Court Allows Breach of Contract Claims Involving Alleged HIPAA Business Associate Agreement Violations to Proceed | Practical Law

A federal district court has allowed litigation involving a covered entity's breach of contract claims involving a business associate agreement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to proceed. The litigation resulted after the covered entity's confidential data, which included protected health information (PHI), maintained on a service provider's obsolete server was impermissibly accessed by a third party.

by Practical Law Employee Benefits & Executive Compensation
Published on 05 Jun 2023 | USA (National/Federal)
A federal district court has permitted a state-law breach of contract claim brought by a multistate health system of providers and facilities, a HIPAA covered entity (CE), to proceed against its service provider, a HIPAA business associate (BA) (Aspen Am. Ins. Co. v. Blackbaud, Inc., (N.D. Ind. May 31, 2023)). The litigation arose after the health system's confidential data, which included protected health information (PHI), was impermissibly accessed by a third party on an obsolete server belonging to the service provider. The CE later provided HIPAA breach notifications and undertook remediation efforts that included credit monitoring for affected individuals (see Practice Note, HIPAA Breach Notification Rules and HIPAA Privacy, Security, and Breach Notification Toolkit).

Data Breach of Information Maintained on Obsolete Server

In 2015, the plaintiff/health system in this case entered into a contractual relationship with the defendant/service provider, which had represented itself as a leading software company capable of securing its clients' sensitive health information and providing "robust" cybersecurity services. The parties entered into two agreements that gave the service provider access to the health system's confidential patient information. Under the first agreement, the service provider agreed to protect this information from unauthorized access or disclosure consistent with federal law and reflecting industry-leading practices. Under the second agreement, a HIPAA BA agreement (BAA), the service provider agreed to:
In February 2020, a third party "bad actor" impermissibly accessed the health system's PHI and other confidential information from a server belonging to the service provider that was, according to the health system, obsolete. The third party was able to copy data from the server. The service provider allegedly failed to upgrade its server despite warnings from analysts that the server was vulnerable to attack.
The service provider learned of the attack three months later. Two months after that, the service provider informed the health system of the incident, but stated that it lacked the data to provide individualized breach notifications to affected individuals. Despite the HIPAA BAA, the service provider also declined to help furnish these individual notifications (see Practice Note, HIPAA Breach Notification Rules). According to the health system, the service provider also may have misrepresented the extent to which the health system's PHI was accessed in the attack. A third-party cybersecurity specialist hired by the health system determined that information belonging to more than 3.2 million individuals was compromised. In response, the health system:
  • Furnished HIPAA breach notifications to affected individuals by first-class mail, notice to statewide media, and substitute notice on its website.
  • Offered affected individuals credit monitoring to reduce the effects of the PHI disclosures.
The health system later sued the service provider for state-law claims that included negligence, negligent misrepresentation, breach of fiduciary duty, and breach of contract (regarding both agreements). The service provider moved to dismiss the claims.

District Court Analyzes Three Types of Damages Under Breach of Contract Claim

Although the district court dismissed several of the health system's claims, it allowed the breach of contract claims to proceed. The court rejected the service provider's three arguments for dismissing the contract claims: that the health system failed to plead causation, that it alleged no compensable damages, and that the governing agreements contractually barred the damages it sought.

Health System Adequately Alleged Causation Regarding Remediation Damages

The court found that the health system's complaint (as amended) adequately alleged how the service provider's breaches caused the health system's remediation damages. Although the health system's original complaint lacked the detail to properly plead causation, its amended complaint adequately tied the health system's remediation damages to the service provider's conduct. The court grouped the health system's asserted damages into three general categories.
The first category was identification damages: the costs the health system incurred in identifying affected individuals so that it could comply with federal and state laws, which it attributed to the service provider's misrepresentations and breaches. For example, the court observed, HIPAA's breach notification requirements obligate a CE to notify affected individuals by written notice sent by first-class mail (45 C.F.R. § 164.404(d)(1)). Here, the health system alleged that the service provider:
  • Failed to furnish it specific information to assist in providing individual notifications.
  • Misrepresented the extent to which the health system was exposed to the breach.
The court concluded that the health system adequately pled causation as to the identification damages. The court reasoned that it was foreseeable to the parties in negotiating their agreements that if an impermissible disclosure of PHI occurred, the service provider's failure to exercise reasonable care in providing the health system the identities of affected individuals would cause the health system to expend funds to conduct its own investigation.
Second, the court determined that causation was adequately pled regarding notification damages. Here, the health system asserted that the service provider failed to take appropriate measures to protect the health system's PHI from unauthorized access. Given this obligation, the court observed, it was foreseeable that if the service provider breached its duty to secure the PHI, a data breach could result. In turn, this would trigger the health system's duty to notify—which would force the health system to spend funds to draft, print, and mail letters to affected individuals (see Standard Document, HIPAA Breach Notification Letter to Plan Participants and Other Individuals).
Third, regarding mitigation damages, the health system alleged that it had been required to consider its duty (under HIPAA's Privacy Rule) to mitigate the harmful effects of impermissible PHI disclosures (45 C.F.R. § 164.530(f); see Practice Note, HIPAA Privacy Rule). These mitigation damages included post-breach costs of:
  • Maintaining a call center to respond to patient and donor inquiries.
  • Providing credit monitoring for affected individuals.
According to the court, the health system's allegations adequately explained why the service provider's alleged breach caused the health system to incur these expenditures. Given the Privacy Rule's mitigation standards, the court reasoned, it was foreseeable that if the service provider failed to secure the health system's PHI, a data leak could occur that would trigger the health system's duty to mitigate (using measures such as credit monitoring). Moreover, the court observed, the BAA expressly referenced the health system's duty to mitigate and the service provider's obligation to cooperate in these efforts—which the service provider must have known upon entering into the agreement.

Other Compensable Damages; Consequential Damages

The court also rejected the service provider's argument that the health system's claims for remediation damages were not compensable. Applying Indiana state law, the court concluded that credit monitoring, call centers, and data-recovery damages were compensable—but not attorney's fees or goodwill.
The court also rejected the service provider's request to dismiss the health system's claims for consequential damages (that is, damages that do not flow directly from a breach, but only from results of the breach). Although a provision in the governing agreements expressly barred most consequential damages, the court concluded that determining whether alleged damages were direct or consequential would require analysis of BAA provisions that had not yet been addressed at this stage of the litigation. For example, if the service provider's concealment of information about the data leak was a breach of its obligation to report the identity of affected individuals, then the health system's remediation damages in determining those identities might be direct damages rather than consequential damages.

Practical Impact

Although HIPAA noncompliance routinely results in highly publicized settlement agreements with HHS, this case underscores the potential litigation exposure of failing to satisfy HIPAA's privacy, security, and breach notification requirements. As in the administrative enforcement context, a litigated dispute can place a spotlight on a party's business practices and ability to carry out its contractual obligations under a HIPAA BAA (including, as in this case, HIPAA breach notification requirements resulting from a data breach).
In a related HIPAA development, earlier this week HHS announced a settlement agreement with a health provider that has paid $30,000 to resolve a complaint that it improperly disclosed patient PHI in response to negative online reviews. Improper social media disclosures have been a trouble spot in recent years for CEs, who should avoid sharing individuals' PHI online (see Practice Note, HIPAA Enforcement: Settlement Agreements: Improper Disclosures to the Press and on Social Media or the Internet).