ASPEN Am. Ins. Co. v. Blackbaud, Inc.

Decision Date30 August 2022
Docket Number3:22-CV-44 JD
PartiesASPEN AMERICAN INSURANCE COMPANY, et al., Plaintiffs, v. BLACKBAUD, INC., Defendant.
CourtU.S. District Court — Northern District of Indiana


Now before the Court are three motions. Aspen American Insurance Company and Trinity Health Corporation (collectively, the Plaintiffs) have filed a motion to remand this case to the St. Joseph Superior Court. (DE 22; DE 25.) Blackbaud, Inc., the defendant, has filed a motion to dismiss the Complaint for failure to state a claim on which relief can be granted. (DE 9.) Plaintiffs have also filed a cross motion in which they seek to amend their Complaint if the Court decides to grant Blackbaud's motion to dismiss. (DE 43.) For the reasons explained below, the Court will deny the motion to remand, but grant the remaining two motions.

A. Factual Background

Trinity Health Corporation (“Trinity Health”) is an Indiana not-for-profit corporation with a multi-facility health system that serves multiple counties across northern Indiana. (DE 6 ¶ 3.) As a multi-facility health system, Trinity Health possesses records containing highly sensitive information, including personal information from donors and patients. (Id. ¶¶ 2, 4, 5, 6) Among the data contained in these records is Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”).[1] (Id. ¶ 5.) PII includes information that can be used to distinguish or trace an individual's identity, while PHI includes individually identifiable health information relating to the provision of health care. (Id. ¶¶ 6, 43.) On June 17, 2015, Trinity Health executed two contracts with Blackbaud, Inc., (Blackbaud) to help consolidate its existing databases into one system of records and protect this sensitive data. (Id. ¶¶ 2, 4, 34.)

The first agreement was a Master Application Services Provider Agreement (“MSA”). (Id. ¶ 28.) Under the MSA, Blackbaud agreed to maintain servers holding Trinity Health's donor and patient data, including PII and PHI. (DE ¶¶ 2, 5, 30.) The MSA specifies, in relevant part, that the data must be kept by Blackbaud “in strictest confidence using the same or greater degree of care it uses with its own most sensitive information (but in no event less than a reasonable degree of care) and also requires Blackbaud to “effect a comprehensive information security program that includes reasonable and appropriate technical, administrative, and physical security measures aimed at protecting such information from unauthorized access, disclosure, use, alteration or destruction, and that reflects industry-leading practices.” (Id. ¶ 30.)

The second agreement that Trinity Health and Blackbaud entered on June 17, 2015, was a Business Associate Agreement (“BAA”). (Id. ¶ 34.) Under the BAA, Blackbaud agreed to comply with its obligations as a “business associate” under HIPAA, HITECH, and any implementing regulations. (Id. ¶ 36.) Blackbaud also agreed to implement reasonable administrative, physical, technical, and electronic safeguards to protect the confidentiality, integrity, and availability of all PHI. (Id. ¶¶ 37, 38.) If there was a security breach or suspected breach, then Blackbaud was required to report this to Trinity Health within ten business days. (Id. ¶ 39.)

On February 7, 2020, a third party hacked into Blackbaud's systems and deployed ransomware. (Id. ¶ 9.) These cybercriminals were able to gain access to the Private Information that Trinity Health had stored with Blackbaud. (Id. ¶ 12.) The cybercriminals copied data from Blackbaud's systems and held this copied data for ransom. (Id. ¶ 81.) However, the cybercriminals were unable to block Blackbaud from accessing its own systems. (Id. ¶¶ 81, 82.) Even though Blackbaud discovered that the ransomware attack occurred on May 14, 2020, it did not notify Trinity Health of the Incident until July 16, 2020. (Id. ¶¶ 11, 13.) After learning about the incident, Trinity Health notified affected patients and donors of the breach, set up credit monitoring for such individuals, and also established an information call center. (Id. ¶14.)

Plaintiffs allege that this security breach occurred as a result of Blackbaud failing to reasonably safeguard Trinity Health's database of Private Information. (Id. ¶¶ 80, 90.) According to Plaintiffs, even though Blackbaud represented itself as a “world leading software company,” and promised to implement reasonable security measures in the MSA, its security program was actually “woefully inadequate[.] (Id. ¶¶ 2, 10.) The system Blackbaud used was purportedly “obsolete,” ran “multiple applications,” and was based on a “patch schedule” which multiple employees at Blackbaud warned their supervisors about. (Id. ¶¶ 62-69.) Plaintiffs claim that “had Blackbaud maintained a sufficient security program, including properly monitoring its network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether.” (Id. ¶¶ 10, 16.)

After the breach, Trinity Health incurred various expenses, which included credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services (the “Remediation Damages”). (Id. ¶ 92.) Trinity Health was insured by Aspen American Insurance Company (Aspen).[2] (Id. ¶ 91.) Pursuant to the insurance policy, Aspen agreed to “pay, on behalf of the Insured, Expense incurred in connection with a Privacy and Network Security Incident ....” (Exhibit B, DE 6, at 1.) “Expense” under the policy included “Data Forensics, Public Relations, Notification, Fraud Monitoring and Resolution Services, Call Center Services, and Incident Response Consultation.” (Id. at 2.) There was also a subrogation clause allowing Aspen the right to step into the shoes of Trinity Health as a subrogee and recover against a third party. (Id. ¶ 94.) Plaintiffs allege that, in accordance with the policy, Aspen made payments on behalf of Trinity Health for the Remediation Damages. (DE 6 ¶ 15.)

On December 15, 2021, the Plaintiffs filed the instant case against Blackbaud in Indiana state court, bringing six claims for relief:

Count I: Breach of Contract
Count II: Negligence
Count III: Gross Negligence
Count IV: Negligent Misrepresentation
Count V: Fraudulent Misrepresentation
Count VI: Breach of Fiduciary Duty

(DE 6.) Blackbaud then removed the case from state court, invoking the Court's diversity jurisdiction. (DE 1; DE 8.) On February 11, 2022, Blackbaud filed a motion to dismiss Plaintiffs' Complaint in its entirety for failure to state a claim upon which relief could be granted. (DE 9.) Plaintiffs filed a response to this motion (DE 42), and Blackbaud filed its reply (DE 46.).

Accordingly, this motion is now ripe for review. Also ripe for review are Plaintiffs' motion to remand and cross motions to amend their Complaint, which have been fully briefed.[3] (DE 22; DE 42; and DE 43.)

B. Standard of Review

In reviewing a motion to dismiss for failure to state a claim upon which relief can be granted under Federal Rule of Civil Procedure 12(b)(6), the Court construes the complaint in the light most favorable to the plaintiff, accepts the well-pleaded factual allegations as true, and draws all reasonable inferences in the plaintiff's favor. Calderon-Ramirez v. McCament, 877 F.3d 272, 275 (7th Cir. 2017). A complaint must contain only a “short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). That statement must contain sufficient factual matter, accepted as true, to state a claim for relief that is plausible on its face, Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009), and raise a right to relief above the speculative level. BellAtl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). However, a plaintiff's claim need only be plausible, not probable. Indep. Trust Corp. v. Stewart Info. Servs. Corp., 665 F.3d 930, 935 (7th Cir. 2012). Evaluating whether a plaintiff's claim is sufficiently plausible to survive a motion to dismiss is ‘a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.' McCauley v. City of Chicago, 671 F.3d 611, 616 (7th Cir. 2011) (quoting Iqbal, 556 U.S. at 678).

C. Discussion

The motion to remand is based on a forum selection clause in the MSA. (DE 23 at 2.) The Court will first consider this motion to remand, prior to addressing the motion to dismiss. Holmes v. F.D.I.C., No. 11-CV-211, 2011 WL 1498824, at *1 (E.D. Wis. Apr. 19, 2011) (noting that courts have a “great deal of discretion to decide the order in which they will dispose of multiple motions” and deciding to rule on a motion to remand prior to a motion to dismiss).

(1) Motion to Remand

The parties do not dispute that this is an action with complete diversity of citizenship between the parties and an amount in controversy in excess of $75,000, and is thus within this Court's original subject matter jurisdiction. 28 U.S.C. § 1332(a). Further, there is no dispute that Blackbaud's notice of removal was timely filed. 28 U.S.C. § 1446. Rather, Plaintiffs argue that the case must be remanded to the St. Joseph Circuit Court pursuant to a forum selection clause in the MSA. (DE 23 at 2.) According to Plaintiffs, the forum selection clause included in the MSA provided Trinity Health the “contractual right to prosecute these claims against Blackbaud in the St. Joseph Circuit Court.” (Id. at 3.) By removing the case to federal court, Plaintiffs claim that Blackbaud breached the forum selection clause, warranting remand.

Enforcing a forum selection clause in a contract is a permissible basis for remand. Roberts & Schaefer Co. v. Merit Contracting, Inc., 99 F.3d 248, 252 (7th Cir. 1996). While...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT