Managed Service Provider Denies Being Source of Breach
Health Analytics Firm Said Hackers Stole Data on 1 Million by Hacking MSP's Network
A managed service provider says a customer is wrongly trying to shift blame for a data breach that exposed 1.1 million individuals' personal details.
A Maine consulting firm with a medical data analytics business on April 25 submitted a data breach notification stating that it will notify 1.1 million U.S. residents that hackers compromised identifying data stored by its Health Analytics Practice Group (see: Health Analytics Firm Reports Breach Affecting 1.1 Million).
In a notice posted to the Berry, Dunn, McNeil & Parker website late last year, the consultancy fingered its managed service provider, Reliable Networks of Maine, for the breach.
Reliable now says the blame lies the other way: The company says its now-former customer has opted to "cast aspersions" in an "effort to control the narrative" by blaming the MSP for the breach.
BerryDunn's notification states that after BerryDunn hired outside experts to probe the breach, "the investigation found that an unauthorized actor gained access to Reliable's network and took some data stored on the HAPG systems." BerryDunn commissioned a third party to review the exposed data and identify affected individuals, and that process concluded on April 2, after which it began notifying victims and regulators.
That's BerryDunn's version of events, which Reliable Networks disputes on multiple fronts. Reliable said it first directly notified BerryDunn about the apparent breach and that the breach didn't involve any system or network owned or secured by Reliable.
"Contrary to Berry Dunn's baseless allegations, BerryDunn's own network and system were breached by a third-party, through no fault of Reliable Networks," says a statement shared with Information Security Media Group by Chris Provencher, president of Reliable Networks.
Reliable said it worked with BerryDunn "for years, providing technology consultation services, on-demand IT support and training, and maintenance and monitoring services for BerryDunn's own networks." The MSP said BerryDunn "did not retain Reliable Networks to serve as its cybersecurity protection/prevention vendor."
Contrary to what BerryDunn's data breach notification claims, Reliable said "the data breach did not occur on Reliable Networks' own network, nor its internal systems." In addition, "none of Reliable Networks' other clients' networks or systems were impacted by this data breach."
BerryDunn didn't respond to multiple requests for comment.
The company's website says its analytics group works with government regulatory and healthcare policy agencies, insurers and providers to help them test policies and programs, backed in part by analyzing health insurance claims data.
Which specific clients of BerryDunn - and by extension, their members or customers - may have been affected by the breach isn't clear.
Last year, UPMC Health Plan, which has 3.9 million members and is owned by the University of Pittsburgh Medical Center, flagged BerryDunn's initial breach notification and warned that the breach "may have impacted some members' protected health information."