
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Blackbaud Had No Common Law Duty to Ensure the Confidentiality of Trinity Health’s Data

A district court judge in Indiana has ruled in favor of the plaintiff in a lawsuit alleging negligence for failing to prevent a breach of protected health information, ruling that there is no common law duty in Indiana to ensure the confidentiality of data provided to a vendor.

The lawsuit was filed by Trinity Health and its insurer, Aspen American Insurance Company (AAIC), against Blackbaud, a provider of software and support services. In order to perform the contracted duties, Blackbaud was provided with the protected health information of patients and donors. In 2020, Blackbaud was the victim of a ransomware attack that affected more than 13,000 customers. Trinity Health was one of the worst affected customers and had more than 3.2 million records stolen in the attack.

There has been a long-running legal battle to recover losses incurred due to the data breach. The same district court previously dismissed Trinity Health/AAIC’s complaint against Blackbaud due to a lack of alleged causation for each of their claims. Trinity Health and AAIC filed an amended complaint which Blackbaud also sought to have dismissed, but on May 31, 2023, District Court Judge Jon E. DeGuilio of the U.S. District Court for the Northern District of Indiana allowed the lawsuit to proceed.

Trinity Health had entered into a Master Application Services Provider Agreement (MSA) with Blackbaud, which also signed a HIPAA business associate agreement (BAA). In the MSA and BAA, Blackbaud agreed to treat Trinity Health’s data in the strictest confidence, exercise reasonable care with the data, and implement reasonable physical, technical, and administrative safeguards to keep the data private and confidential. However, the issue that needed to be resolved was whether Blackbaud had a common law duty to prevent data breaches under Indiana law.

Judge DeGuilio ruled that the amended Trinity Health/AAIC complaint provided a sufficient basis for the claims that the plaintiffs had incurred expenses due to Blackbaud’s failure to comply with its contractual obligations under the MSA and BAA, and that most of the incurred expenses were compensable. He denied the motion to dismiss on two counts, breach of the MSA and breach of the BAA, but granted the motion to dismiss the remaining claims of negligence, gross negligence, negligent misrepresentation, and breach of fiduciary duty.

Blackbaud argued that the negligence and gross negligence claims do not state a plausible claim, as there is no common law duty to safeguard the public from the risk of data exposure. Blackbaud argued that the negligent misrepresentation claim is barred by the economic loss rule and that the breach of fiduciary duty claim should be dismissed as no fiduciary duty was plausibly alleged.

With regard to the negligence and gross negligence claims, Judge DeGuilio ruled that there are no laws or statutes in Indiana that call for the prevention of data breaches. Even the data breach notification law in Indiana only creates a duty to issue notifications about data breaches when they occur, not prevent them from occurring. While the lawsuit has been allowed to proceed, the tossing of the negligence and gross negligence claims will severely limit the damages that could be awarded, which will be limited to economic damages suffered by Trinity Health and AAIC.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
