Barracuda Networks, Inc.

In 2018, **Barracuda Networks, Inc.** experienced a data breach that exposed **protected health information (PHI)** of patients of **Zoll Services LLC**, a subsidiary of Zoll Medical Corporation. The breach occurred due to vulnerabilities in Barracuda’s email archiving services, which were resold to Zoll via a third-party vendor, **Fusion, LLC**. The exposed PHI included sensitive patient data, leading to a **class-action lawsuit** against Zoll. While Zoll settled with affected customers, the legal dispute extended to Barracuda, with **Axis Insurance Company** (acting as Zoll’s assignee and Fusion’s subrogee) filing tort and contract claims. The court ultimately ruled in favor of Barracuda, dismissing claims of **equitable indemnification, breach of contract, and breach of the covenant of good faith and fair dealing** due to lack of evidence proving derivative liability or contractual obligations. The breach highlighted gaps in **third-party risk management** and **HIPAA compliance**, particularly regarding subcontractor safeguards for PHI.

Source: https://masslawyersweekly.com/2025/11/25/contract-data-breach-2/

Barracuda cybersecurity rating report: https://www.rankiteo.com/company/barracuda-networks

"id": "BAR5995259112525",
"linkid": "barracuda-networks",
"type": "Breach",
"date": "6/2018",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Patients whose PHI was exposed '
                                              '(exact number unspecified)',
                        'industry': 'Healthcare (Medical Devices)',
                        'name': 'Zoll Services LLC',
                        'type': 'Subsidiary'},
                       {'industry': 'Healthcare (Medical Devices)',
                        'name': 'Zoll Medical Corporation',
                        'type': 'Parent Company'},
                       {'industry': 'Data Security Services',
                        'name': 'Fusion, LLC',
                        'type': 'Service Provider'},
                       {'industry': 'Cybersecurity (Email Archiving Services)',
                        'name': 'Barracuda Networks, Inc.',
                        'type': 'Technology Provider'}],
 'data_breach': {'data_exfiltration': 'Yes (exposed to unauthorized third '
                                      'party)',
                 'personally_identifiable_information': 'Yes (PHI includes '
                                                        'PII)',
                 'sensitivity_of_data': 'High (Healthcare data subject to '
                                        'HIPAA)',
                 'type_of_data_compromised': ['Protected Health Information '
                                              '(PHI)']},
 'description': 'A 2018 data breach at Barracuda Networks exposed the '
                'protected health information (PHI) of patients of Zoll '
                'Services LLC, a subsidiary of Zoll Medical Corporation. The '
                "breach occurred due to vulnerabilities in Barracuda's email "
                'archiving services, which were resold to Zoll by Fusion LLC '
                'under an OEM agreement. The lack of proper liability '
                "limitations and indemnification clauses in Fusion's contract "
                'with Zoll, as required by the OEM agreement, led to legal '
                'disputes. Zoll settled a class-action lawsuit with affected '
                'customers, and its insurer, Axis Insurance Company, sought '
                'indemnification from Barracuda, which was ultimately denied '
                'by the courts due to insufficient evidence of a derivative or '
                'vicarious liability relationship.',
 'impact': {'customer_complaints': ["Class-action lawsuit filed by Zoll's "
                                    'affected customers'],
            'data_compromised': ['Protected Health Information (PHI) of Zoll '
                                 "Services' patients"],
            'legal_liabilities': ['Zoll settled with customers; Axis Insurance '
                                  '(as Zoll’s assignee and Fusion’s subrogee) '
                                  'filed tort and contract claims against '
                                  'Barracuda, which were dismissed on summary '
                                  'judgment'],
            'systems_affected': ["Barracuda Networks' email archiving "
                                 'services']},
 'initial_access_broker': {'high_value_targets': ["Zoll Services' PHI"]},
 'investigation_status': 'Resolved (Court affirmed summary judgment in favor '
                         'of Barracuda)',
 'post_incident_analysis': {'root_causes': ['Failure of Fusion to include '
                                            'required limitation of liability '
                                            'and indemnification clauses in '
                                            'its contract with Zoll (as '
                                            'mandated by the OEM agreement '
                                            'with Barracuda)',
                                            'Lack of evidence that Fusion '
                                            'ensured Barracuda’s compliance '
                                            'with the HIPAA Business Associate '
                                            'Agreement (BAA)',
                                            'Barracuda’s email archiving '
                                            'services exposed PHI to '
                                            'unauthorized third parties']},
 'references': [{'date_accessed': '2025-11-20',
                 'source': 'Axis Insurance Company v. Barracuda Networks, '
                           'Inc., et al. (1st Circuit, 2025)'}],
 'regulatory_compliance': {'legal_actions': ['Class-action lawsuit against '
                                             'Zoll by affected customers '
                                             '(settled)',
                                             'Axis Insurance (as Zoll’s '
                                             'assignee and Fusion’s subrogee) '
                                             'filed tort and contract claims '
                                             'against Barracuda (dismissed on '
                                             'summary judgment)'],
                           'regulations_violated': ['Health Insurance '
                                                    'Portability and '
                                                    'Accountability Act '
                                                    '(HIPAA)']},
 'title': "Barracuda Networks Data Breach (2018) Exposing Zoll Services' "
          'Protected Health Information (PHI)',
 'type': 'Data Breach'}