Aspen Am. Ins. Co. v. Blackbaud, Inc.

Docket Number: 3:22-CV-44 JD
Decision Date: 31 May 2023
Parties: ASPEN AMERICAN INSURANCE COMPANY, et al., Plaintiffs, v. BLACKBAUD, INC., Defendant.
Court: U.S. District Court — Northern District of Indiana
OPINION AND ORDER

JON E. DEGUILIO, CHIEF JUDGE, UNITED STATES DISTRICT COURT.

This Court previously dismissed Plaintiffs Aspen American Insurance Company and Trinity Health Corporation's complaint without prejudice, finding that they failed to adequately allege causation for each of their claims. (DE 49.) The Plaintiffs then filed an amended complaint. Defendant Blackbaud, Inc., has now moved to dismiss that amended complaint. (DE 56.) The Court GRANTS the motion to dismiss in part, as to the claims of negligence, gross negligence, negligent misrepresentation, and breach of fiduciary duty. However, the Court DENIES the motion as to the contract claims.

A. Factual Background

In reciting the facts, the Court accepts as true the well-pleaded factual allegations in the amended complaint and makes all reasonable inferences in favor of the non-moving parties, here the Plaintiffs Aspen American Insurance Company (“Aspen”) and Trinity Health Corporation (“Trinity Health”) (collectively, the “Plaintiffs”).

Trinity Health operates a multi-facility health system in northern Indiana and twenty-two other states. (DE 50 ¶ 3.) As a health system, Trinity Health possesses sensitive data of patients and donors, including protected health information (“PHI”) and names, addresses, and other personally identifiable information (“PII”).[1] (Id. ¶ 5.) Sometime prior to June 17, 2015, Trinity Health began meeting with Blackbaud, Inc. (“Blackbaud”), which touts itself as a world-leading software company that non-profits rely on to secure highly sensitive information. (Id. ¶¶ 2, 26.) During these meetings, Blackbaud gave presentations and written materials to Trinity Health in which it made representations indicating that it “provided robust cybersecurity services.” (Id. ¶¶ 26-28.) Trinity Health alleges that it was “based on these representations” that it entered into two agreements with Blackbaud on June 17, 2015. (Id. ¶¶ 7-8, 29.)

The first agreement was a Master Application Services Provider Agreement (“MSA”). In the MSA, Blackbaud represented that it had the “skills, expertise, and resources to” supply application services (including software and support services) and professional services, “in a timely, professional, and workmanlike manner” and “in accordance with industry standards with respect to level of skill, care, and diligence ....” (DE 50-1 §§ 1, 5.1.) The MSA requires Blackbaud to keep Confidential Data “in strictest confidence using the same or greater degree of care it uses with its own most sensitive information (but in no event less than a reasonable degree of care)” and to “effect a comprehensive information security program that includes reasonable and appropriate technical, administrative, and physical security measures aimed at protecting such information from unauthorized access, disclosure, use, alteration or destruction, and that reflects industry-leading practices ....” (Id. §§ 7.1, 7.5.) The agreement also specified that Blackbaud had to comply with federal, state, and local laws, had to take measures to promptly remedy any violations of applicable law and of its obligations under the MSA, and had to notify Trinity Health promptly of any violations of its obligations. (Id. § 8.1.)

The second agreement that Trinity Health and Blackbaud entered into was a Business Associate Agreement (“BAA”). (DE 50 ¶ 39.) Under the BAA, Blackbaud agreed to comply with the “obligations of a business associate under HIPAA, HITECH and any implementing regulations ....” (DE 50-3 § B.) Blackbaud also agreed to “implement reasonable administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of all PHI.” (Id. § G.1.) If there was an actual or suspected privacy incident or breach of security, then Blackbaud had to notify Trinity Health within ten business days. (Id. § G.2.) The content of such a report had to include, “to the extent reasonably possible, the identification of each individual whose PHI or ePHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, or disclosed in connection with an actual or suspected breach of privacy, security, or HITECH.” (Id. § G.3.) The BAA also required Blackbaud to “cooperate to the extent practical with [Trinity Health] in mitigating . . . any harmful effect that is known to [the] Business Associate of a use or disclosure of PHI . . .” (Id. § G.4.)

According to the Plaintiffs, Blackbaud maintained Trinity Health's Confidential Data on an obsolete server. (DE 50 ¶ 71.) Various analysts and team members warned Blackbaud that the system was vulnerable (Id. ¶¶ 79-81), and Blackbaud had plans to eventually update and upgrade these older servers. (Id. ¶ 77.) Before Blackbaud had a chance to implement these plans, on February 7, 2020, a third-party bad actor bypassed Blackbaud's security and penetrated Blackbaud's systems. (Id. ¶¶ 35, 82.) This actor then “copied” data, but ultimately failed to block Blackbaud from accessing its own systems. (Id. ¶ 93.)

Blackbaud did not discover that its systems had been compromised until May 14, 2020. (Id. ¶ 83.) That day, Blackbaud retained Kudelski Security to investigate the “unauthorized activity” on its systems. (Id. ¶ 96.) Kudelski Security issued a report on July 14, 2020, regarding the incident. (Id. ¶ 97.) Two days later, Blackbaud contacted Trinity Health to inform it about the incident. (Id. ¶ 97.)

After being informed of the incident, Trinity Health met with Blackbaud multiple times, requested a copy of the Trinity Health data involved in the incident, and was delivered a copy of the Trinity Health data in early August. (Id. ¶ 110.) In the meetings, Blackbaud “reported that their analysis did not include specific detail related to the level of compromise that would be needed to facilitate individual notifications.” (DE 50 ¶ 109.) Blackbaud also “declined to participate or assist with individual notifications.” (Id.) Trinity Health determined that PHI was included in the impacted information. Based on applicable regulations under HIPAA and a guidance document issued by HHS entitled “FACT SHEET: Ransomware and HIPAA,” Trinity Health determined that it had to report the breach to impacted individuals. (Id. ¶¶ 114, 119.)

In order to report the breach, Trinity Health hired Kroll, a company specializing in cybersecurity and breach notifications. Kroll determined that the data accessed during the incident contained unencrypted information of approximately 3,289,937 patients. (Id. ¶ 120.) Trinity Health then notified these patients using first-class mail, notices to statewide media, and substitute notice on its website. (Id. ¶ 122.) Trinity Health also began to offer credit monitoring to mitigate the harmful effect of the disclosure of the PHI, in line with its belief that it had a duty to do so under the applicable regulations and under certain state laws. (Id. ¶¶ 136-137.)

On December 15, 2021, Plaintiffs filed a complaint against Blackbaud. (DE 6.) Blackbaud then moved to dismiss the complaint for failure to state a claim (DE 9), which the Court granted with leave to amend. (DE 49.) On September 28, 2022, Plaintiffs filed an amended complaint against Blackbaud containing six causes of action:

Count I: Negligent Misrepresentation
Count II: Breach of the MSA
Count III: Breach of the BAA
Count IV: Negligence
Count V: Gross Negligence
Count VI: Breach of Fiduciary Duty (with respect to PHI)

(DE 50.) Plaintiffs seek damages for the costs of retaining legal experts, computer experts, providing notice, maintaining a call center for patient and donor inquiries, and providing credit monitoring (collectively, “Remediation Damages”). Blackbaud then filed a motion to dismiss this amended complaint (DE 56), which is now ripe for review.

B. Legal Standard

In reviewing a motion to dismiss for failure to state a claim upon which relief can be granted under Federal Rule of Civil Procedure 12(b)(6), the Court construes the complaint in the light most favorable to the plaintiff, accepts the well-pleaded factual allegations as true, and draws all reasonable inferences in the plaintiff's favor. Calderon-Ramirez v. McCament, 877 F.3d 272, 275 (7th Cir. 2017). A complaint must contain only a “short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). That statement must contain sufficient factual matter, accepted as true, to state a claim for relief that is plausible on its face, Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009), and raise a right to relief above the speculative level. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). However, a plaintiff's claim need only be plausible, not probable. Indep. Trust Corp. v. Stewart Info. Servs. Corp., 665 F.3d 930, 935 (7th Cir. 2012). Evaluating whether a plaintiff's claim is sufficiently plausible to survive a motion to dismiss is “a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” McCauley v. City of Chicago, 671 F.3d 611, 616 (7th Cir. 2011) (quoting Iqbal, 556 U.S. at 678).

C. Discussion

Blackbaud argues that Plaintiffs' amended complaint must be dismissed for several reasons. First, Blackbaud argues that Plaintiffs' negligence and gross negligence claims do not state a plausible claim because there is no common law duty to safeguard the public from the risk of data exposure. Second, Blackbaud argues that Plaintiffs' negligent misrepresentation claim fails because it is barred by the economic loss rule. Third, Blackbaud argues that Plaintiffs' breach of...
