June 9, 2023
In a recent ruling, Chief Judge Jon DeGuilio cleared Blackbaud of any legal obligation to safeguard confidential data following a data breach on Trinity Health. This comes after Trinity Health and its insurer, Aspen American Insurance Company (AAIC), filed a lawsuit against the software company after a ransomware attack that affected around 3,289,937 patients.
Table of Contents
Trinity Health and Aspen American Insurance Company Files Lawsuit Against Blackbaud
Trinity Health contracted Blackbaud, a cloud computing provider, to consolidate its databases and protect sensitive information. According to the case file on Buckley, the two entities entered into two agreements in 2015. The first agreement, the Master Application Services Provider Agreement (MSA), outlined Blackbaud’s responsibility to maintain Trinity Health’s data securely. The second agreement, the Business Associate Agreement (BAA), required Blackbaud to comply with the Health Insurance Portability and Accountability Act (HIPAA) and implement safeguards to protect personally identifiable information (PII) and protected health information (PHI) of donors and patients.
In February 2020, Blackbaud’s systems were hacked by a third party who gained unauthorized access to Trinity Health’s private information. The breach involved deploying ransomware and copying sensitive data, which the hackers held for ransom. Blackbaud detected the attack in May 2020 but only notified Trinity Health in July 2020.
In a press release, Trinity Health claimed it took immediate action after being informed of the ransomware attack on Blackbaud. The not-for-profit healthcare organization conducted its own investigation, informed potentially impacted donors and patients through the mail, and notified the concerned federal and state agencies. They also continued to work with Blackbaud to implement further security measures.
Previous Ruling on the Trinity vs Blackbaud Lawsuit
Trinity Health and AAIC filed a lawsuit against Blackbaud seeking to recover losses resulting from the data breach. The plaintiffs sought damages for remediation expenses, including legal and computer experts, notice provision, call center operations, and credit monitoring. Initially, the district court dismissed their complaint due to a lack of alleged causation.
District Court Judge Allows Lawsuit to Proceed
As seen on Casetext, Trinity Health and AAIC subsequently filed an amended complaint for Blackbaud’s alleged breach of HIPAA BAA and MSA. Blackbaud responded to the complaint with a motion to dismiss.
In his May 31, 2023 ruling, Judge DeGuilio allowed the lawsuit to proceed. He determined that the amended complaint provided a sufficient basis for claims regarding expenses incurred due to Blackbaud’s alleged breach of MSA and HIPAA BAA contractual obligations.
Absence of Common Law Duty Lets Blackbaud off the Hook
However, Judge DeGuilio granted the software company’s motion to dismiss other claims, including negligence, gross negligence, negligent misrepresentation, and breach of fiduciary duty. Blackbaud argued that the negligent misrepresentation claim could not be pursued because of the economic loss rule. They also claimed that the breach of fiduciary duty claim lacks sufficient evidence to support the existence of fucidiary duty, thus warranting dismissal.
On the negligence and gross negligence claims, Blackbaud argued that there is no common law duty to safeguard the public from data exposure risks. They contended that negligence and gross negligence claims should be dismissed because there is no common law duty to protect the public from the risk of data exposure. They argued that the plaintiffs’ claims extended beyond the boundaries of existing legal obligations and attempted to impose a duty not recognized under Indiana law. They asserted that the scope of their obligations should be confined to the terms outlined in the contractual agreements with Trinity Health, namely the MSA and BAA.
In support of their argument, the court found that no Indiana case law directly addresses a common law duty to safeguard private information. Other courts considering the same issue found that Indiana’s Data Breach Notification statute and similar statutes indicate no common law duty to compensate the public for data exposure.
Implications and impact
This ruling underscores the importance of legislative developments and legal frameworks in defining the responsibilities of organizations in safeguarding sensitive information. Without adequate laws protecting the public from data breaches, confidential information will be at risk from privacy attacks. Moreover, The HIPAA Journal points out that the ruling limits the awarded compensation for Trinity Health. While Trinity Health’s lawsuit can proceed, the dismissal of negligence and gross negligence claims significantly limits the potential damages that could be awarded. The damages will be restricted to the economic losses suffered by Trinity Health and AAIC.
The Need for Effective State Laws to Prevent Data Breaches
The recent ruling by Judge DeGuilio has allowed Trinity Health’s lawsuit against Blackbaud to push through, focusing on claims related to contractual obligations under the MSA and BAA. However, this case underscores the need for legislative developments regarding data breach prevention. The outcome of the lawsuit will ultimately determine the extent of the economic damages that Trinity Health and AAIC may be entitled to receive.
