
Bansley and Kiener CPA firm sued over delayed breach notification, data theft


A class-action lawsuit has been filed against certified public accountants Bansley and Kiener (B&K), following its breach notice involving a data theft and ransomware attack. The CPA firm provides payroll compliance engagements for health, pension, and other benefit plans in the Midwest.

The ransomware was deployed on the B&K network in December 2020, prompting incident response procedures. Once officials believed the attack was contained, the firm upgraded its computer security.

At the time, the firm found no evidence that data had been compromised. However, in May it was notified that certain information, including patient names and Social Security numbers, had been stolen prior to the ransomware attack, which prompted a second investigation.

B&K first discovered on May 24 that client-related health information had been exfiltrated, but didn’t send the Health Insurance Portability and Accountability Act (HIPAA) notices until Dec. 20, far outside the 60-day timeframe HIPAA requires.

Filed on Dec. 17 in the First Judicial Circuit Court of Cook County, Illinois, the lawsuit sheds further light on the exfiltration incident and alleged HIPAA violations. Gregg Nelson is seeking damages, injunctive relief, and other equitable relief for himself and the more than 70,000 individuals impacted by the incident.

The lawsuit stems from the CPA firm’s “failure to properly secure and safeguard personal identifiable information.”

According to the suit, the stolen data included unencrypted names, dates of birth, SSNs, driver’s licenses or state-issued IDs, passports, tax ID numbers, military IDs, financial accounts, payment card, and/or personal health information.

The lawsuit argues that B&K failed to timely and accurately notify individuals impacted by the data theft and the full extent of the data lost during the hack.

“In December 2020, B&K chose not to notify affected [individuals] or, upon information and belief, its clients, of its data breach, instead choosing to address the incident in-house by making upgrades to some aspects of its computer security,” according to the lawsuit.

“It then simply resumed its normal business operations,” it added. “Over five months later, on May 24, 2021, B&K learned that Class Members’ PII had been ‘exfiltrated’ from its network. Only then did B&K finally retain a cybersecurity firm to investigate this data breach.”

In August, the cybersecurity firm re-confirmed the theft, and yet breach notices were not sent to the impacted individuals until Dec. 3, 2021, nearly a full year after the initial hack was discovered. The lawsuit also claims the intrusion lasted three and a half months, from Aug. 20, 2020, to Dec. 1, 2020, and that those details were not included in the breach notification.

The lawsuit takes issue with the omitted details surrounding the delayed notices, as well as the lack of specifics about the impacted data, which put the individuals “at significant risk to identity theft and various other forms of personal, social, and financial harm.”

The CPA firm is accused of failing to adequately protect consumers’ personal information, as well as failing to warn clients of its “inadequate information security practices” and ineffective security monitoring of vulnerabilities and incidents. The lawsuit argues that B&K’s “conduct amounts to negligence and violates federal and state statutes.”

Further, “the risks to these persons will remain for their respective lifetimes.” The lawsuit claims the individuals have already suffered injury as a result of the data theft, including related out-of-pocket expenses, lost opportunity costs tied to mitigating actual consequences of the breach, loss of time to prevent fraud, charges tied to fraudulent back charges, and continued risks tied to the incident.

The firm “disregarded the rights of [individuals] by intentionally, willfully, recklessly, or at the very least negligently failing to take and implement adequate and reasonable measures to ensure that its customers’ PII was safeguarded… failing to follow applicable, required and appropriate protocols, policies and procedures regarding the encryption of data, even for internal use,” according to the suit.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
