Economic loss doctrine bars medical device company’s negligence claim against IT vendor arising out of personal health information data breach


By: William E. Gildea

In Zoll Medical Corp. v. Barracuda Networks, Inc., et al., United States District Court, District of Massachusetts Civil Action No. 20-11997-NMG (D. Mass. Sept. 21, 2021) (Gorton, J.) (“Zoll”), Plaintiff Zoll Medical Corp. (“Zoll Medical”) sued a third-party IT vendor over a data breach that exposed protected health information (“PHI”). Zoll Medical did not directly contract with the third-party IT vendor. The District Court of Massachusetts granted the Defendants’ motion to dismiss as to Zoll Medical’s negligence claim based on the economic loss doctrine. This decision affirms the validity of the economic loss doctrine under Massachusetts law where no “special relationship” exists, the viability of the defense in data breach actions against third-party IT vendors, and that the Health Insurance Portability and Accountability Act (“HIPAA”) does not create a tort duty.

Zoll Medical is a Massachusetts-based corporation that markets and develops medical software and devices and is the indirect parent of a Nevada-based LLC that commercializes a “LifeVest wearable cardioverter defibrillator.” Zoll Medical receives PHI from various physicians via email. Zoll Medical entered into a hosting agreement and Business Associate Agreement, pursuant to HIPAA, with Apptix, Inc. (“Apptix”) to maintain and secure its email communications, including those with physicians. Apptix, in turn, entered into a contract with Sonian Inc., which was later acquired by Barracuda Networks, Inc. (“Barracuda”), to provide email management services and software to its customers, including Zoll Medical. Barracuda, among other things, archived emails in a secure environment to protect PHI.

A data breach occurred on November 28, 2018, when a Barracuda employee left a data port open during a standard migration of data. Zoll Medical alleges Barracuda did not detect its error until December 28, 2018. Emails containing PHI stored in Barracuda’s software were compromised in the data breach. In 2019, individuals claiming their PHI was accessed in the data breach filed a class action lawsuit against Zoll Medical; that lawsuit was ultimately settled.

Zoll Medical thereafter filed the present suit against Barracuda alleging negligence, breach of implied warranties, breach of contract, and equitable indemnity. In the negligence claim, Zoll Medical claimed that Barracuda breached its duty to implement appropriate safeguards to protect the confidentiality, integrity and availability of PHI. Zoll Medical sought to recover defense, investigation, mitigation and remediation, and settlement costs.

Barracuda filed a motion to dismiss arguing that the economic loss doctrine barred Zoll Medical’s negligence claim. Zoll Medical countered that its claims were not barred by the economic loss doctrine because the doctrine “does not preclude recovery of purely economic loss on a negligence claim arising out of an independent, noncontractual legal duty.” Barracuda’s independent duty, according to Zoll Medical, arose from HIPAA and common law privacy principles separate from any agreement. Alternatively, Zoll Medical argued that it reasonably relied on Barracuda’s promise to a third party, namely Apptix, to keep the information secure, which Massachusetts law recognizes as an exception to the economic loss doctrine.

The District Court found that there was no “special relationship” to give rise to a duty to safeguard personally identifiable information, unlike the one that exists between an employer and employee, as found in Portier v. NEO Tech. Solutions, No. 17-cv-30111, 2019 WL 7946193 (D. Mass. Dec. 31, 2019). The Court found that, unlike in Portier, where the storage and protection of information was at most “incidental” to the employment relationship, the storage and protection of the PHI by Barracuda is what the parties contracted for among themselves, and cited Wyman v. Ayer Properties, LLC, 11 N.E.3d 1074, 1080 (Mass. 2014) for the proposition that the economic loss doctrine was “developed in part to prevent the progression of tort concepts from undermining contract expectations.” The Court further found Zoll Medical’s argument that Barracuda had an independent duty arising from HIPAA unavailing, relying upon federal cases declining to recognize an independent right of action under HIPAA and the lack of any authority in support of the position that HIPAA creates a tort duty. Finally, the Court found that Zoll Medical did not allege actual reliance on any promise made by Barracuda to Apptix that would support an exception to the economic loss doctrine, noting that it was not even clear that Zoll Medical was aware that Apptix had engaged Barracuda.

This is a significant decision to keep in mind when assessing the economic loss doctrine defense in Massachusetts negligence actions and in data breach actions against third-party IT providers. For further information contact William E. Gildea at