Failure to Prevent Ransomware Attacks Exposes Your Lab to Costly Negligence Lawsuits

Testing labs and other custodians of personal health information have become a prime target for ransomware attacks. In addition to fines for HIPAA violations, failure to safeguard patient medical information against these threats can lead to liability under state negligence and gross negligence laws, including within the framework of potentially disastrous class action lawsuits. Although it doesn’t involve a lab, the recent case against national cloud software provider Blackbaud, Inc. offers a useful illustration of potential ransomware liability risks.

The Ransomware Attack and Class Action Lawsuit   

It’s an all too familiar story. Blackbaud was burned in a two-stage ransomware attack that compromised the private, personal data of many of the labs, nonprofits and other users of its data management software for fundraising and marketing. A group of 34 downstream customers of those clients whose data was exposed banded together to bring a class action lawsuit against Blackbaud for its supposedly subpar data security program and asserting six claims, including negligently failing to implement adequate system security measures to prevent the attacks, and not furnishing adequate notification of the breach.

Blackbaud contended that four of the claims—negligence, gross negligence, negligence per se and unjust enrichment—were legally invalid. Even if the allegations were true, they wouldn’t amount to legal violations, the company argued. And since it was all a question of law and not fact, they asked the South Carolina federal court to dismiss the four claims without a trial.

The Court’s Ruling

The court handed down a split decision, siding with the plaintiffs on the negligence and gross negligence claims and with Blackbaud on the other two.

Liability for Ransomware Attack

Negligence: Acts or omissions constitute negligence only when the person that commits them owes a duty of care to the victim who suffers damages as a result. Blackbaud insisted that it had no such duty of care to the plaintiffs because it provided the software directly to the labs and other clients and had no direct relationship with the plaintiffs. But the court disagreed, comparing Blackbaud to a lab hired by an employer to perform drug testing on its employees. “If the laboratory is negligent in testing the employee’s specimen, it is foreseeable that the employee will likely suffer a direct economic injury,” the court reasoned. Thus, not imposing a duty of care would leave employees victimized by the lab’s negligence without legal redress.

Gross Negligence: Gross negligence, too, requires there to be a duty of care between the author of the grossly negligent behavior and the victim. Thus, the same reasoning supporting the conclusion that Blackbaud could be liable for negligence applied to the gross negligence claim. Result: The plaintiffs would get their chance to prove both claims at trial, putting them in a strong bargaining position to command a settlement.

No Liability for Ransomware Attack

Blackbaud got the summary dismissal it sought on the other two claims.

Negligence Per Se: Negligence and gross negligence raised questions of what’s called common law or tort law made by courts on the basis of previous rulings that establish precedents for subsequent cases. By contrast, negligence per se is a hybrid creature composed of both tort and statutory law. The argument is that a statute establishes a standard for reasonable behavior in the context of negligence; thus, violating a statute is tantamount to an act of negligence, i.e., failure to act with reasonable care, to the victim the statute protects.

But the negligence per se argument didn’t work in this case. Explanation: The plaintiffs claimed that Blackbaud’s acts and omissions in failing to prevent the ransomware attacks violated HIPAA, as well as the Children’s Online Privacy Protection Act (COPPA), which protects the privacy of personal information about children, and Federal Trade Commission (FTC) Act, a broad consumer protection law. While all of these statutes do establish a standard of conduct protecting the plaintiffs, they don’t afford victims the right to sue for personal injury. And, as in many other states, in South Carolina, negligence can’t be based on violation of a statute unless that statute allows victims to assert personal claims.

Unjust Enrichment: A person must prove three things to win a case for unjust enrichment:

1. He/She conferred a non-gratuitous benefit on the defendant;
2. The defendant realized some value from the benefit; and
3. It would be inequitable for the defendant to retain the benefit without paying the person for its value.

The plaintiffs cited a case where a federal court applied these principles in refusing to dismiss the unjust enrichment claims against Capital One and Amazon for a data breach compromising the personal information furnished by their credit card holders. But the court rejected the comparison as apples to oranges. There was no exchange of personal information in consideration for personal financial services the way there was in the Capital One and Amazon case, the court explained. The plaintiffs provided their information to the labs and other Blackbaud clients and Blackbaud didn’t actively seek to acquire it.

In re Blackbaud, Inc., 2021 U.S. Dist. LEXIS 201211, 2021 WL 4866393

Takeaway

HIPAA doesn’t generally give the victims of ransomware and other cyberattacks the right to sue for money damages. However, as the Blackbaud case clearly illustrates, potential liability for failing to adequately keep patient health information secure and ward off cyberthreats goes well beyond HIPAA. Victims of cyberattacks have an arsenal of potent legal weapons at their disposal, including tort law and negligence lawsuits.