action.
The lawsuit seeks monetary damages, lifetime credit and identity monitoring for the plaintiff and class members, as well as a court order for ITx to take measures to prevent any future similar data security incidents.
"Injunctive relief is necessary to ensure defendant's approach to information security, especially as such approach relates to the supervision of its business associates, vendors and/or suppliers, is adequate and appropriate going forward," the lawsuit says.
Neither ITx nor the plaintiff's attorney immediately responded to Information Security Media Group's requests for comment on the lawsuit and data breach.
Vetting Vendors
Regulatory attorney Paul Hales of the Hales Law Group, who is not involved in the ITx litigation, predicted the plaintiff and class members will face challenges in their lawsuit.
"The first hurdle - and it is a very high hurdle - plaintiffs face in the ITx lawsuit is whether they even can bring this lawsuit in federal court. The complaint focuses on potential risks of harm to plaintiffs but offers no examples of actual monetary or physical harm - what the Supreme Court calls 'concrete harm,'" he told ISMG.
"If plaintiffs overcome this basic jurisdictional issue, ITX's liability for Fortra's breach would be based on its contractual terms with Fortra and the degree of due diligence it exercised in contracting with Fortra and using Fortra's GoAnywhere software, particularly after security issues in the software were widely publicized," he added.
Hales recommended that HIPAA-covered entities perform due diligence with all business associates - or revisit previous talks. "For example, did the business associate do risk analysis recently and does it have policies and procedures in place to manage the risks it identified?" he said.
Covered entities also must make sure they have up-to-date business associate agreements in place with all their third parties handling protected health information.