Breaches Within Breaches: Contractual Obligations After a Security Incident

Health Law Diagnosis: Monitoring the Pulse of Health Care and Life Sciences

This post was authored by Roma Patel, Associate in Robinson+Cole's Data Privacy + Cybersecurity Team.

We often cover consumer class action complaints against companies regarding the privacy and security of personal information. However, litigation can also arise from an alleged breach of contract between two companies. This week we will analyze a medical diagnostic testing laboratory's April 2025 complaint against its managed services provider for its alleged failure to satisfy its HIPAA Security Rule and indemnification obligations under the HIPAA Business Associate Agreement (BAA) between the parties.

Complaint Background

According to the complaint, the laboratory, Molecular Testing Labs (MTL), is a Covered Entity under HIPAA and Ntirety is its Business Associate. Reportedly, the parties entered into a BAA in September 2018. The BAA's intent was to ensure that Ntirety would establish and implement appropriate safeguards for the protected health information (PHI) it handles in connection with the functions it performs on behalf of MTL. The complaint points to various provisions of the BAA related to Ntirety's obligations, including complying with the HIPAA Security Rule. According to MTL, the BAA also includes an indemnification provision that requires Ntirety to indemnify, defend, and hold harmless MTL against losses and expenses due to a breach caused by Ntirety's negligence.

Alleged HIPAA Violations

MTL asserts that around March 12, 2025, it received information about a material data breach involving data that was required to have been secured by Ntirety under the BAA. The complaint is unclear about how, or from whom, MTL received that information.

The complaint asserts that MTL's forensic investigation determined that Ntirety had faced a ransomware attack, potentially from Russian threat actors, and that Ntirety had "significant deficiencies, shortcomings, and omissions" in its procedures and practices that enabled the threat actors to access Ntirety's computer systems and MTL's confidential information.

In addition, MTL alleges that Ntirety failed to provide material support to MTL for weeks, and that the support offered was conducted slowly and incompetently. Allegedly, Ntirety informed MTL that it would charge MTL for such efforts. MTL argues that under its BAA obligations, Ntirety was required to support MTL in its efforts to respond to and mitigate the security incident's harmful effects.

Alleged Breach of Contract: Indemnification Demand

MTL also asserts that it has incurred, or expects to incur, various damages related to remediation efforts, HIPAA notification requirements, possible legal and regulatory actions, and direct and indirect harm to MTL's business. Specifically, MTL claims it has already incurred damages related to the forensic investigation and anticipates further damages associated with fulfilling HIPAA PHI breach notifications and providing credit monitoring services. MTL also expects to suffer harm to its business as a result of the breach and to be subject to lawsuits and regulatory action.

Reportedly, on March 25, 2025, and April 3, 2025, MTL sent formal demands to Ntirety for indemnification under the BAA for losses incurred as a result of the breach, but Ntirety has provided no substantive response to MTL's indemnification demands.

Lessons Learned

After discovering a breach, companies have numerous obligations, such as determining whether data has been corrupted, containing the incident, conducting a forensic investigation, and identifying individuals whose data may have been involved. It can often take weeks or even months to understand the scope and extent of a breach, but companies should also promptly assess their contractual obligations post-breach. Whether in a BAA or another service agreement, companies may be required to let their vendors and other partners know about an incident.

In addition, companies should consider whether to communicate about the incident at a high level to their vendors and partners even absent contractual requirements, particularly if news about the incident has already leaked. The risk of such communications includes potentially providing premature information that is likely to change as the forensic investigation unfolds. On the flip side, partners might appreciate the transparency and direct acknowledgment. There can be many legal and regulatory consequences of a data breach, but with adherence to contractual obligations and appropriate communication, a breach of contract claim doesn't have to be one of them.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you're interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

The Robinson+Cole Health Law Group serves health care and life sciences clients regionally, nationally, and globally. We are experienced lawyers trained to help clients meet their business objectives within complicated legal and regulatory environments. Our team understands the challenges of competition, regulation, and resource allocation. We focus on providing practical solutions and responsive counsel to our clients.