Judge prunes medical device company's lawsuit over exposed data
2021 DPDBRF 1072
By John Fitzgerald
WESTLAW Data Privacy Daily Briefing
September 24, 2021
(September 24, 2021) - A federal judge in Massachusetts has dismissed four of the five allegations Zoll Medical Corp. made against a cybersecurity company after a data breach exposed the protected health information of more than 277,000 patients.
Only a count alleging equitable indemnity will go forward after U.S. District Judge Nathaniel M. Gorton of the District of Massachusetts agreed Sept. 22 with Barracuda Networks Inc. to dismiss the four other counts.
According to the complaint, Zoll, manufacturer of the LifeVest wearable cardioverter defibrillator, hired Apptix Inc. in 2012 to securely store emails containing customer PHI. Apptix hired Sonian Inc. to provide software and services, and Sonian has since been acquired by Barracuda.
In November 2018, a Barracuda employee inadvertently left a data port open, an error that went unremedied for seven weeks during which unauthorized third parties could access Zoll's emails. Barracuda notified Apptix of the data breach in January 2019, and Apptix notified Zoll, the complaint says.
Customers claiming their PHI was exposed in the data breach filed a class action against Zoll in West Virginia state court in 2019. That case has been settled.
Zoll then sued Barracuda and Sonian in November 2020, alleging negligence, breach of implied warranty of merchantability, breach of implied warranty of fitness, breach of contract and equitable indemnity. It sought to recover the costs it incurred litigating the West Virginia class action and other relief.
The defendants moved to dismiss for failure to state a claim in January.

Zoll demonstrated liability for damages

Judge Gorton let stand the allegation of equitable indemnity, saying that Zoll met the standard by demonstrating its liability for damages as a result of the West Virginia class action.
He rejected Zoll's argument that its negligence claim fell within an exception to the economic loss doctrine — namely that the claim arose out of a noncontractual legal duty.
"The storage and protection of sensitive data was exactly what the parties contracted among themselves to do," Judge Gorton wrote.
He also dismissed Zoll's allegations of breach of the implied warranties of merchantability and fitness because they were addressed in the contract Apptix signed with Sonian.
Under Massachusetts law, a subsequent purchaser cannot possess greater warranty rights than the original purchaser, and the defendants' disclaimer of the implied warranties rendered them waived as to Zoll, the judge said.
He also relied on the contract Apptix signed with Sonian to dismiss the breach of contract claim, ruling that the agreement made Apptix responsible for downstream customers such as Zoll.
"Because the [contract] does not 'clearly and definitely' demonstrate an intent to benefit Zoll, Zoll is not a third-party beneficiary of the contract," Judge Gorton wrote.
