Two Maine companies are pointing fingers at each other over who is to blame for a cybersecurity breach last fall that resulted in the theft of personal information ranging from Social Security numbers to medical data of more than a million people.

BerryDunn, a prominent Portland accounting firm, says one of its vendors, Reliable Networks of Biddeford, got hacked. Reliable Networks says it was hired to manage BerryDunn’s health care data, not secure it, and that it spotted the hack of BerryDunn’s network.

“The investigation found that an unauthorized actor gained limited access to the vendor’s network and took some data,” BerryDunn said on its website.

Reliable fired back on its website: “BerryDunn’s own network and system were breached by a third party, through no fault of Reliable Networks.”

The company blasted BerryDunn for its “baseless allegations” and said it was confident that once forensic analysis was complete, its claims would be found “devoid of any merit whatsoever.”

A spokesperson for BerryDunn said the company was addressing Reliable’s accusations with “the utmost seriousness” and that it is working with outside legal counsel to respond.


“As is common in security incidents like these, claims are made despite a thorough forensics analysis,” the company said. “We always aim to work through issues, even complex and unfortunate ones, in a professional manner.”

Regardless of who is to blame, the companies agree that some combination of individuals’ names, addresses, birthdates, Social Security numbers, health insurance policy numbers, state or governmental ID numbers, passport numbers and medical information was stolen.

The dispute is likely to be hashed out in the U.S. District Court of Maine now that eight customers of BerryDunn came forward this week to accuse the company of negligence, unjust enrichment, and breach of fiduciary duty because of the September data theft.

According to BerryDunn, there is no evidence the stolen information has been misused. The company is offering credit monitoring and identity protection services from a third-party cybersecurity company to impacted individuals at no cost.

“We respect the privacy and security of information within our control, and sincerely apologize for any concern or inconvenience this may cause,” the company says in a message on its website. BerryDunn has 800 employees and is headquartered on outer Congress Street.

The plaintiffs, who hail from as far away as West Virginia and seek a jury trial and damages, say online thieves sometimes wait years to use stolen data. Social Security numbers are valuable because they can be used to fraudulently obtain credit cards, driver’s licenses and unemployment benefits.


Martin Walter, senior director at cybersecurity firm RedSeal, described the high value of this kind of data in a 2015 edition of IT World magazine, “Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x on the black market.”

Some of the plaintiffs note the high value of the medical information stolen.

A 2010 study by credit ratings company Experian found that the average cost of medical identity theft is “about $20,000” per incident and that most victims of medical identity theft were forced to pay out-of-pocket costs for health care they did not receive to restore coverage.

Almost half of medical identity theft victims lost their health care coverage as a result, the plaintiffs noted.

The plaintiffs, who hope to form a class-action lawsuit, complained about the seven-month delay between the discovery of the theft and their notification letters. If they had known about the hack, they say they would have kept a closer watch over their finances during that time.

The hack occurred in September. BerryDunn posted an initial notification of a data breach on its website in November but waited until a hired cybersecurity expert could tell them what data had been stolen, and from whom before it sent out customer notification letters in April.

“As soon as BerryDunn learned of the suspicious activity, it began an investigation,” BerryDunn wrote in a Frequently Asked Questions guide sent to impacted customers. “This process took time to complete due to the size and complexity of the data that had to be reviewed.”

To guard against possible identity theft or fraud, BerryDunn urged impacted individuals to review bank accounts, financial statements and credit reports for suspicious activity. Incidents of suspected identity theft should be reported to law enforcement or the attorney general.

Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.