
Managed Service Provider Denies Being Source of Breach

Health Analytics Firm Said Hackers Stole Data on 1 Million by Hacking MSP's Network

A managed service provider says a customer is wrongly trying to shift blame for a data breach that exposed 1.1 million individuals' personal details.


A Maine consulting firm with a medical data analytics business on April 25 submitted a data breach notification stating that it will notify 1.1 million U.S. residents that hackers compromised identifying data stored by its Health Analytics Practice Group (see: Health Analytics Firm Reports Breach Affecting 1.1 Million).

In a notice posted to the Berry, Dunn, McNeil & Parker website late last year, the consultancy fingered its managed service provider, Reliable Networks of Maine, for the breach.

Reliable now says the blame lies the other way: The company says its now-former customer has opted to "cast aspersions" in an "effort to control the narrative" by blaming the MSP for the breach.

BerryDunn's notification states that after BerryDunn hired outside experts to probe the breach, "the investigation found that an unauthorized actor gained access to Reliable's network and took some data stored on the HAPG systems." BerryDunn commissioned a third party to review the exposed data and identify affected individuals, and that process concluded on April 2, after which it began notifying victims and regulators.

That's BerryDunn's version of events, which Reliable Networks disputes on multiple fronts. Reliable said it first directly notified BerryDunn about the apparent breach and that it didn't involve any system or network owned or secured by Reliable.

"Contrary to Berry Dunn's baseless allegations, BerryDunn's own network and system were breached by a third-party, through no fault of Reliable Networks," says a statement shared with Information Security Media Group by Chris Provencher, president of Reliable Networks.

Reliable said it worked with BerryDunn "for years, providing technology consultation services, on-demand IT support and training, and maintenance and monitoring services for BerryDunn's own networks." The MSP said BerryDunn "did not retain Reliable Networks to serve as its cybersecurity protection/prevention vendor."

Contrary to what BerryDunn's data breach notification claims, Reliable said "the data breach did not occur on Reliable Networks' own network, nor its internal systems." In addition, "none of Reliable Networks' other clients' networks or systems were impacted by this data breach."

BerryDunn didn't respond to multiple requests for comment.

The company's website says its analytics group works with government regulatory and healthcare policy agencies, insurers and providers to help them test policies and programs, backed in part by analyzing health insurance claims data.

Which specific clients of BerryDunn - and by extension, their members or customers - may have been affected by the breach isn't clear.

Last year, UPMC Health Plan, which has 3.9 million members and is owned by the University of Pittsburgh Medical Center, flagged BerryDunn's initial breach notification and warned that the breach "may have impacted some members' protected health information."

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
