There is an interesting lawsuit stemming from an incident that had previously been claimed to be a rogue insider’s doing. Now Marc Stolowitz, the former employee, is suing the firm, Nuance Communications, claiming that the firm falsely accused him of hacking them to cover up the fact that he was in the process of blowing the whistle on an unremediated vulnerability exposing patient data that they had known about since 2014 but chosen not to fix. According to the complaint, Nuance not only falsely accused him of hacking them in 2017 when he was downloading proof of the vulnerability to provide to the government, but Nuance also allegedly made false filings with the SEC in 2018 about the incident.
As seen on law.com:
Lawyers at Bradley Arant Boult Cummings on Thursday removed a defamation lawsuit against Nuance Communications Inc. to Florida Southern District Court. The complaint accuses Nuance of retaliating against a whistleblower who identified and disclosed a cybersecurity breach in Nuance’s computer systems, resulting in the public availability and disclosure of protected health information of more than 45,000 patients. The suit was filed by Andrew Grosso & Associates and Stephen J. Bagge PA on behalf of Marc Stolowitz. The case is 1:22-cv-20234, Stolowitz v. Nuance Communications, Inc.
The complaint is available on law.com.
DataBreaches.net attempted to check HHS’s public records to see how Nuance had reported this to HHS in 2018 but could find no entry from Nuance itself. There was an incident report from one of the covered entities, however, that described the breach as occurring during 2017. OCR’s investigator wrote the closing note:
The electronic protected health information (ePHI) involved in the breach consisted of approximately 864 patients’ names, dates of birth, diagnoses, and other treatment information. OCR opened an investigation of the CE to determine compliance with the Privacy Rule’s BA contract requirements. The CE provided the BA Agreement (BAA) with Nuance and OCR determined that the BAA appears to comply with the requirements specified in the Privacy Rule. OCR opened a separate review of the BA.
The entry does not state the outcome or findings of OCR’s separate review of Nuance Communications.
DataBreaches.net reached out to Stolowitz’s lawyers to ask whether he ever actually filed the whistleblower complaint with HHS and/or the SEC, and if so, when, but received no reply by the time of this publication. This site also submitted an inquiry to Nuance Communications to ask if they had any response to the lawsuit, but received no reply by publication time.
According to the docket, the lawsuit was referred to mediation by the court on February 22.