Roma Patel writes:
We often cover consumer class action complaints against companies regarding the privacy and security of personal information. However, litigation can also arise from alleged breach of contract between two companies. This week, we will analyze a medical diagnostic testing laboratory’s April 2025 complaint against its managed services provider for its alleged failure to satisfy its HIPAA Security Rule and indemnification obligations under the HIPAA Business Associate Agreement (BAA) between the parties.
Complaint Background
According to the complaint, the laboratory – Molecular Testing Labs (MTL) – is a Covered Entity under HIPAA, and Ntirety is its Business Associate. Reportedly, the parties entered into a BAA in September 2018. The BAA’s intent was to “ensure that [Ntirety] will establish and implement appropriate safeguards” for protected health information (PHI) it handles in connection with the functions it performs on behalf of MTL. The complaint points to various provisions of the BAA related to Ntirety’s obligations, including complying with the HIPAA Security Rule. According to MTL, the BAA also includes an indemnification provision that requires Ntirety to indemnify, defend, and hold harmless MTL against losses and expenses due to a breach caused by Ntirety’s negligence.
Alleged HIPAA Violations
MTL asserts that around March 12, 2025, it received information about a material data breach involving data “that was required to have been secured by Ntirety under the BAA.” The complaint is unclear about how or from whom MTL received that information.
The complaint asserts that MTL’s forensic investigation determined that Ntirety had faced a ransomware attack, potentially from Russian threat actors. MTL’s forensic investigation determined that Ntirety had “significant deficiencies, shortcomings, and omissions” in its procedures and practices that enabled the threat actors to access Ntirety’s computer systems and MTL’s confidential information.
In addition, MTL alleges that “Ntirety failed to provide material support to MTL for weeks” and that the support offered was conducted “slowly and incompetently.” Allegedly, Ntirety informed MTL that it would charge MTL for such efforts. MTL argues that under its BAA obligations, Ntirety was required to support MTL in its efforts to respond to and mitigate the security incident’s harmful effects.
Read more about the litigation at Robinson + Cole.