May 19, 2025

Trust Under Fire: 7 Key Lessons MSPs Must Learn from a Recent Arrest and Lawsuit

Mike Semel offers insights on why it's critical to be a trustworthy MSP, drawing on recent events that threatened client security.

Are you trustworthy? It’s a fair question, not an insult. Recent headlines are raising doubts about the trustworthiness of IT service providers. First, a managed security service provider (MSSP) owner was arrested for allegedly installing malware in a hospital computer. Then, a client sued its MSP after a ransomware attack compromised protected health information.

Here’s what happened — and what you must learn to protect your business.

MSSP Owner Arrested for Malware Installation

In Edmond, OK, law enforcement authorities arrested Jeffrey Bowie on April 14, 2025. According to KOCO TV News, the owner of cybersecurity firm Veritaco was caught on hospital security cameras wandering St. Anthony Hospital, attempting to access multiple offices. He eventually found two unattended computers — one reserved for employees, the report said.

Authorities said Bowie allegedly installed malware designed to take screenshots every 20 minutes and send them to an external IP address, per the news report. When confronted by a hospital employee, he falsely claimed he needed the computer because a family member was undergoing surgery.

Bowie faces two felony charges under the Oklahoma Computer Crimes Act, each carrying up to 10 years in prison and/or a $100,000 fine. Veritaco’s website is now offline.

Fortunately, the hospital stated that no patient data was accessed.

MSP Sued over Ransomware Breach

MSP Ntirety was sued by client Molecular Testing Labs (MTL) after a ransomware attack allegedly compromised MTL’s sensitive health data at Ntirety’s data center in Austin, TX.

MTL, a HIPAA Covered Entity in Vancouver, WA, claimed Ntirety as its Business Associate failed to comply with HIPAA Security Rule requirements. The two entities had a signed 2018 HIPAA Business Associate Agreement (BAA) that required Ntirety to:

  • Safeguard MTL’s data
  • Comply with the HIPAA Security Rule
  • Indemnify MTL against liability
  • Fully cover costs associated with any data breach of its systems without any financial limits

Contractual Obligations to Watch

The indemnification and unlimited financial coverage terms are not required in a BAA. However, MTL added them and Ntirety agreed to them.

Even if MTL had not asked Ntirety to sign a BAA, Ntirety’s services qualified it as a Business Associate, requiring implementation of the HIPAA Security Rule. Note: If your client fails to have you sign a BAA, you still must comply.

Even if Ntirety had MTL sign a master services agreement (MSA) that limited Ntirety’s financial liability, the MSA and the BAA would then contain conflicting financial liability terms. A judge could determine that the MSA is superseded by the unlimited financial liability in the HIPAA Business Associate Agreement, because a BAA is required by federal regulation while the MSA is voluntary.

All MSPs supporting clients subject to HIPAA are required to implement the HIPAA Security Rule and can be held directly liable for incidents. Even in the absence of a signed HIPAA Business Associate Agreement, you are required to comply because the services MSPs provide to HIPAA Covered Entities qualify them as a Business Associate.

Massive Financial Exposure

When MTL received a ransomware demand in March 2025, it began a forensic investigation and contacted Ntirety for assistance. MTL claims Ntirety delayed its response and even attempted to charge for assistance.

The lawsuit seeks unlimited financial damages including, but not limited to:

  • Forensic investigation costs
  • Data breach notification compliance expenses
  • Credit monitoring services
  • Legal fees
  • Business interruption losses
  • Reputational harm
  • Future harm stemming from the breach

Given that MTL’s website says it processes “hundreds of thousands” of tests monthly, Ntirety’s financial exposure could be massive.

This isn’t the first time an MSP has been sued by a client. And likely won’t be the last. So, it’s important for MSPs to be ready.

Key Lessons for MSPs

These types of incidents can damage the reputation of all MSPs — even the 99.99% who act with integrity. You must assume prospects and clients are questioning your trustworthiness. Here are some tips to protect yourself:

1. Proactively Build Trust

Require all employees to annually sign a Code of Professional Conduct committing to client confidentiality, legal compliance, and zero tolerance for malicious acts.

Include the Code of Professional Conduct with your company logo and your signature in all client-facing proposals and agreements.

Train employees on the criminal consequences of system sabotage. A former Las Vegas MSP employee thought he was just retaliating against the MSP that fired him when he compromised client computers — until the moment handcuffs clicked around his wrists.

2. Strengthen Security and Documentation

Use tools such as RMM and PAM solutions that log every time one of your employees accesses a client system, with each access attributable to a named individual. Regulations require this, yet we often see MSPs violate it because managing individual logins and access logs across a group of clients is inconvenient.

Provide clear, auditable reports showing services delivered and compliance maintained.

3. Validate Your MSP’s Trustworthiness

Get employees certified. Undergo independent cybersecurity assessments (e.g., GTIA Cybersecurity Trustmark) and compliance assessments by a compliance assessor with multiple certifications.

Perform annual criminal and financial background checks on technicians and leadership.

4. Clarify Client and MSP Responsibilities

You may think you are fully responsible for your clients’ cybersecurity, but that is true only for the systems you manage, like the local network, email, and backups. Your client is fully responsible for the cybersecurity of cloud services that you don’t manage and operational technology you don’t secure. That can include computer-controlled manufacturing machines and medical devices, connected test and lab equipment, and other connected systems such as door locks, video surveillance, alarms, etc.

Always use detailed contracts that limit your financial liability and a Shared Responsibility Matrix outlining client and provider obligations.

Ensure that incident response plans align with insurance and legal requirements. Never act impulsively after a breach. Contain it by shutting down systems, then wait for your client to share legal and insurance guidance.

5. Use Careful Language

Remember: All emails, tickets, voicemails, and other communications may be subpoenaed after an incident.

Train your team to be very careful about what they say, send, and document because their words may come back to haunt you in a deposition or in front of a jury.

Avoid calling an incident a “breach” prematurely; “breach” has specific legal implications.

6. Involve Legal Counsel Familiar with MSP Operations

Not all lawyers understand the MSP business. Find one who “speaks MSP” and understands how to handle incidents. Your attorney should be experienced in the services you deliver, how cybersecurity responsibility is shared with your clients and vendors, and incident management.

Your attorney should write or review your existing MSA to ensure it adequately protects you against risks, limits your exposure to systems you manage, and limits your financial liability.

The Ntirety lawsuit is a good example of contracts that people sign and file away until something bad happens. Pay your attorney to review contracts you are asked to sign to identify risky requirements buried in legal language you may not understand.

An attorney who wrote Ntirety’s MSA and then read the MTL BAA likely would have identified the conflicting financial obligations. Paying an attorney thousands of dollars seems like a hefty investment, but it pales in comparison to millions of dollars in legal fees and potential liability.

Resist the temptation and the pressure of an incident to run in and immediately start restoring systems, which could contaminate or erase evidence required for a civil or criminal investigation.

Prepare to have your best client become your biggest adversary. When a client is attacked, talk to your attorney to ask what you should/should not do or say. Your client’s attorney may tell your client — even a long-term client you know very well — that you are responsible for the incident and that they should sue you.

7. Prepare for Scrutiny

Assume that every compromised system will be forensically analyzed and that your services will be scrutinized as part of an investigation.

Maintain thorough, defensible documentation and incident procedures.

The Bottom Line

The overwhelming majority of MSPs operate ethically. However, the very few who aren’t ethical tarnish our industry’s reputation through alarming headlines. MSPs can’t avoid the “Are you trustworthy?” question, even if it’s just in your prospect’s head. You must actively and consistently answer it with your actions, policies, and professionalism.

Stay ahead of the doubts. Answer the trust question before someone asks you.


Mike Semel, the Complianceologist, is the owner of cybersecurity compliance consulting firm Semel Consulting. He is a former MSP and CIO for a hospital and a K-12 school district. He has created a set of training and service delivery toolboxes to help MSPs deliver compliant services without having to learn regulations, add compliance as a service, and help defense contractors implement CMMC compliance.

Images: iStock
