On August 12, 2021, the United States District Court for the District of South Carolina issued an opinion denying in part and granting in part a motion by Blackbaud to dismiss seven statutory claims brought by plaintiffs in a multidistrict consolidated action stemming from a ransomware attack. The most notable aspect of the opinion is the Court’s interpretation of the California Medical Information Act (CMIA), which may have the effect of broadening the scope of liability for California-based cloud service providers that suffer data breaches.
Plaintiffs in the case are patrons of Blackbaud’s business-to-business customers and do not have a direct relationship with Blackbaud. Plaintiffs allege, however, that Blackbaud’s “deficient security program” and insufficient internal response permitted a two-part ransomware attack in 2020, which ultimately led to Blackbaud’s payment of an undisclosed amount of Bitcoin in exchange for the attackers’ assurances to delete compromised data. Plaintiffs also allege failure to provide timely, adequate and accurate notice of the attack and information about the exfiltrated data.
In June, Blackbaud moved to dismiss the CMIA (as well as other statutory) claims on the basis that the entity did not constitute a “provider of health care” prohibited under CMIA from disclosing “medical information” without proper authorization. Several plaintiffs failed to allege exposure of any medical information, and the Court granted Blackbaud’s motion accordingly. The Court found, however, that one plaintiff plausibly argued potential disclosure of medical information, including medical diagnoses and treatment plans.
Central to the Court’s ruling was its analysis of whether Blackbaud, a cloud provider, qualifies as a “provider of health care” under CMIA. Blackbaud argued that no California plaintiff had purchased any product directly from Blackbaud and that plaintiffs had failed to allege that Blackbaud collected information for medical purposes. The Court rejected that argument, calling Blackbaud’s reading of CMIA “tortured” and holding that CMIA applies to entities “that are not ordinarily considered medical providers, such as technology companies that process and maintain ‘medical information.’” The Court noted that a direct product or service offering is not required and that CMIA applies to businesses that maintain medical information, regardless of whether that is the primary purpose of the business.
The impact of the Court’s decision on the CMIA claim is potentially significant and may broaden the scope of liability for cloud service providers that offer hardware or software designed or marketed for the storage of medical information of Californians. Many cloud service providers do not market directly to consumers and may not have considered potential consumer liability because of the lack of privity. It remains to be seen whether other courts follow the District of South Carolina’s reasoning with regard to the scope of the CMIA. This is an issue that cloud service providers should track carefully.