Lawsuit Against Blackbaud and the New Limits of the Identity Theft Legislation

Blackbaud Had No Common Law Duty to Protect the Confidentiality of Trinity Health’s Records

An Indiana district court judge has ruled in favor of the plaintiff in a lawsuit that alleged negligence for failing to prevent a breach of protected health information (PHI), stating that there is no common law duty in Indiana to protect the confidentiality of information shared with a vendor.

Trinity Health and its insurance provider, Aspen American Insurance Company (AAIC), filed a lawsuit against Blackbaud, a company offering software and support services. To carry out its contracted responsibilities, Blackbaud was given access to the PHI of patients and donors. In 2020, Blackbaud suffered a ransomware attack that impacted over 13,000 clients. Trinity Health was one of the customers affected, with over 3.2 million records taken during the attack.

There was a long-running legal struggle to recover losses sustained because of the data breach. The same district court previously dismissed Trinity Health/AAIC's complaint against Blackbaud because causation was insufficiently alleged for every one of their claims. Trinity Health and AAIC submitted a revised complaint, which Blackbaud likewise sought to have dismissed; however, on May 31, 2023, Judge Jon E. DeGuilio of the U.S. District Court for the Northern District of Indiana permitted the lawsuit to continue.

Trinity Health had signed a Master Application Services Provider Agreement (MSA) with Blackbaud and likewise entered into a HIPAA business associate agreement (BAA) with it. The MSA and BAA state that Blackbaud agreed to hold Trinity Health's information in the strictest confidence, exercise reasonable care with the information, and implement reasonable technical, physical, and administrative safeguards to protect data privacy and confidentiality. Nevertheless, the question that had to be addressed was whether Blackbaud had a common law duty to prevent data breaches under Indiana law.

Judge DeGuilio decided that the revised Trinity Health/AAIC complaint offered an adequate basis for the allegations that it had sustained costs as a result of Blackbaud's failure to adhere to its contractual responsibilities under the MSA and BAA, and that the majority of the expenses sustained were compensable. He denied the motion to dismiss on two counts: breach of the MSA and breach of the BAA. He nevertheless granted the motion to dismiss the remaining claims of breach of fiduciary duty, negligence, negligent misrepresentation, and gross negligence.

Blackbaud contended that the negligence and gross negligence claims do not state a plausible claim, since there is no common law duty to protect the public from the possibility of data exposure. Blackbaud also contended that the claim of negligent misrepresentation is barred by the economic loss rule and that the claim of breach of fiduciary duty ought to be dismissed since no fiduciary duty was alleged.

Regarding the claims of negligence and gross negligence, Judge DeGuilio decided that there is no legislation or statute in Indiana that requires the prevention of data breaches. Indiana's data breach notification rule only imposes a duty to send notifications about data breaches when they happen, not a duty to stop them from happening. Although the lawsuit is permitted to continue, the dismissal of the negligence and gross negligence claims will significantly restrict the damages that may be awarded, which will be limited to economic damages sustained by AAIC and Trinity Health.

Supreme Court Decision Limits Reach of Identity Theft Legislation

The Supreme Court has ruled against the federal government, meaning federal prosecutors must rein in identity theft charges and limit them to cases in which the improper use of another person's identification is at the center of the criminal offense, instead of the present broad interpretation that permits identity theft charges for fraudulent billing in which another individual's identification is only an ancillary element of a billing scheme.

Aggravated identity theft carries a mandatory prison term of 2 years in addition to any sentence for the predicate felony. Before the Supreme Court decision, there was no difference between an identity thief taking a person's identity and running up big debts, an attorney rounding up charges and billing only full hours, a waitress overcharging customers, and a doctor overcharging Medicaid. The Supreme Court ruling concerns the last of these.

The mental health testing firm Psychological ARTs is managed by psychologists William and David Dubin. In 2013, David Dubin was evaluating a patient when William Dubin told him that the patient's Medicaid benefits were depleted and stopped the evaluation. David Dubin then directed a staff member to submit a reimbursement claim to Medicaid that used the name and Medicaid ID of the patient. This resulted in ending the analysis of being qualified for payment. That bogus claim led to a payment of $338.

In 2017, federal prosecutors charged David and William Dubin with 20 counts associated with the overcharging of Medicaid. There were 6 counts of aggravated identity theft, and the provider received about $300,000 in fraudulent reimbursements. In 2019, David Dubin was sentenced to one year in prison for filing inflated bills and two years for aggravated identity theft, with the sentences to run consecutively. Dubin's legal team filed an appeal; however, the U.S. Court of Appeals for the 5th Circuit upheld the identity theft sentence because, under the broad interpretation of the legislation, it is a felony to make use of another individual's identity without lawful authority, and David Dubin used the names and Medicaid ID numbers of patients to file overstated claims. The Supreme Court unanimously decided that it could not support such a “boundless interpretation” of the Identity Theft Penalty Enhancement Act of 2004.

Prosecutors contended that although the scale of the fraud in Dubin's case was relatively small, theirs was the proper reading of the law and the flat two-year prison term ought to stand whatever the magnitude of the fraud. Under the letter of the law, small-scale fraud and large-scale fraud carry the same sentence for aggravated identity theft. The Supreme Court did not agree.

Patient names as well as other identifiers will, naturally, be involved in most medical billing. Patient names will probably be on prescriptions, and patients committing fraud themselves will frequently need to include the names of other people on their forms, for example, doctors or companies. Under the Government's own reading, such cases are ‘instantly identity theft,’ regardless of whether the name is connected with the fraudulent part of the offense. She furthermore noted that if she sided with the government, a similar interpretation could also be applied to mail fraud, where using another individual's name to address a letter to them could in the same way be categorized as aggravated identity theft, punishable with a mandatory two-year prison term. Dubin's lawyer, Jeffrey Fisher, stated that the same 2-year prison term could also be imposed on anyone who files a form on behalf of another individual that contains a misrepresentation.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology and cybersecurity. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.