Vendor Data Disclosure Mishap Leads to Lawsuit

Intellectual Property Dispute Spotlights Critical Issues
An intellectual property lawsuit filed by a medical tourism firm against its web hosting provider highlights issues that healthcare organizations need to consider in their relationships with business associates, including cloud services providers.

"There's always the question of what a vendor is permitted to do with information and whether they actually follow the rules," says privacy attorney Kirk Nahra of the law firm Wiley Rein, who is not involved in the case. "Most vendors don't abuse their rights, but some do, and they may push the envelope."

Lawsuit Details

Sourcis, a medical tourism and internet marketing company, alleges in a federal lawsuit filed June 4 that its web hosting services provider, Bluehost, inappropriately disclosed 2 million confidential Sourcis files and trade secrets to a competing medical tourism firm that had been at the center of an earlier legal dispute with Sourcis.

Sourcis alleges that Bluehost disclosed "a half terabyte of confidential, proprietary, privileged and otherwise private email communications and other electronic data pertaining to [Sourcis] and [Sourcis clients] located in California," and provided that information to a Sourcis competitor, Bravo Development Group, which had a previous business relationship with Sourcis that went sour.

Back in July 2015, Sourcis sued Bravo in a dispute alleging that its competitor had improperly acquired Sourcis trade secrets that were used to "generate medical tourism leads." That case was settled in December 2015, and terms were not disclosed.

'Data Dump'

In its newly filed lawsuit, Sourcis is seeking damages from Bluehost, its web hosting provider. It alleges that Bluehost, in responding to a subpoena in the earlier case against Bravo, unlawfully provided to Bravo more than 2 million files of Sourcis data, including confidential trade secrets as well as email communications between Sourcis and clients, which included psychologists and attorneys.

"Contrary to Bluehost's claim of justification, the vast majority of the computer files in the 'data dump' were unresponsive to the subpoena and entirely irrelevant" to the lawsuit between Sourcis and Bravo, the Sourcis lawsuit alleges.

Bluehost stored on its systems and servers a large quantity of emails and other electronic data pertaining to Sourcis, its CEO Shahram Elli and its clients, the lawsuit alleges.

"On or about Oct. 10, 2014, Bluehost legal and compliance manager Shari Dixon, acting on behalf of Bluehost, mailed Bravo's California legal counsel an external computer hard drive containing a full backup of all the data relating to nine of Sourcis' hosting accounts," the suit alleges. That "data dump" provided to Bravo included 2.4 million computer files including "thousands if not hundreds of thousands of inbound and outbound email and other electronic communications as stored on Bluehost's servers," the suit alleges.

Bluehost did not immediately respond to an Information Security Media Group request for comment on the case.

Attorney Hank Burgoyne of the law firm Burgoyne Law Group, which is representing Sourcis, tells ISMG that the dispute "is just a reminder that as conscientious as most of us have become with information privacy and security, mistakes can and still do happen. Lightning does still strike, and when it does, it's important to react quickly and proactively."

The Sourcis suit alleges, among other claims, that Bluehost violated the Stored Communications Act, the Computer Fraud and Abuse Act, the California Comprehensive Computer Data Access and Fraud Act, and various other laws; misappropriated trade secrets; and intruded upon private "personal, financial and other intimate email."

Business Associate Concerns

While Sourcis' suit does not allege that Bluehost disclosed to Bravo protected health information as defined under HIPAA, the dispute shines a light on similar privacy and security concerns that often arise between covered entities and their business associates, including cloud services providers and web hosting firms, some security experts say.

"Ever since cloud services and other types of proprietary third-party services have been hired to handle data processing activities ... [these types of disputes have] been a concern, and a very real problem," says Rebecca Herold, CEO of The Privacy Professor and co-founder of the consulting firm SIMBUS Security and Privacy Services.

Herold says many business associates lack formal policies and procedures related to the handling of records in their clients' databases that are housed by the vendors.

The dispute between Sourcis and Bluehost focuses on the issue of what specific records could be collected and provided as part of a legal discovery action, Herold says. "Similarly, in the healthcare space, business associates that house records for covered entities must be able to extract specific records not only for legal discovery activities, but also to support accounting of disclosures requests," she says.

Some cloud hosting vendors, Herold says, contend "that it isn't their responsibility to separate such records from the others, but that their clients need to have the software on their side to perform those sorting and extraction activities."

Herold adds that many covered entities assume that their BAs who provide data warehousing services have capabilities to extract specific records. But she stresses that "every expectation and requirement needs to be documented."

Steps to Take

Herold suggests covered entities should ensure their web hosting providers have the following in place:

  • A fully documented information security and privacy management program;
  • Comprehensive policies and supporting procedures, including those covering the extraction of specific records from the data repositories upon each client's/CE's request;
  • Training for workers who will need to respond to such requests.

"It would also be good to ask for a HIPAA audit, or the results of a recent one, to ensure they also have procedures in place for related requests, such as logs for accounting of disclosures," she adds.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.