Blackbaud Had No Common Law Duty to Ensure the Confidentiality of Trinity Health’s Data

A district court judge in Indiana has ruled partly in favor of the plaintiff in a lawsuit alleging negligence for failing to prevent a breach of protected health information, allowing the case to proceed while ruling that there is no common law duty in Indiana to ensure the confidentiality of data provided to a vendor.

The lawsuit was filed by Trinity Health and its insurer, Aspen American Insurance Company (AAIC), against Blackbaud, a provider of software and support services. In order to perform the contracted duties, Blackbaud was provided with the protected health information of patients and donors. In 2020, Blackbaud was the victim of a ransomware attack that affected more than 13,000 customers. Trinity Health was one of the worst affected customers and had more than 3.2 million records stolen in the attack.

There has been a long-running legal battle to recover losses incurred due to the data breach. The same district court previously dismissed Trinity Health/AAIC’s complaint against Blackbaud due to a lack of alleged causation for each of their claims. Trinity Health and AAIC filed an amended complaint which Blackbaud also sought to have dismissed, but on May 31, 2023, District Court Judge Jon E. DeGuilio of the U.S. District Court for the Northern District of Indiana allowed the lawsuit to proceed.

Trinity Health had entered into a Master Application Services Provider Agreement (MSA) with Blackbaud, which also signed a HIPAA business associate agreement (BAA). In the MSA and BAA, Blackbaud agreed to treat Trinity Health’s data in the strictest confidence, exercise reasonable care with the data, and implement reasonable physical, technical, and administrative safeguards to keep the data private and confidential. The issue that needed to be resolved, however, was whether Blackbaud also had a common law duty to prevent data breaches under Indiana law.

Judge DeGuilio ruled that the amended Trinity Health/AAIC complaint provided a sufficient basis for the claims that it had incurred expenses due to Blackbaud’s failure to comply with its contractual obligations under the MSA and BAA, and that most of the incurred expenses were compensable. He therefore denied the motion to dismiss on two counts, breach of the MSA and breach of the BAA, but granted the motion to dismiss the remaining claims of negligence, gross negligence, negligent misrepresentation, and breach of fiduciary duty.

Blackbaud argued that the negligence and gross negligence claims do not state a plausible claim, as there is no common law duty to safeguard the public from the risk of data exposure. Blackbaud also argued that the negligent misrepresentation claim is barred by the economic loss rule, and that the breach of fiduciary duty claim should be dismissed because no fiduciary duty was plausibly alleged.

With regard to the negligence and gross negligence claims, Judge DeGuilio ruled that there are no laws or statutes in Indiana that call for the prevention of data breaches. Even the Indiana data breach notification law only creates a duty to issue notifications when data breaches occur, not a duty to prevent them from occurring. While the lawsuit has been allowed to proceed, the dismissal of the negligence and gross negligence claims will severely limit the damages that could be awarded, which will be limited to the economic damages suffered by Trinity Health and AAIC.

The post Blackbaud Had No Common Law Duty to Ensure the Confidentiality of Trinity Health’s Data appeared first on HIPAA Journal.

HC3 Raises Awareness of Diverse Threat Actors Targeting the HPH Sector

The HHS’ Health Sector Cybersecurity Coordination Center has issued a threat brief to highlight the types of cyber threat actors that target the health and public health sector (HPH), and their differing objectives, tactics, techniques, and procedures.

The HPH sector is a relatively easy target for cybercriminals compared to other industry sectors. It has a complex supply chain involving many different vendors, a large attack surface with many IoT- and IoMT-connected devices that are difficult to secure, and a reliance on outdated software and operating systems that have reached end-of-life, and HPH sector organizations often find it difficult to recruit and retain skilled cybersecurity staff.

HPH sector organizations also store large quantities of data that can be easily monetized and used for a range of nefarious purposes such as identity theft, blackmail, and insurance fraud. Since the sector is highly regulated, there are often costly legal ramifications for healthcare organizations that suffer data breaches, and successful attacks can cause significant reputational damage, which makes the HPH sector an ideal target for extortion. Nation-state actors often target HPH sector organizations to steal research data to gain a technological advantage, to collect sensitive data, and to cause disruption in line with national priorities.

The HPH sector is targeted by financially motivated cybercriminals, politically motivated hacktivists and nation-state actors, malicious insiders for financial gain or retaliation, cyberterrorists who wish to cause harm, and script kiddies who seek attention, want to create chaos, gain kudos within the hacking community, or simply have fun. Regardless of the threat actor, the attacks can have serious financial and reputational implications and often put patient safety at risk.

While the motivations behind healthcare cyberattacks are varied, there are common initial access vectors that are used by the different types of threat actors. Phishing and social engineering attacks exploit human weaknesses to gain initial access to healthcare networks and sensitive data. Vulnerabilities in software and operating systems are exploited for initial access, man-in-the-middle attacks intercept sensitive data, and distributed denial-of-service (DDoS) attacks and wiper malware are used to disrupt critical systems. Attacks often involve malware that steals data and provides persistent access to networks; adware is used for tracking, information theft, and driving traffic to websites; and ransomware is often deployed for data theft and extortion.

The threat brief provides information on the different types of threat actors and their motivations to help network defenders gain a better understanding of their adversaries, and it includes information on the most active threat groups known to target the HPH sector.

The post HC3 Raises Awareness of Diverse Threat Actors Targeting the HPH Sector appeared first on HIPAA Journal.