Federal Court Holds that Cloud Service Provider is Subject to CMIA

By Philip N. Yannella, Gregory P. Szewczyk & Eric K. Temmel on August 25, 2021

On August 12, 2021, the United States District Court for the District of South Carolina issued an opinion denying in part and granting in part a motion by Blackbaud to dismiss seven statutory claims brought by plaintiffs in a multidistrict consolidated action stemming from a ransomware attack. The most notable aspect of the opinion is the Court’s interpretation of the California Medical Information Act (CMIA), which may have the effect of broadening the scope of liability for California-based cloud service providers that suffer data breaches.

Plaintiffs in the case are patrons of Blackbaud’s business-to-business customers and do not have a direct relationship with Blackbaud. Plaintiffs allege, however, that Blackbaud’s “deficient security program” and insufficient internal response permitted a two-part ransomware attack in 2020, which ultimately led to Blackbaud’s payment of an undisclosed amount of Bitcoin in exchange for the attackers’ assurances to delete compromised data. Plaintiffs also allege failure to provide timely, adequate and accurate notice of the attack and information about the exfiltrated data.

In June, Blackbaud moved to dismiss the CMIA (as well as other statutory) claims on the basis that the entity did not constitute a “provider of health care” prohibited under CMIA from disclosing “medical information” without proper authorization. Several plaintiffs failed to allege exposure of any medical information and the court granted Blackbaud’s motion accordingly. The Court found, however, that one plaintiff plausibly argued potential disclosure of medical information, including medical diagnoses and treatment plans.

Central to the Court’s ruling was its analysis of whether Blackbaud, a cloud provider, qualifies as a “provider of health care” under CMIA. Blackbaud argued that no California plaintiff had purchased any product directly from Blackbaud and that plaintiffs had failed to allege that Blackbaud collected information for medical purposes. The Court rejected that argument, calling Blackbaud’s reading of CMIA “tortured” and holding that CMIA applies to entities “that are not ordinarily considered medical providers, such as technology companies that process and maintain ‘medical information.’” The Court noted that a direct product or service offering is not required and that CMIA applies to businesses that maintain medical information, regardless of whether that is the primary purpose of the business.

The impact of the Court’s decision on the CMIA claim is potentially significant and may broaden the scope of liability for cloud service providers that offer hardware or software designed or marketed for the storage of medical information of Californians. Many cloud service providers do not market directly to consumers and may not have considered potential consumer liability because of the lack of privity. It remains to be seen whether other courts follow the District of South Carolina’s reasoning with regard to the scope of the CMIA. This is an issue that cloud service providers should track carefully.

Philip N. Yannella

yannellap@ballardspahr.com | 215.864.8180

As Practice Leader of Ballard Spahr’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Phil regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Phil serves on the advisory board for the ACC Foundation’s Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.

  • Posted in:
    Privacy & Data Security, Technology
  • Blog:
    CyberAdviser
  • Organization:
    Ballard Spahr LLP