Zoll Med. Corp. v. Barracuda Networks, Inc.

565 F.Supp.3d 101

ZOLL MEDICAL CORP., Plaintiff,

v.BARRACUDA NETWORKS, INC., et al., Defendant.

Civil Action No. 20-11997-NMG

United States District Court, D. Massachusetts.

Signed September 21, 2021

Filed September 22, 2021

Michael P. Burke, DarrowEverett LLP, Benjamin W. O'Grady, Gordon Rees Scully Mansukhani, LLP, Boston, MA, Jennifer A. Guidea, Pro Hac Vice, Ronald A. Giller, Gordon Rees Scully Mansukhani LLP, Florham Park, NJ, for Plaintiff.

Angelo A. Stio, III, Pro Hac Vice, Troutman Pepper Hamilton Sanders LLP, Princeton, NJ, Jaclyn M. Essinger, Troutman Pepper Hamilton Sanders LLP, Boston, MA, Mia S. Rosati, Pro Hac Vice, Troutman Pepper Hamilton Sanders LLP, Philadelphia, PA, Ronald I. Raether, Pro Hac Vice, Troutman Pepper Hamilton Sanders LLP, Irvine, CA, for Defendant.

MEMORANDUM & ORDER

GORTON, United States District Judge

This action arises out of a data breach which compromised the confidential, protected health information ("PHI") of more than 277,000 patients of Zoll Services LLC ("Zoll Services"), an indirect subsidiary of Zoll Medical Corporation ("Zoll Medical") (together, "Zoll" or "plaintiffs"). Pending before the Court is the motion of defendants Barracuda Networks, Inc. ("Barracuda") and Sonian Inc. ("Sonian") (together, "defendants") to dismiss the complaint filed by plaintiffs. For the reasons that follow, that motion will be allowed in part and denied in part.

I. Background

Zoll Medical is a Massachusetts-based corporation that develops and markets medical devices and software solutions that help advance emergency health care. It is the indirect parent corporation of Zoll Services, a Nevada-based limited liability company that commercializes the "LifeVest wearable cardioverter defibrillator".

In the course of commercializing that product, Zoll Services often receives emails from physicians containing patient information, such as patient names, addresses, demographics and health information. In order to manage and secure that data, plaintiffs rely upon a limited number of third-party service providers. To that end, in 2012 Zoll Medical entered into a Hosting Services Agreement (the "Hosting Agreement") with Apptix, Inc. ("Apptix") whereby Apptix agreed to provide plaintiffs with a product that would safely store their emails and other data. Apptix has since been acquired by Fusion, LLC ("Fusion"), a New Jersey limited liability company with its principal place of business in Georgia.

Separately, in 2014, Zoll Lifecor Corporation, the predecessor to Zoll Services, entered into a Business Associate Agreement ("the BAA") with Apptix pursuant to the Health Insurance Portability and Accountability Act ("HIPAA") wherein Apptix allegedly agreed, inter alia, to use appropriate safeguards to prevent the unauthorized use or disclosure of PHI and to ensure that any of its subcontractors or vendors to whom it provides PHI agreed to do the same.

In the course of performing its obligations under the Hosting Agreement and the BAA, Apptix entered into a contract with Sonian to provide its customers with software and related services for the management of customer communications and email ("the OEM Agreement"). Sonian is a Delaware corporation that has since been acquired by Barracuda, another Delaware corporation with its principal place of business in California. Plaintiffs allege that Barracuda holds itself out to the public as "an expert in data security", namely, in archiving emails in a secure environment with controls that ensure that only authorized personnel have access to the data stored within the archive. Despite that representation, plaintiffs and Fusion contend that, with respect to their data, Barracuda failed to implement adequate safeguards which ultimately led to the subject data breach.

The data breach began on November 8, 2018, when a Barracuda employee allegedly left a data port open in its system during a standard migration of data within its network. None of Barracuda's supervisory, security or oversight mechanisms detected the error until approximately seven weeks later, on December 28, 2018. In the meantime, the confidential and protected health information of plaintiffs’ patients was apparently accessed by unauthorized third parties.

Barracuda finally contacted Apptix with respect to the data breach in January, 2019, advising that it

recently discovered that a very small number of user emails stored in an application known as Sonian EA were compromised as a result of unauthorized access to our system by a third party.

Barracuda informed neither Apptix nor the Zoll plaintiffs that the data port had remained open, undetected for several weeks and, instead, allegedly misrepresented that the data breach was minor.

Once Zoll Medical received notification of the breach, it and its subsidiaries began an investigation into the event to determine whether customer PHI had been accessed. As part of that investigation, plaintiffs requested from Barracuda additional information regarding the data breach but Barracuda purportedly refused to cooperate, compelling plaintiffs to hire an independent forensics firm, Kroll, Inc., to assist in the investigation.

Thereafter, plaintiffs issued a press release advising the public that its data had been breached, including communications which contained PHI. In April, 2019, a class action lawsuit was filed against Zoll Medical and Zoll Services in the Circuit Court of Kanawha County, West Virginia by individuals claiming that their PHI had been the subject of the data breach. That action has since been settled, leaving Zoll Services liable to its patients for any injury resulting from the "data breach event". Plaintiffs contend that they have also suffered investigation, mitigation and remediation costs associated with the incident, as well as harm to their reputation.

In November, 2020, plaintiffs filed the instant action against Barracuda and Sonian, alleging (1) negligence (Count I); (2) breach of implied warranty of merchantability (Count II); (3) breach of implied warranty of fitness (Count III); (4) breach of written contract—third party beneficiary (Count IV) and (5) equitable indemnity (Count V).

Defendants now move to dismiss the complaint for failure to state a claim.

II. Motions to Dismiss

A. Legal Standard

To survive a motion under Fed. R. Civ. P. 12(b)(6), the subject pleading must contain sufficient factual matter to state a claim for relief that is actionable as a matter of law and "plausible on its face." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). A claim is facially plausible if, after accepting as true all non-conclusory factual allegations, the court can draw the reasonable inference that the defendant is liable for the misconduct alleged. Ocasio-Hernandez v. Fortuno-Burset, 640 F.3d 1, 12 (1st Cir. 2011).

When rendering that determination, a court may not look beyond the facts alleged in the complaint, documents incorporated by reference therein and facts susceptible to judicial notice. Haley v. City of Boston, 657 F.3d 39, 46 (1st Cir. 2011). A court also may not disregard properly pled factual allegations even if actual proof of those facts is improbable. Ocasio-Hernandez, 640 F.3d at 12. Rather, the relevant inquiry focuses on the reasonableness of the inference of liability that the plaintiff is asking the court to draw. Id. at 13.

B. Application

i. Negligence

A plaintiff asserting a negligence claim must establish the basic elements of duty, breach, causation and damages. See Colter v. Barber-Greene Co., 403 Mass. 50, 525 N.E.2d 1305, 1313 (1988). To state a claim for negligence, a plaintiff typically must allege damages beyond pure economic loss, as "purely economic losses are unrecoverable ... in the absence of personal injury or property damage". FMR Corp. v. Boston Edison Co., 415 Mass. 393, 613 N.E.2d 902, 903 (1993). This limitation on the recovery of purely pecuniary harm is known as the economic loss doctrine.

Here, defendants contend that the economic loss doctrine bars plaintiffs’ claim for negligence. Plaintiffs, on the other hand, maintain that their negligence claim falls within an exception to the economic loss doctrine. They argue that the economic loss doctrine does not preclude recovery of purely economic loss on a negligence claim arising out of an independent, noncontractual legal duty. In particular, plaintiffs claim that the duty of Barracuda to keep Zoll's confidential customer information secure from unauthorized access arises from HIPAA and common law privacy principles separate from any agreement between the parties. In the alternative, plaintiffs submit that they reasonably and foreseeably relied on defendants’ promise to Fusion that it would keep the PHI of Zoll's customers secure, and that Massachusetts law recognizes reasonable reliance on a defendant's promise to a third party as an exception to the economic loss doctrine.

With respect to the alleged common law duty to maintain privacy, plaintiffs cite Portier v. NEO Tech. Solutions, No. 17-cv-30111, 2019 WL 7946103 (D. Mass. Dec. 31, 2019). In Portier, the district court held that because defendant employer

undertook the affirmative acts of collecting and storing [plaintiff] employees’ personal and financial information on its internet accessible computer system, it had a common law duty to exercise reasonable care to protect the data from the foreseeable risk of a data breach.

Id. at *20. The district court concluded that plaintiff employees could recover purely pecuniary losses notwithstanding the economic loss doctrine. Id.

Plaintiffs’ reliance on Portier is misplaced. In that case, the district court concluded that a "special relationship" existed between plaintiff employees and defendant employer, and that the special relationship gave rise to a duty on the employer's part to safeguard personally identifiable information...