Endpoint Security , Fraud Management & Cybercrime , Governance & Risk Management
Inside Look at an Ugly Alleged Insider Data Breach Dispute
Consolidated Texas Court Case Alleges Trade Secret Theft, Fraud and IntimidationA consolidated legal case slated for jury trial in April that includes allegations of embezzlement, fraud, trade secret theft and intimidation offers an inside look at a complicated and messy alleged insider breach reported last year by a Texas-based accountable care organization.
See Also: Using the Netskope HIPAA Mapping Guide
The case, filed in a Dallas district court, consists of two main lawsuits.
One is a lawsuit filed in April 2021 by Carrollton, Texas-based Sybrid Health, which does business as Premier Management Co., against its former CIO, Mohammad Sohail. On its website, Premier says it works with more than 350 primary care practices. The company's lawsuit against Sohail seeks damages of over $1 million, as well as other relief.
The lawsuit alleges that Sohail stole company "trade secrets" through his continued access to Premier data after he resigned as CIO from the company in September 2019 and that an IT administrator disabled Premier security settings to allow Sohail his continued access to Premier data.
The consolidated case's other lawsuit was filed in July 2020 by Sohail against Wiseman Innovations LLC and several of its executives. In that lawsuit, Sohail is also seeking damages.
Wiseman Innovations, a Carrollton, Texas-based healthcare software and services firm that Sohail co-founded in 2017, provides IT services to Premier.
Court documents in the consolidated case say that during most of his approximately three-year tenure as CIO of Premier, which began in 2016, Sohail also served as CEO of Wiseman Innovations, which was a spinoff company of Premier.
In his lawsuit against Wiseman Innovations, Sohail alleges that Wiseman Innovations fraudulently "cheated" him out of his job and investments in the company, inducing him with threats into resigning from his position as CEO at that company in June 2020 - 10 months after he had resigned as CIO from Premier.
Red Flags
Court filings in the case also allege that Sohail resigned from Wiseman Innovations after the company began to investigate and question him about "trails of money" allegedly moved from a Wiseman Innovations subsidiary and allegedly paid to Sohail family members in Pakistan "for unknown purposes."
Wiseman Innovations alleges the financial transactions raised red flags, especially because "Pakistan is country subject to the Financial Action Task Force watch list for money laundering, terrorist financing, and proliferation funding. [Wiseman] further became aware of possible HIPAA violations and the possibility that personal health information had been compromised."
But in his lawsuit against Wiseman Innovations, Sohail alleges that the company and its executives "schemed" to manipulate him into resigning as CEO by "falsely" accusing him of unlawful activities, including embezzlement and threatened him that those criminal accusations would prevent him and his family members from obtaining U.S. citizenship.
Court documents also say that Wiseman Innovations reported the alleged financial activity to Pakistani law enforcement authorities, resulting in a criminal investigation in Pakistan.
During Wiseman Innovation's own investigation into the alleged financial scheme, the company claims it discovered - through forensic examination of Sohail's company laptop and storage devices - a protected health information breach - and alleged trade secret theft involving Premier information allegedly downloaded by Sohail.
Data Breach Report
Premier alleges that on or about April 12, 2021, the company received a letter from its IT services provider, Wiseman Innovations, informing Premier that its data and confidential information may have been compromised.
In October 2021, Premier reported the incident to U.S. federal regulators as an "unauthorized access/disclosure" breach of PHI that affected nearly 38,000 individuals.
In a report filed to the Maine attorney general's office, Premier said the June 2020 breach was discovered in April 2021 and involved "insider wrongdoing, loss or theft of device or media (computer, laptop, external hard drive, thumb drive, CD, tape, etc.)." (See: Former Executive Accessed PHI of Nearly 38,000 Individuals).
Wiseman Innovations also says that a second, larger breach of Premier data - also allegedly potentially affecting tens of thousands of individuals - occurred as the case's litigation drama was playing out last year.
Wiseman alleges that Sohail's legal team, for its case, recovered and mined data that had been deleted from a hard drive containing Premier information, resulting in a second potential PHI breach.
In a statement to Information Security Media Group, the Department of Health and Human Services' Office for Civil Rights, the federal agency that enforces HIPAA, declined to comment on the Premier breach case because it "does not comment on open or potential investigations," the agency says.
Access Allegations
Premier alleges that for 10 months after his resignation as CIO, while still working as CEO as Wiseman Innovations, Sohail had access to and possession of Premier's confidential and proprietary information, which he allegedly failed to return to Premier upon termination of his employment, as required under prior agreements with the company.
This allegedly included Premier's "officially issued laptop," which he returned on July 29, 2020, about 10 months after he had resigned from Premier, the company says in court documents.
Premier also alleges that Sohail repurposed that laptop for personal use by him and his family members while the device still retained Premier's confidential data, including PHI.
It says that Wiseman Innovations' forensic examination of Sohail's company laptop - conducted as part of the legal dispute between Sohail and Wiseman - revealed that Sohail had connected his Wiseman-company issued laptop to two personal hard drives, one which he connected for approximately several hours on June 15, 2020.
Premier alleges that Wiseman's forensic report and second-level analysis revealed over 100 documents containing Premier's confidential information had been "illegally" in Sohail's possession.
It says the forensic examination found that Sohail had connected at least three personal computers to his hard drive prior to handing it over for forensic analysis.
"Sohail's mere possession of Premier information on his personal computer systems and hard disks amounts to breach of his contractual obligations to Premier. Sohail's use and disclosure of Premier's data is highly likely given his extensive involvement in the healthcare technological industry," Premier says, citing a couple other startup companies allegedly tied to Sohail.
"Sohail's unfettered access to Premier's confidential data provides him opportunities to interfere with Premier's business, unfairly compete with Premier and solicit its customers, and interfere with Premier's existing and prospective contractual relationships with its doctors," the lawsuit says.
Disabled Endpoint Security
The Premier lawsuit alleges that changes to the company's security controls - including disabling endpoint security - allowed Sohail's continued access to Premier "trade secrets" and other sensitive information after his resignation as CIO.
It says that Sohail "colluded with or coerced" Pakistan-based Sajid Fiaz, who served as Premier's IT administrator while also being employed at Wiseman Innovations as an IT infrastructure manager and HIPAA officer.
Premier alleges that Fiaz's actions related to its data security provided Sohail "unfettered access to the master password for endpoint security that enabled that data theft and misuse through USB drives connected to secure IT systems."
It says Sohail had unrestricted access to copying data to and from the company laptops and that a forensic report showed that he retained and accessed .PST files of emails from Premier after resigning as CIO in.
".PST files are an aggregated archive of all emails sent to and from an email address including all attachments," Premier says in court documents. It alleges that the emails found in the .PST files Sohail accessed "had company confidential information for Wiseman and its customer, Premier, which included pricing, physician rosters, investor and customer decks, valuation financials, customer contracts, proposals sent to prospective customers and company financials."
Threat Allegations
Sohail alleges that officials at Wiseman Innovations threatened him and Fiaz, including threatening Fiaz into making false statements about Sohail and his access to Premier information.
A Texas court of appeals ruling on Jan. 24, 2022, includes a summary of testimony provided by Fiaz during a June 2021 court hearing in which he said he had been threatened by "Wiseman agents" in Pakistan to fabricate evidence and lie about helping Sohail violate company protocols, steal confidential information and gain access to emails and data belonging to Premier.
The appeals court upheld a temporary injunction order by a Dallas trial court against Wiseman Innovations and several company executives, enjoining them from "harassing, intimidating, or influencing any witness or potential witness" involved in the lawsuits.
When asked to comment on the lawsuit allegations, Fiaz referred ISMG to his June 2021 testimony.
Sohail declined to comment on the litigation, referring ISMG to his attorney.
Jonathan Bridges, an attorney at law firm Sbaiti & Co., which is representing Sohail in the litigation, says in a statement to ISMG regarding the alleged second breach involving "mining" Premier data: "We have not, to our knowledge, viewed any documents that contain any of Premier’s PHI. Nor do we believe that there is any Premier PHI on any document we have."
He says that Premier's lawyers "either refused or were unable to" "identify the files they believe contain their PHI," causing Bridges to believe the files don't exist.
"There is also a court order placing protections on the use and distribution of such information in our possession - an order requested by Premier. We agreed to the order and have abided by it. Calling our handling of documents in litigation a 'data breach' strikes us as misleading," Bridges says.
An attorney representing Premier and Wiseman Innovations tells ISMG: "My clients continue to devote a significant amount of time and resources to addressing the claims in the litigation, including the data breaches, and are working to ensure that the data is secure."
Role-Based Access
Regulatory attorney Rachel Rose, who is not involved in the Sohail litigation, says a "wall" should have been erected after Sohail's departure as CIO, and the company should have ensured that adequate checks and balances existed from the outset.
"A third-party auditor should have addressed this as part of an annual HIPAA risk analysis or SOC2 audit," she says, adding that Texas regulations allow a wall to be erected to avoid conflicts of interest.
Rose also says the fact that a CEO had roles at two entities at the same time - and those entities had a business relationship with each other - raises potential issues around data access controls.
"Just because someone is the CEO does not mean they need access to everything," she says. "Role-based access, as well as consideration of the facts and circumstances of a situation, is critical."
In any health data breach, she says, "the illicit taking and use of PHI for one's personal gain" violates the HIPAA privacy rule and is criminal - "leading to indictments and sentencing."