
Breach, Blame, and Bad Behavior – Ep 509 

 May 16, 2025

By  Donna Grindle

When a cybersecurity CEO strolls into a hospital and decides to play malware magician with a couple of unlocked computers, you’ve got yourself a plot twist worthy of a Netflix docuseries. In this episode, we dive headfirst into bizarre breaches, finger-pointing fiascos, and the kind of contractual confusion that’ll make you want to reread your SLAs before breakfast. It’s a rollercoaster of responsibility, reputation, and really bad behavior. But at the heart of it all is the million-dollar question: who’s actually responsible when it all goes sideways?



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA



Breach, Blame, and Bad Behavior

[01:41]

A hospital device infected with malware by the CEO of a cybersecurity firm, a BA being sued, and MSPs blamed for client-side breaches. Where does blame end and criminal liability begin?

CEO Accused

  • A cybersecurity firm’s CEO allegedly installed malware on a hospital employee’s device: Jeffrey Bowie, CEO of Oklahoma City-based Veritaco, a “cybersecurity and private intelligence” firm.
  • Charges include violating Oklahoma’s Computer Crimes Act in an incident on Aug. 6, 2024.
  • The only motive we could come up with: demonstrating security gaps or justifying further engagement.
  • This flips the narrative — this isn’t a vendor being blamed unfairly, this is a vendor actively causing harm.
  • Cautionary tale: When you misuse access, it’s not a risk issue — it’s criminal.

Security camera footage apparently shows Bowie wandering around the hospital last August trying to enter multiple offices until he stumbled on two computers, on which he allegedly installed malware designed to take a screenshot every 20 minutes and to send the images to an outside IP address, according to local media outlet News 9.

MSP Blamed

[08:37]
  • An IT consulting firm blamed its MSP for a client data breach that impacted patient records.
  • The MSP had been tasked with providing network security — but the IT firm claimed the MSP failed in that duty.
  • Accounting and consulting firm BerryDunn faced a class action after a data breach exposed sensitive personal info.
  • BerryDunn turned around and blamed its MSP for failing to prevent or detect the intrusion.
  • A $7.25 million settlement followed — showing the serious financial consequences of vendor-related breaches.
  • Highlights the multi-layered nature of vendor environments — who was really responsible? And who can prove it?
  • Shows how MSPs are often caught in the middle of complex vendor-client relationships.

Key takeaway: If you don’t have clear, limited scope of responsibility — you might take the fall when things go wrong.

In a Reddit discussion, an MSP that was blamed for a breach was able to drop a pile of signed quarterly reports telling the client they needed to put a VPN in front of their RDP, a recommendation the client had turned down repeatedly. BOOM!

MSP Sued

[18:16]
  • A business associate (BA) was sued by its client, a HIPAA-covered entity, over alleged failure to secure protected health information (PHI). Note the difference here: Ntirety sells HIPAA compliance services.
  • The lawsuit includes claims of negligence, breach of contract, and violation of the BA agreement.
  • Notably, the lawsuit is not from OCR — this is a private legal action, showing clients won’t wait for regulators.
  • The core issue: The BA allegedly failed to implement proper safeguards, which the CE claims contributed to a breach.
  • Lesson: Even if you’re “HIPAA compliant,” you can still be sued for perceived failures — especially if expectations weren’t clearly managed.

Who owns the risk?

[36:45]
  • Risk can’t be outsourced — “You can outsource the function, not the risk.”
  • There’s often confusion between responsibility and accountability in vendor relationships.
  • Even when an MSP or BA performs security tasks, the client (or CE) often still holds ultimate legal risk.
  • Contracts and SLAs must be crystal clear about who is doing what — otherwise, everyone points fingers post-breach.
  • Clients often assume full protection comes with hiring a vendor — but that’s only true if the contract explicitly says so.

MSPs and their customers must work together to meet security standards and expectations. Working with an MSP doesn’t remove the risk from the customer; it shifts it.

All of these articles are sources for this episode:

CEO: Cyber Firm CEO Accused of Placing Malware on Hospital Device

Reliable Networks: Managed Service Provider Denies Being Source of Breach

IT Consulting Firm Blames MSP for Data Breach | MSSP Alert

$7.25M Berry Dunn McNeil & Parker data breach class action settlement (It included Reliable Networks in the class action – not sure how they have resolved this point between the two of them.)

Ntirety: Business Associate Sued By HIPAA-Covered Entity over Alleged HIPAA Security Rule Failures

Draw the line where: Who Owns the Risk? – Managed Service Providers (MSP) | KirkpatrickPrice

Who Owns The Breach? Lessons from BerryDunn v. MSP

So what did we learn today? Maybe not to let strangers near unlocked hospital computers. Maybe to read our contracts before signing them. But most importantly, we learned that risk doesn’t disappear just because someone else said they’d “handle it.” Whether you’re the client, the vendor, or the bystander holding the digital mop after a breach, understanding who owns what part of the mess is crucial — because no one wants to find out mid-crisis that the “other guy” was never actually on the hook.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
