In Aspen Am. Ins. Co. v. Blackbaud, Inc., the plaintiff health system filed suit alleging claims of negligence, negligent misrepresentation, breach of fiduciary duty, and breach of contract against the defendant service provider/business associate after the health system’s confidential data, including PHI, maintained on the defendant’s obsolete server was accessed by a “bad actor.”
The parties had previously entered into a business associate agreement under which the defendant agreed to comply with HIPAA/HITECH and to adopt many of the required safeguards to protect PHI. The plaintiff health system alleged, however, that the defendant failed to meet its obligations under the business associate agreement both before and after the defendant became aware of a data breach against its server. Specifically, the plaintiff alleged that the defendant knew the server was vulnerable to attack, that the defendant lacked the data needed to provide individualized notices to affected individuals, and that the defendant did not assist the health system in furnishing those individualized notifications.
In response to the service provider’s motion to dismiss, the district court dismissed many of the health system’s claims but allowed its breach of contract claim to proceed. The district court found that the health system adequately alleged that the data breach caused it to incur various damages in identifying and notifying the individuals affected by the breach and in providing remediation services to them.