Aspen American Insurance Company v. Blackbaud, Inc.

• Court: District Court, N.D. Indiana
• Decided: August 30, 2022
• Docket: 3:22-cv-00044
• Status: Unknown

Opinion

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF INDIANA SOUTH BEND DIVISION

ASPEN AMERICAN INSURANCE COMPANY, et al.,

Plaintiffs,

v. Case No. 3:22-CV-44 JD

BLACKBAUD, INC.,

Defendant.

OPINION AND ORDER Now before the Court are three motions. Aspen American Insurance Company and Trinity Health Corporation (collectively, the “Plaintiffs”) have filed a motion to remand this case to the St. Joseph Superior Court. (DE 22; DE 25.) Blackbaud, Inc., the defendant, has filed a motion to dismiss the Complaint for failure to state a claim on which relief can be granted. (DE 9.) Plaintiffs have also filed a cross motion in which they seek to amend their Complaint if the Court decides to grant Blackbaud’s motion to dismiss. (DE 43.) For the reasons explained below, the Court will deny the motion to remand, but grant the remaining two motions. A. Factual Background Trinity Health Corporation (“Trinity Health”) is an Indiana not-for-profit corporation with a multi-facility health system that serves multiple counties across northern Indiana. (DE 6 ¶ 3.) As a multi-facility health system, Trinity Health possesses records containing highly sensitive information, including personal information from donors and patients. (Id. ¶¶ 2, 4, 5, 6 ) Among the data contained in these records is Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”).1 (Id. ¶ 5.) PII includes information that can be used to distinguish or trace an individual’s identity, while PHI includes individually identifiable health information relating to the provision of health care. (Id. ¶¶ 6, 43.) On June 17, 2015, Trinity Health executed two contracts with Blackbaud, Inc., (“Blackbaud”) to help consolidate its existing databases into

one system of records and protect this sensitive data. (Id. ¶¶ 2, 4, 34.) The first agreement was a Master Application Services Provider Agreement (“MSA”). (Id. ¶ 28.) Under the MSA, Blackbaud agreed to maintain servers holding Trinity Health’s donor and patient data, including PII and PHI. (DE ¶¶ 2, 5, 30.) The MSA specifies, in relevant part, that the data must be kept by Blackbaud “in strictest confidence using the same or greater degree of care it uses with its own most sensitive information (but in no event less than a reasonable degree of care)” and also requires Blackbaud to “effect a comprehensive information security program that includes reasonable and appropriate technical, administrative, and physical security measures aimed at protecting such information from unauthorized access, disclosure, use, alteration or destruction, and that reflects industry-leading practices.” (Id. ¶ 30.)

The second agreement that Trinity Health and Blackbaud entered on June 17, 2015, was a Business Associate Agreement (“BAA”). (Id. ¶ 34.) Under the BAA, Blackbaud agreed to comply with its obligations as a “business associate” under HIPAA, HITECH, and any implementing regulations. (Id. ¶ 36.) Blackbaud also agreed to implement reasonable administrative, physical, technical, and electronic safeguards to protect the confidentiality, integrity, and availability of all PHI. (Id. ¶¶ 37, 38.) If there was a security breach or suspected breach, then Blackbaud was required to report this to Trinity Health within ten business days. (Id. ¶ 39.)

1 Collectively, “PII” and “PHI” will be referred to as “Private Information.” On February 7, 2020, a third party hacked into Blackbaud’s systems and deployed ransomware. (Id. ¶ 9.) These cybercriminals were able to gain access to the Private Information that Trinity Health had stored with Blackbaud. (Id. ¶ 12.) The cybercriminals copied data from Blackbaud’s systems and held this copied data for ransom. (Id. ¶ 81.) However, the

cybercriminals were unable to block Blackbaud from accessing its own systems. (Id. ¶¶ 81, 82.) Even though Blackbaud discovered that the ransomware attack occurred on May 14, 2020, it did not notify Trinity Health of the Incident until July 16, 2020. (Id. ¶¶ 11, 13.) After learning about the incident, Trinity Health notified affected patients and donors of the breach, set up credit monitoring for such individuals, and also established an information call center. (Id. ¶14.) Plaintiffs allege that this security breach occurred as a result of Blackbaud failing to reasonably safeguard Trinity Health’s database of Private Information. (Id. ¶¶ 80, 90.) According to Plaintiffs, even though Blackbaud represented itself as a “world leading software company,” and promised to implement reasonable security measures in the MSA, its security program was actually “woefully inadequate[.]” (Id. ¶¶ 2, 10.) The system Blackbaud used was purportedly

“obsolete,” ran “multiple applications,” and was based on a “patch schedule” which multiple employees at Blackbaud warned their supervisors about. (Id. ¶¶ 62–69.) Plaintiffs claim that “had Blackbaud maintained a sufficient security program, including properly monitoring its network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether.” (Id. ¶¶ 10, 16.) After the breach, Trinity Health incurred various expenses, which included credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services (the “Remediation Damages”). (Id. ¶ 92.) Trinity Health was insured by Aspen American Insurance Company (“Aspen”).2 (Id. ¶ 91.) Pursuant to the insurance policy, Aspen agreed to “pay, on behalf of the Insured, Expense incurred in connection with a Privacy and Network Security Incident . . . .” (Exhibit B, DE 6, at 1.) “Expense” under the policy included “Data Forensics, Public Relations, Notification, Fraud Monitoring and

Resolution Services, Call Center Services, and Incident Response Consultation.” (Id. at 2.) There was also a subrogation clause allowing Aspen the right to step into the shoes of Trinity Health as a subrogee and recover against a third party. (Id. ¶ 94.) Plaintiffs allege that, in accordance with the policy, Aspen made payments on behalf of Trinity Health for the Remediation Damages. (DE 6 ¶ 15.) On December 15, 2021, the Plaintiffs filed the instant case against Blackbaud in Indiana state court, bringing six claims for relief: Count I: Breach of Contract Count II: Negligence Count III: Gross Negligence

Count IV: Negligent Misrepresentation Count V: Fraudulent Misrepresentation Count VI: Breach of Fiduciary Duty (DE 6.) Blackbaud then removed the case from state court, invoking the Court’s diversity jurisdiction. (DE 1; DE 8.) On February 11, 2022, Blackbaud filed a motion to dismiss Plaintiffs’ Complaint in its entirety for failure to state a claim upon which relief could be granted. (DE 9.) Plaintiffs filed a response to this motion (DE 42), and Blackbaud filed its reply (DE 46.).

2 On February 24, 2022, the Court granted a motion to substitute the original name of the Plaintiff, “Aspen Specialty Insurance Company, as subrogee of Trinity Health Corporation “for “Aspen American Insurance Company, as subrogee of Trinity Health Corporation.” (DE 30.) Accordingly, this motion is now ripe for review. Also ripe for review are Plaintiffs’ motion to remand and cross motions to amend their Complaint, which have been fully briefed.3 (DE 22; DE 42; and DE 43.)

B. Standard of Review In reviewing a motion to dismiss for failure to state a claim upon which relief can be granted under Federal Rule of Civil Procedure 12(b)(6), the Court construes the complaint in the light most favorable to the plaintiff, accepts the well-pleaded factual allegations as true, and draws all reasonable inferences in the plaintiff’s favor. Calderon-Ramirez v. McCament, 877 F.3d 272, 275 (7th Cir. 2017). A complaint must contain only a “short and plain statement of the

claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). That statement must contain sufficient factual matter, accepted as true, to state a claim for relief that is plausible on its face, Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009), and raise a right to relief above the speculative level. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). However, a plaintiff’s claim need only be plausible, not probable. Indep. Trust Corp. v. Stewart Info. Servs. Corp., 665 F.3d 930, 935 (7th Cir. 2012). Evaluating whether a plaintiff’s claim is sufficiently plausible to survive a motion to dismiss is “‘a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.’” McCauley v. City of Chicago, 671 F.3d 611, 616 (7th Cir. 2011) (quoting Iqbal, 556 U.S. at 678).

C. Discussion

3 Plaintiff Aspen has filed two unopposed motions to join Plaintiff Trinity Health’s motion to remand and reply. (DE 25; DE 34.) These motions to join are unopposed, and therefore will be granted. The motion to remand is based on a forum selection clause in the MSA. (DE 23 at 2.) The Court will first consider this motion to remand, prior to addressing the motion to dismiss. Holmes v. F.D.I.C., No. 11-CV-211, 2011 WL 1498824, at *1 (E.D. Wis. Apr. 19, 2011) (noting that courts have a “great deal of discretion to decide the order in which they will dispose of

multiple motions” and deciding to rule on a motion to remand prior to a motion to dismiss). (1) Motion to Remand The parties do not dispute that this is an action with complete diversity of citizenship between the parties and an amount in controversy in excess of $75,000, and is thus within this Court’s original subject matter jurisdiction. 28 U.S.C. § 1332(a). Further, there is no dispute that

Blackbaud’s notice of removal was timely filed. 28 U.S.C. § 1446. Rather, Plaintiffs argue that the case must be remanded to the St. Joseph Circuit Court pursuant to a forum selection clause in the MSA. (DE 23 at 2.) According to Plaintiffs, the forum selection clause included in the MSA provided Trinity Health the “contractual right to prosecute these claims against Blackbaud in the St. Joseph Circuit Court.” (Id. at 3.) By removing the case to federal court, Plaintiffs claim that Blackbaud breached the forum selection clause, warranting remand. Enforcing a forum selection clause in a contract is a permissible basis for remand. Roberts & Schaefer Co. v. Merit Contracting, Inc., 99 F.3d 248, 252 (7th Cir. 1996). While the majority of federal circuits hold that federal law governs the interpretation and enforceability of forum selection clauses, the Seventh Circuit has held that “[s]implicity argues for determining

the validity and meaning of a forum selection clause, in a case in which interests other than those of the parties will not be significantly affected by the choice of which law is to control, by reference to the law of the jurisdiction whose law governs the rest of the contract in which the clause appears.” Jackson v. Payday Fin., LLC, 764 F.3d 765, 775 (7th Cir. 2014) (quoting Abbott Laboratories v. Takeda Pharmaceutical Co., 476 F.3d 421 (7th Cir. 2007)); see also Nw. Nat. Ins. Co. v. Donovan, 916 F.2d 372, 374 (7th Cir. 1990) (writing that “it can be argued that as the rest of the contract in which a forum selection clause is found will be interpreted under the principles of interpretation followed by the state whose law governs the contract, so should that

clause be”). Here, both the choice of law provision and the forum selection clause appear in the same section of the MSA: 12.6 Governing Law. The rights and obligations of the Parties under this Agreement shall be governed in all respects by the laws of the state of Indiana, excluding conflicts of law provisions. The Parties expressly consent to the exclusive jurisdiction of the state and federal courts located in the State of Indiana for any dispute concerning this Agreement and agree not to commence any such proceedings except in such courts. The Parties hereby waive all defenses of lack of personal jurisdiction and forum non conveniens related thereto. (Exhibit A, DE 6, at 14 (emphasis added).) Because the rights and obligations in the MSA are governed by Indiana law, and neither party asserts that interests other than the parties will be significantly affected by the choice of law, the validity and meaning of the forum selection clause are also governed by Indiana law. In Indiana, parties are “generally free to bargain for the terms that will govern their relationship[,]” including deciding “what law will govern,” whether disputes arising between them will be “resolved publicly” or in arbitration, and “where any disputes will be resolved.” O’Bryant v. Adams, 123 N.E.3d 689, 692 (Ind. 2019). Therefore, forum selection clauses in Indiana are generally enforceable, unless the party “resisting a forum-selection clause” shows that the clause was not “freely negotiated” nor reasonable and just. Id. at 694. However, neither party disputes that the forum selection clause is enforceable. Rather, the dispute between the parties concerns the proper interpretation of the forum selection clause. The Plaintiffs argue that the forum selection clause in Section 12.6 gives Trinity Health a right to prosecute its claims against Blackbaud in an Indiana state court which would be “rendered illusory if Blackbaud could nullify that right” by removing it to federal court. (DE 23 at 13.) Blackbaud argues that the plain language in Section 12.6 consents to jurisdiction in state and federal courts within Indiana, but does not remove its right to remove the case from Indiana state court to a federal court

located in Indiana. (DE 31 at 3.) The Court agrees that the plain language of the forum selection clause allows for removal from Indiana state court to a federal court located in Indiana. In Indiana, forum selection clauses are interpreted under the state’s principles for interpreting contracts generally. See Sunburst Chem., LLC v. Acorn Distributors, Inc., 922 N.E.2d 652, 653 (Ind. Ct. App. 2010). When interpreting a contract, the primary goal is to ascertain the intent of the parties. Id. If a text’s plain meaning is unambiguous, then “courts need not resort to interpretive canons[.]” O’Bryant, 123 N.E.3d at 693. The Court finds that Section 12.6’s plain meaning only gives Trinity Health the right to “commence” a lawsuit in either state or federal court in Indiana, but does not provide them a right to force Blackbaud to remain in that court.

There are a few reasons for this conclusion. First, the plain meaning of the forum selection clause counsels against a finding that Trinity Health has a right to keep this suit in its chosen forum. The relevant language states that“[t]he Parties expressly consent to the exclusive jurisdiction of the state and federal courts located in the State of Indiana for any dispute concerning this Agreement and agree not to commence any such proceedings except in such courts.” (Exhibit A, DE 6, at 14 (emphasis added).) The word “commence” in this clause means to “begin” or “start.” See Commence, OXFORD DICTIONARIES, https://premium.oxforddictionaries .com/us/definition/american_english/commence (last visited August 24, 2022) (defining commence as to “begin; start”); see also Commence, MERRIAM-WEBSTER DICTIONARY, https://www.merriam-webster.com/dictionary /commence (last visited August 24, 2022) (defining commence as “to enter upon; begin” or “to have or make a beginning”). Therefore, the most natural reading of this forum selection clause is that a party must start a legal proceeding concerning the MSA in either Indiana state court or a federal court located in Indiana. However,

starting a legal proceeding in one court does not mean that the party has a right to permanently keep that proceeding in that chosen court. Similar to how a vacationer might “commence” his trip by going to France but ultimately finish the trip in England, so too might a court proceeding “commence” in Indiana state court but then ultimately end up in federal court after removal. See Cruthis v. Metropolitan Life Ins. Co, 356 F.3d 816, 819 (7th Cir. 2004) (“[T]he right to file suit in a particular forum is not equivalent to the right to avoid removal from that forum.”); see also EBI-Detroit, Inc. v. City of Detroit, 279 F. App’x 340, 346 (6th Cir. 2008) (finding that a forum selection clause where a party agreed to “not commence any action in any other [court] than a competent State court in Michigan” was “irrelevant [to the question of removal] because it says nothing about the defendants’ right to remove.”). Given this plain meaning of “commence,” the

best interpretation of the forum selection clause is that while a party to the MSA may file suit in Indiana state court, the party does not necessarily have a right to keep the suit in that court, and that it may be removed to a federal court located in Indiana. Second, this interpretation is supported by Indiana’s law surrounding contractual waiver of legal rights. Blackbaud, as a defendant, had “a statutory right to remove [this] civil action from state court ‘to the district court of the United States for the district embracing the place where such action is pending.’” Rochester Comty. Sch. Corp. v. Honeywell, Inc., No. 306-CV- 351, 2007 WL 2473464, at *6 (N.D. Ind. Aug. 27, 2007) (quoting 28 U.S.C. § 1441(a)). Under Indiana law, a party may waive a statutory right provided by a statute if he does so through an affirmative act which demonstrates an intention to relinquish that right. See In re Est. of Highfill, 839 N.E.2d 218, 222 (Ind. Ct. App. 2005) (“A valid waiver involves both the knowledge of the existence of the right and the intention to relinquish it.”). Signing a contract to allow a party to commence a suit in one court does not indicate an intent on the part of Blackbaud to waive its

right to remove that suit once commenced. See RBC Mortg. Co. v. Couch, 274 F. Supp. 2d 965, 970 (N.D. Ill. 2003) (“Where a contract provides that the parties consent to the jurisdiction of state or federal court within a particular region, however, the agreement does not constitute a waiver of a defendant’s right to remove.”). Third, this interpretation accords with how other courts in this circuit have interpreted similar clauses. For example, in Oberweis Dairy, Inc. v. Maplehurst Farms, Inc., No. 88 C 4857, 1989 WL 2078, at *2 (N.D. Ill. Jan. 10, 1989), the parties signed an agreement where they agreed to “institute any action against the other arising out of [the Agreement] in any state or federal court of general jurisdiction in the State of Illinois and waive[] any objection he may have to either the jurisdiction or venue of such court.” The agreement in Oberweis is similar to

the one in this case in that it (1) specifies that suit may be filed in either state or federal court, (2) limits the geographic area for filing to a court residing in a state, and (3) disallows certain objections. The court in Oberweis ultimately concluded that the forum selection clause was a geographic limitation limiting the plaintiff to a “courtroom located in Illinois,” but did not waive the defendant’s right of removal as it did not “involve language which vests in the plaintiff the right to choose a particular Illinois court” nor did “the clause . . . bind the defendant to the plaintiff’s choice of forum.”Id; see also Newman/Haas Racing v. Unelko Corp., 813 F. Supp. 1345, 1348 (N.D. Ill. 1993) (finding that an agreement where the parties “consent[ed] to venue and jurisdiction of the Federal and State courts located in Lake and/or Cook County, Illinois” did not waive the defendant’s right of removal). The instant case’s forum selection clause also appears to be more of a geographic limitation, limiting the parties to federal or state court in Indiana, without vesting in a claimant the exclusive right to keep the case in their chosen forum. The Court also finds Blackbaud’s interpretation superior because the binding case law

cited by Plaintiffs in support of their interpretation is easily distinguishable. Plaintiffs cite Pine Top Receivables of Illinois, LLC v. Transfercom, Ltd., 836 F.3d 784, 787 (7th Cir. 2016) as an analogous case. The forum selection clause considered in Pine Top provided that the Defendant, in the event the Defendant insurer failed to pay an amount due under the insurance agreement, “at the request of the [Plaintiff], will submit to the jurisdiction of any Court of competent jurisdiction within the United States and will comply with all requirements necessary to give such Court jurisdiction . . . .” Id (emphasis added). The Seventh Circuit held that this agreement required the defendant “to submit to the jurisdiction of any court of competent jurisdiction chosen by [the Plaintiff]” and waived the Plaintiff’s right to removal. Id (emphasis added). Unlike the instant forum selection clause, the clause in Pine Top required acquiescence by the

defendant to the plaintiff’s chosen forum: the defendant had to “submit” to a jurisdiction chosen by the plaintiff and then “comply with all requirements necessary to give such court jurisdiction.” Id. Here, the agreement speaks to the initial filing by using the word “commence,” and limits the geographic area to Courts in Indiana, but nothing in the language prevents the parties from then removing the action to a federal court in Indiana. Other sister courts have drawn a similar distinction previously, differentiating language that is “more in the nature of a geographic limitation,” as in the instant case, from language that “vest[s] in the claimant . . . the exclusive right to choose” a given forum, as in Pine Top. Newman/Haas Racing, 813 F. Supp. at 1348. Accordingly, because the plain meaning of the forum selection clause allows for removal, the Court DENIES Plaintiff’s motion to remand.

(2) Motion to Dismiss In their Complaint, for each of their claims, Plaintiffs allege that as a direct and proximate cause of Defendant’s conduct they suffered Remediation Damages. These Remediation Damages include expenditures for “credit monitoring services and call centers, legal counsel, computer systems recover, and data recovery and data migration services.” (DE 6 ¶ 92.) Blackbaud argues that Plaintiffs fail to plausibly allege a compensable injury caused by Blackbaud’s actions in each of their claims. (DE 10 at 2, 7, 16.) Blackbaud also argues that

Plaintiff’s negligence claims are barred under the economic loss doctrine. (Id. at 18.) For the reasons explained below, the Court agrees with Blackbaud. (a) Causation Blackbaud argues that the Complaint fails to adequately plead causation for each of Plaintiffs’ claims. (DE 10 at 2, 7, 16.) In Count I of their Complaint, Plaintiffs allege that

Blackbaud’s contractual breaches include “failing to adequately protect consumers’ Private Information; failing to properly and adequately determine whether it was susceptible to a data breach; failing to properly maintain and monitor its own data security programs for intrusions; failing to remove old unused and obsolete data containing Private Information or to encrypt such information; failing to heed vendor announcements regarding the sunset of certain databases; leaving client information on older databases that were more vulnerable to cyberattack; and, failing to name Trinity Health as an additional insured under its policies.” (DE 6 ¶ 105.) Plaintiffs then allege that “[a]s a direct and proximate result of Blackbaud’s breaches of contract, Trinity Health, and its subrogee Aspen, suffered damages” and that “[t]he damages suffered by Trinity Health, and its subrogee Aspen, include, but are not limited to, paying the Remediation Damages.” (Id. ¶¶ 109, 110.) For each of their other claims, Plaintiffs include similar allegations of breach as well as the resulting damages.4 Blackbaud asserts that these allegations do not adequately explain how the breach caused their Remediation Damages, warranting dismissal.

(DE 10 at 2, 7, 13, and 16.) Causation is an essential element for each of Plaintiffs’ claims. For a breach of contract claim in Indiana, as alleged in Count I, a plaintiff must show that there was a contract, which defendant breached, that the breach was a substantial factor contributing to the damages, and that the damages were foreseeable at the time the contract was entered into. Berg v. Berg, 170 N.E.3d 224, 231 (Ind. 2021) (“The essential elements of a breach of contract action are the existence of a contract, the defendant’s breach thereof, and damages.”); Hopper v. Colonial Motel Properties, Inc., 762 N.E.2d 181, 188 (Ind. Ct. App. 2002) (noting that, in addition to proving existence of a contract, breach, and damages, a plaintiff must show that “the defendant’s breach was a substantial factor contributing to the damages” and that damages were foreseeable “at the time of

entering into the contract”); Hi-Tec Properties, LLC v. Murphy, 14 N.E.3d 767, 776 (Ind. Ct. App. 2014) (“The damages claim for such a breach must be the natural, foreseeable, and

4 The allegations of breach for Count II (Negligence) and Count III (Gross Negligence) are almost identical to Count I. (DE 6 ¶¶ 115, 122.) The allegations of breach in the other claims do differ to some degree, but not in ways that are relevant toward the causation issue present here. For example, for the fraudulent misrepresentation claim in Count V, Plaintiffs allege that “Blackbaud made misrepresentations that it could, among other things, comply with such federal law and regulations as well as industry standards to maintain reasonable and appropriate physical, administrative, and technical measures to keep Private Information confidential,” that Blackbaud knew these representations were false or recklessly ignored the falseness of the representations, and that the misrepresentations based on its representations was an inducement for executing the agreement with Blackbaud. (Id. ¶¶ 138–140.) However, even though this claim alleges a different theory of why the breach happened, it fails to provide any reasonable explanation for why the Plaintiffs spent money on their various Remediation Damages. Rather, without any further detail, Plaintiffs claim in a conclusory manner that, “[a]s a direct and proximate result of Blackbaud’s fraudulent misrepresentation, Trinity Health, and its subrogee Aspen, suffered damages.” (Id. ¶¶ 140–41) As the Court explains, this is insufficient to plausibly allege causation, and each of Plaintiffs’ claims suffers from this same deficiency. proximate consequence of the breach.”); Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 635 (7th Cir. 2007) (Under Indiana law, “[c]ompensable damages are an element of a breach of contract cause of action as well”). Showing that the breach was a substantial factor contributing to the damages requires proving that the “damages flowed directly and naturally from the breach.”

Dana Companies, LLC v. Chaffee Rentals, 1 N.E.3d 738, 748 (Ind. Ct. App. 2013). Plaintiffs’ claim in Count VI for breach of a fiduciary duty requires a similar showing. The elements of breach of fiduciary duty are: “(1) the existence of a fiduciary relationship; (2) a breach of the duty owed by the fiduciary to the beneficiary; and (3) harm to the beneficiary.” Farmers Elevator Co. of Oakville, Inc. v. Hamilton, 926 N.E.2d 68, 79 (Ind. Ct. App. 2010) (citation omitted). Like a claim for breach of contract, “a breach of fiduciary duty . . . requires [a] plaintiff to prove that the alleged breach was a ‘substantial contributing factor’ to the alleged harm.” Konecranes, Inc. v. Davis, No. 1:12-CV-1700-JMS-MJD, 2014 WL 637230, at *5 (S.D. Ind. Feb. 18, 2014) (quoting W&W Equipment Co., Inc. v. Mink, 568 N.E. 2d 564, 576 (Ind. Ct. App. 1994)) (emphasis added).

While the contract claim and the breach of fiduciary duty claim require showing that causation was a substantial factor to the damages, to succeed on the negligence claims in Counts II, III, and IV, the Plaintiffs must show “(1) a duty owed to plaintiff by defendant, (2) breach of duty by allowing conduct to fall below the applicable standard of care, and (3) a compensable injury proximately caused by defendant’s breach of duty.” Bader v. Johnson, 732 N.E.2d 1212, 1216–17 (Ind. 2000) (emphasis added). In Indiana, “a negligent act is said to be the proximate cause of an injury ‘if the injury is a natural and probable consequence, which in the light of the circumstances, should have been foreseen or anticipated.’” D.H. by A.M.J. v. Whipple, 103 N.E.3d 1119, 1134 (Ind. Ct. App. 2018) (quoting Bader, 732 N.E.2d at 1218). “The foreseeability component of proximate cause requires an evaluation of the facts of the actual occurrence.” Humphery v. Duke Energy Indiana, Inc., 916 N.E.2d 287, 291 (Ind. Ct. App. 2009) (citation omitted). Like their negligence claims, Plaintiffs’ claim for breach of fiduciary duty in Count VI requires a showing that the “injury to the complaining party [was] a proximate result”

of defendant violating a duty by making a deceptive material misrepresentation. Harmon v. Fisher, 56 N.E.3d 95, 99 (Ind. Ct. App. 2016). The failure to properly allege causation warrants dismissal. Johnson v. Wal-Mart Stores, Inc., 588 F.3d 439, 445 (7th Cir. 2009) (“Courts remain entirely free to dismiss a claim supported by prima facie evidence where the pleadings do not permit a reasonable inference of proximate cause.”); O’Brien v. Intuitive Surgical, Inc., No. 10 C 3005, 2011 WL 3040479, at *1 (N.D. Ill. July 25, 2011) (“Without some explanation of how the [breach] caused his injuries, [plaintiff] could not ‘plausibly suggest’ proximate causation or, it follows, ‘a right to relief.’”). Therefore, the Court may grant the motion to dismiss if the Complaint failed to plausibly allege (1) that Blackbaud’s contractual and fiduciary breaches were a substantial factor in their

Remediation Damages; and (2) that Blackbaud’s negligence and fraudulent misrepresentation were proximate causes of Plaintiff’s Remediation Damages. The Court finds that Plaintiffs have failed to adequately plead causation for each of their claims. Plaintiffs include allegations explaining how they believe Plaintiffs’ conduct caused the breach, but they fail to include any allegations explaining why the breach led to them making these expenditures. For each Count, Plaintiffs have a conclusory allegation that “as a direct and proximate result of Blackbaud’s breaches . . . [defendants] suffered damages” and that the “Remediation Damages [were] necessitated by the Incident.” (DE 6 ¶¶ 109–150.) However, without any allegations explaining why they had to spend these amounts, the Court is left to speculate how Blackbaud’s breaches caused Trinity Health’s Remediation Damages: was Trinity Health’s own data compromised in the attack, exposing them to a risk of valuable lost information it hoped to reduce in advance by making these expenditures? Or did the loss of Trinity Health’s donor and patient data pose a threat to Trinity Health’s reputation, which it

hoped to restore with the expenditures by demonstrating to its donors and patients that it was taking the data breach seriously? Perhaps Plaintiffs, knowing that these expenses were largely covered by their insurance plan, paid for them in an abundance of caution? In the absence of further allegations fleshing this out, Plaintiffs cannot “plausibly suggest” that the alleged contractual or fiduciary breach was a “substantial factor” contributing to their damages or that the alleged negligent or fraudulent acts proximately caused them to pay for call centers, credit monitoring, legal counsel, computer systems recover, data recovery, and data migration services. Other courts have come to similar conclusions in analogous data breach cases. For example, in the In re Sony Gaming Networks and Customer Data Security Breach Litigation, plaintiffs alleged that as a result of a data breach they had their “personal information . . . stolen”

and that they “purchased credit monitoring services . . .” 996 F. Supp. 2d 942, 965 (S.D. Cal. 2014). The court started its analysis by noting that, in “assessing whether credit monitoring services in the context of data breach cases are recoverable in negligence, courts have generally analogized to medical monitoring cases, which require a plaintiff to plead that the monitoring costs were both reasonable and necessary.” Id. at 970 (citing Pisciotta, 499 F.3d at 639). Therefore, “where a state allows for medical monitoring damages (as does California) and a plaintiff has sufficiently alleged a threat of identity theft . . . a plaintiff may seek to recover expenses to purchase credit monitoring services.” Id. The Court in Sony Gaming Networks ultimately held that the plaintiffs failed to adequately allege causation because they failed to “allege . . . any instances of identity theft resulting from the intrusion.” Id. The allegations of causation in the instant case are even weaker than in Sony Gaming Networks.5 In Sony Gaming Networks, the plaintiffs at least alleged that “they were harmed as a

result of Sony’s unlawful conduct because . . . they now have an increased risk of future identity theft” and that they incurred expenses to purchase credit monitoring services in order to mitigate this risk. 996 F. Supp. 2d at 960, 970. However, even with the allegation that they faced an increased risk of identity theft, the court still found that plaintiffs “failed to allege why the . . . prophylactic costs [of credit monitoring services] were reasonably necessary, and therefore proximately caused by Sony’s alleged breach.” Id. at 970. Meaning, the court found the allegations insufficient even where the complaint alleged (1) a data breach (2) resulting in an increased risk of future identity theft and (3) expenditures as a result of that increased risk. According to the court in Sony Gaming Networks, even though there was an increased risk of future identity theft, this failed to meet California’s standard for recovering monitoring costs

because it did not allege a significant exposure of personal information nor that identity theft had already occurred. Id. If anything, the allegations here are even more sparse: Plaintiffs fail to

5 In other data breach cases, Plaintiffs who have survived motions to dismiss alleged the reason they had to make certain mitigating expenditures. For example, in the In re Equifax, Inc., Customer Data Security Breach Litigation, a class of consumers whose personal information was stolen during a data breach brought a negligence claim. 362 F. Supp. 3d 1295 (N.D. Ga. 2019). The court held that causation was sufficiently alleged where the plaintiffs “allege[d] that [the class had] been harmed by having to take measures to combat the risk of identity theft . . . by expending time and effort to monitor their credit and identity, and that they all face a serious and imminent risk of fraud and identity theft due to the Data Breach.” Id at 1311. Other courts have similarly denied motions to dismiss where the plaintiffs alleged (1) that they had suffered an injury from having their private information disseminated and (2) had to undertake certain expenses to mitigate that injury. See In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., No. CV 19-MD-2904, 2021 WL 5937742, at *7, 17 (D.N.J. Dec. 16, 2021) (denying a motion to dismiss where Plaintiffs alleged that they had experienced harms such as “fraudulent charges” which required expenses to “mitigate their injury” and “that if Defendants had used reasonable care in selecting and monitoring their collection agency, AMCA would not have had access to Plaintiffs’ Personal Information and the Information would not have been wrongfully accessed”). allege that they suffered any harm requiring them to spend money on the Remediation Damages and provide no allegations as to why they made these expenditures, let alone allegations making it plausible that Blackbaud’s negligence was the proximate cause of their damages or that Blackbaud’s breaches were a substantial factor contributing to their damages.

Even if Plaintiffs had alleged that there was a significant threat of some type of increased risk of future identity theft, they would still be unable to recover, since risk of future identity theft is not a compensable harm in Indiana.6 Unlike California in Sony Gaming Networks, Indiana does not allow recovery for medical monitoring damages, which is an analogous area of the law courts often turn to when deciding whether a cause of action is available for damages based on a risk of future identity theft. “[I]n AlliedSignal, Inc. v. Ott, 785 N.E2d 1068 (Ind. 2003), the Supreme Court of Indiana held that no cause of action accrues, despite incremental physical changes following asbestos exposure, until a plaintiff reasonably could have been diagnosed with an actual exposure-related illness or disease.” Pisciotta, 499 F.3d at 639. The Supreme Court of Indiana recently “decline[d] to reconsider Ott’s holdings due to the principles

of stare decisis and legislative acquiescence. . . .” Myers v. Crouse-Hinds Div. of Cooper Indus., Inc., 53 N.E.3d 1160, 1162 (Ind. 2016). The Seventh Circuit has followed this analogous line of case law and determined that the cost of credit monitoring to mitigate a risk of future identity theft is not a compensable injury in Indiana. In Pisciotta v. Old National Bancorp, the Seventh Circuit had to “determine whether Indiana would consider that the harm caused by identity information exposure, coupled with the attendant costs to guard against identity theft, constitutes an existing compensable injury and consequent damages required to state a claim for negligence

6 It does not appear that Plaintiffs could allege that their personal data was exposed. After all, this was not their personal data, but rather their donors and patients’ personal data. or for breach of contract.” 499 F.3d at 635. This was a “novel question of state law,” and so the Seventh Circuit conducted a lengthy examination of various sources, including Indiana’s statute concerning database security breaches, analogous Indiana cases, and the law in other jurisdictions. Id. at 637–640. The Seventh Circuit considered the Supreme Court of Indiana’s

decision in Ott, and ultimately held that the harm “caused by identity information exposure, coupled with the attendant costs to guard against identity theft” did not constitute a compensable injury under either a negligence claim or a contract claim brought pursuant to Indiana law. Id. at 635, 640; see In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 978 (N.D. Cal. 2016) (finding that, in light certain changes in Indiana’s statutes surrounding data breaches, that Pisciotta’s holding still remained applicable to data breach actions). Therefore, even if Plaintiffs had alleged that they experienced a harm in the form of identity information exposure, in Indiana this would be insufficient to support their claim for Remediation Damages. In their response, Plaintiffs make another argument that can be disposed of for similar

reasons. Plaintiffs argue that they had to incur the “Remediation Costs in order to mitigate damages caused by Blackbaud’s breaches” pursuant to a common law duty. (DE 42 at 9–10.) Plaintiffs cite to two cases for the proposition that a non-breaching party must act reasonably to take measures to reduce the damages caused by the breach or face having their damages awarded against a defendant reduced: Scott-Larosa v. Lewis, 44 N.E. 3d 89 (Ind. Ct. App. 2015) and Barnes & Thornburg LLP v. Hayes Lemmerz Intern., Inc., No. 02D01-0801-PL-8, 2012 WL 1136164 (Ind. Super. Feb 29. 2012). (Id.) However, this common law duty is clearly inapplicable here. In Indiana, Plaintiffs have a “right to damages for the loss actually suffered as a result of the breach . . . but not to be placed in a better position than [she] would have been if the contract had not been broken.” Fischer v. Heymann, 12 N.E.3d 867, 871 (Ind. 2014) (citations and quotation marks omitted). Therefore, “a non-breaching party” must “make a reasonable effort to

act in such a manner as to decrease the damages caused by the breach.” Id. (citations and quotation marks omitted). Meaning, “the non-breaching party to a contract has a duty to mitigate damages that stem from the breach.” Maples Health Care, Inc. v. Firestone Bldg. Prod., 162 N.E.3d 518, 530 n.5 (Ind. Ct. App. 2020). However, in both cases Plaintiffs cite, the plaintiff alleged that he (1) experienced a harm which (2) could be mitigated. See Scott-LaRosa, 44 N.E.3d at 94 (holding that a plaintiff whose co-lessor failed to pay rent could only recover one and half month’s rent from the co-lessor, since she failed to mitigate the damages by seeking another roommate or terminating the lease); Barnes & Thornburg LLP v. Hayes Lemmerz Intern., Inc., No. 02D01-0801-PL-8, 2012 WL 1136164 (Ind. Super. Feb. 29, 2012) (“Courts have consistently recognized that an injured party is allowed to recover the expenses incurred in

a reasonable effort to mitigate damages.”) As explained above, Plaintiffs fail to allege any harm which could potentially trigger a duty to mitigate (for example, a risk to their identity or harm to their reputation). The common law duty to mitigate would only potentially be relevant when the plaintiff alleges a harm that could be mitigated. To their credit, elsewhere in their response, Plaintiffs do attempt to explain the reason why they paid these remediation expenses. Plaintiffs argue that, unlike individuals, Trinity Health had statutory obligations under HIPAA and other “similar” state and federal statutes which required Plaintiffs to “incur costs for legal advice, a computer forensic investigation, maintenance of a call center, and the cost of printing and mailing the written notices.” (DE 42 at 10.) Plaintiff also provides an affidavit from the incident commander for the Blackbaud Security Breach, Fran Petonic, who was employed by Trinity Health. (DE 42-1.) The affidavit provides in pertinent part (1) Plaintiffs believed their patients were potentially at risk of imminent harm, (2) that they could not ignore the matter and fail to notify the affected individuals of the security

breach due to its statutory obligation under the HIPAA Breach Notification Rule, and (3) then began to conduct its own investigation to determine what data was potentially impacted. (Id ¶ 5.) Even though many of the allegations in the response and attached affidavit do not appear in the Complaint, “a plaintiff need not put all of the essential facts in the complaint; he may add them by affidavit or brief” so long as the “facts are consistent with the allegations in the complaint.” Help At Home Inc. v. Med. Cap., L.L.C., 260 F.3d 748, 753 (7th Cir. 2001); see Dopson v. Corcoran, No. 19 C 5077, 2020 WL 3268513, at *6 (N.D. Ill. June 17, 2020) (“[T]he court may consider additional allegations consistent with the complaint.”); Newbold v. State Farm Mut. Auto. Ins. Co., No. 13 C 9131, 2015 WL 13658554, at *4 (N.D. Ill. Jan. 23, 2015) (“The Court may consider additional facts set forth in a response brief opposing a motion to

dismiss so long as they are not inconsistent with the existing allegations in the complaint.”). The Court believes that these allegations are consistent with the Complaint, and therefore will consider them. However, the Court finds that none of the statutes cited by Plaintiffs in their response and affidavit required them to make these expenses and, therefore, their Complaint still fails to plausibly allege causation. First, Plaintiffs assert in their response that “the Indiana Breach Notification Statute required Trinity Health to provide notice to affected Indiana residents . . . [which] required Plaintiffs to incur costs for legal advice, a computer forensic investigation, maintenance of a call center, and the cost of printing and mailing the written notices.” (DE 42 at 10.) This misdescribes their obligations under the Indiana Breach Notification Statute, which “require[s] only that a database owner disclose a security breach to potentially affected consumers” and “do[es] not require the database owner to take any other affirmative act in the wake of a breach.” Pisciotta, 499 F.3d at 637; see also Ind. Code § 24-4.9-3-1 (“After discovering . . . a breach of the security

of data, the data base owner shall disclose the breach to an Indiana resident whose . . . unencrypted personal information was or may have been acquired by an unauthorized person . . . or encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key.”). Because the Indiana Breach Notification Statute did not require Trinity Health to take any affirmative action in the wake of the breach other than disclosure, citing it does not provide a plausible reason why the breach caused Trinity Health to spend these Remediation Damages. The next statute that Plaintiffs direct the Court to is a section under HIPPA: 45 C.F.R. § 164.530(f). (DE 42 at 17.) Under this section, “a covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of

protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.” 45 C.F.R. § 164.530(f). Trinity Health, according to the allegations in the Complaint, was a covered entity. (DE 6 ¶¶ 21–22). Therefore, Plaintiffs argue that, as a covered entity, when they determined that the breach had created a likelihood of imminent harm, this resulted in them having a duty to provide “call center and credit monitoring for [affected individuals]” as part of their duty to mitigate. (DE 42 at 11–12.) They assert that because of this statutory obligation to provide call centers and credit monitoring, their expenditures were the natural, foreseeable, and proximate consequence of Blackbaud’s breach. However, Plaintiffs provide no case law indicating that a call center, credit monitoring, or any of their other remediation expenses were required as a mitigation expense under HIPAA. Plaintiffs cite to a data, security & privacy law treatise, which states that the “mitigation of the harmful effect under HIPAA will depend on the type of incident and potential harmful effect to

the affected individual, but might include notification of the individual . . . credit monitoring services, among other potential mitigation efforts.” 2 Data Sec. & Privacy Law § 12:53 (2021– 2022) (emphasis added). But this source merely provides a list of what mitigation might include, cites no cases in support, and says nothing about what mitigation efforts are obligated under HIPAA. Since Plaintiffs fail to develop this argument by citing to any pertinent authority, the Court deems it waived. United States v. Berkowitz, 927 F.2d 1376, 1384 (7th Cir. 1991) (“[P]erfunctory and undeveloped arguments, and arguments that are unsupported by pertinent authority, are waived . . . .”). Even if Plaintiffs had not waived this argument, there is strong reason to believe that 45 C.F.R. § 164.530(f) does not compel a covered entity to expend millions of dollars to reduce the

risk of the harmful effect of a data breach on consumers. After 45 C.F.R. § 164.530(f) was promulgated, Congress passed a new law adding a notice requirement for disclosures constituting a “breach” of “unsecured PHI.” 42 U.S.C § 17932; see also 2013 Health L. Handbook § 5:17 (explaining that “[t]he Initial Privacy Rule [under 45 C.F.R. § 164.530(f)] required Covered Entities to mitigate disclosures of PHI that violated the Privacy Rule, but it did not specifically require a Covered Entity to notify Individuals of the breach” and that congress passed the HITECH Act, which “added a notice requirement”). The House of Representatives wrote in a conference report prior to enacting 42 U.S.C. § 17932 that it was necessary to pass that section of the HITECH Act as the current “Privacy and Security Rules promulgated pursuant to HIPAA [, including under 45 C.F.R. § 164.530(f), do] not require covered entities, providers, health plans or healthcare clearinghouses, to notify HHS or individuals of a breach of the privacy, security, or integrity of their protected health information.” H.R. REP. NO. 111-16, at 492 (Conf. Rep.). It would be unusual for 164.530(f) to require mitigation through the

expenditure of millions of dollars and yet not require mitigation through disclosure of the breach to affected consumers, as indicated by the House of Representatives Committee Report. Additionally, the Court has not found any case law indicating that 45 C.F.R. § 164.530(f) requires a covered entity to spend millions of dollars to mitigate the harm from a data breach. Therefore, it appears that 45 C.F.R. § 164.530(f) did not require Plaintiffs to spend money on these Remediation Damages, and so Plaintiffs still have not plausibly alleged causation. Finally, in the attached affidavit, Plaintiffs allege Trinity Health had to “notify the affected individuals of the security breach” due to its obligations under the HIPAA Breach Notification Rule under 45 C.F.R. § 164.400-414 and “therefore took steps to begin its own investigation,” which included obtaining IT support and hiring legal counsel, and then, based on

the investigation, set up call centers, credit monitoring services, and sent out written notifications via the United Postal Service. (DE 42-1 ¶ 5-7.) However, besides pointing to the breach statute and providing a citation, Plaintiffs again fail to cite to any cases interpreting the breach notification provisions of HIPAA, provide no analysis of the text of these provisions, and neglect to even include the text of these provisions. Rather, in a conclusory manner, they assert that a complex web of 14 provisions, spanning from 45 C.F.R. 164.400 to 164.414, somehow result in them having to make these expenditures. Since Plaintiffs fail to include any authority to support their position that the breach notification provision required these expenditures, the Court deems it waived. Berkowitz, 927 F.2d at 1384 (“[P]erfunctory and undeveloped arguments, and arguments that are unsupported by pertinent authority, are waived . . . .”). The Court also notes that the HIPAA Breach Notification Statute, on its face, does not appear to require the expenditure of these funds. The HIPAA Breach Notification Statute, 45

C.F.R. § 164.404, states that a “covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.” 45 C.F.R. § 164.404(a). The Court sees nothing here imposing an affirmative obligation on Trinity Health to make these expenditures. To the extent there is authority for this position somewhere in the statute, Trinity Health has waived this argument by failing to include any authority in support. Given that Plaintiffs have been unable to find any case law supporting that they were required to expend these sums in mitigation efforts, and have failed to provide any other allegations explaining why they spent these Remediation Damages, the Court finds that plaintiffs

have failed to plausibly allege (1) that Blackbaud’s contractual and fiduciary breaches were a substantial factor in causing their Remediation Damages and (2) that Blackbaud’s negligence and fraudulent misrepresentation were a proximate cause of Plaintiff’s Remediation Damages. Therefore, the Court finds that Plaintiffs have failed to adequately allege causation for each of their claims, and the Complaint must be dismissed.

(b) Negligence Claims are Separately Barred Under Economic Loss Rule The Court also finds that a second, alternative ground justifies dismissal of each of Plaintiffs’ negligence claims (Counts II, III, and IV). In their Complaint, Plaintiffs’ allegations concerning Blackbaud’s breach of contract (Count I) and Blackbaud’s negligence (Count II and III) mirror each other.7 Blackbaud argues that Indiana’s economic loss rule applies, since all of the “purportedly negligent conduct is covered by the MSA and BAA.” (DE 10 at 19–21.) The Court agrees and finds that Plaintiffs’

negligence (Count II and III) and negligent misrepresentation (Count IV) claims are barred by Indiana’s economic loss rule. The economic loss rule specifies “that a party to a contract or its agent may be liable in tort to the other party for damages from negligence that would be actionable if there were no contract, but not otherwise.” Koehlinger v. State Lottery Comm’n of Indiana, 933 N.E.2d 534, 542 (Ind. Ct. App. 2010); see also Gunkel v. Renovations, Inc., 822 N.E.2d 150, 152 (Ind. 2005) (“[U]nder [the economic loss doctrine], contract is the only available remedy where the loss is solely economic in nature, as where the only claim of loss relates to the product’s failure to live up to expectations, and in the absence of damage to other property or person.”). “The rule embodies a judgment that tort law is a superfluous and inapt tool for resolving purely

7 For example, with the breach of contract claim, Plaintiffs allege: Blackbaud breached its duties under the Agreement and BAA by, among other things, failing to adequately protect consumers’ Private Information; failing to properly and adequately determine whether it was susceptible to a data breach; failing to properly maintain and monitor its own data security programs for intrusions; failing to remove old unused and obsolete data containing Private Information or to encrypt such information; failing to heed vendor announcements regarding the sunset of certain databases, leaving client information on older databases that were more vulnerable to cyberattack . . . . (DE 6 ¶ 105.) Then, with their claim for negligence, Plaintiffs allege: Blackbaud's breach of duties included, but is not limited, failing to adequately protect consumers’ Private Information; failing to properly and adequately determine whether it was susceptible to a data breach; failing to properly maintain and monitor its own data security programs for intrusions; failing to remove old unused and obsolete data containing Private Infonnation or to encrypt such information; and, failing to heed vendor announcements regarding the sunset of certain databases, leaving client information on older databases that were more vulnerable to cyberattack. (Id. ¶ 115.) commercial disputes[,]’ which ought instead to be resolved by a body of law designed for such disputes[,] that is, the law of contracts.” DMC Mach. Am. Corp. v. Heartland Mach. & Eng’g, LLC, No. 117CV00369SEBMPB, 2019 WL 175272, at *3 (S.D. Ind. Jan. 11, 2019) (citations and quotation marks omitted). The question therefore is whether each claim alleges that

Blackbaud did anything “constitute[ing] an independent tort if there were no contract.” Greg Allen Const. Co. v. Estelle, 798 N.E.2d 171, 175 (Ind. 2003). Plaintiffs point to two potential duties which they claim could give rise to a negligence claim outside of Blackbaud’s contractual duties: (1) a duty to protect private information; and (2) a fiduciary duty. First, Plaintiffs claim that “Blackbaud’s legal duty to protect the Private Information it was entrusted with is independent of the Agreements.” (DE 42 at 23.) This is a conclusory allegation which does not actually explain where this independent duty comes from, and so the argument is waived. Berkowitz, 927 F.2d at 1384 (“[P]erfunctory and undeveloped arguments, and arguments that are unsupported by pertinent authority, are waived . . . .”). Plaintiffs elsewhere appear to argue that HIPAA could provide an independent duty which could support a

tort claim, apart from Blackbaud’s contractual obligation. (DE 42 at 26.) However, Courts in Indiana have held that HIPAA itself cannot provide the standard of care in a common law negligence action. Henry v. Cmty. Healthcare Sys. Cmty. Hosp., 134 N.E.3d 435, 437 (Ind. Ct. App. 2019) (“[T]o establish the standard of care in a common law negligence action [and] [t]o ensure that litigants are not enabled to make an end-run around the lack of a private right of action under HIPAA . . . there must first be a common law duty.”). Therefore, HIPAA cannot provide the independent duty necessary to bring these negligence claims. Second, Plaintiffs argue that Blackbaud had an independent fiduciary duty to protect this information. (DE 42 at 23.) The only allegation in the Complaint concerning fiduciary duty is that “Blackbaud acted for the benefit of Trinity Health by maintaining Trinity Health’s data on Blackbaud’s network, server, and/or software in a fiduciary capacity as trustee.” (DE 6 ¶ 145 (emphasis added).) However, there are no facts alleged in the Complaint supporting the conclusion that Blackbaud was a trustee. See Brooks v. Ross, 578 F.3d 574, 581 (7th Cir. 2009)

(“[A] court need not accept as true legal conclusions or threadbare recitals of the elements of a cause of action, supported by mere conclusory statements.”). In Indiana, a trust “is a fiduciary relationship between a person who, as trustee, holds title to property and another person for whom, as beneficiary, the title is held.” Fulp v. Gilliland, 998 N.E.2d 204, 207 (Ind. 2013); Kesling v. Kesling, 967 N.E.2d 66, 80 (Ind. Ct. App. 2012). As Blackbaud notes in its motion to dismiss, “Plaintiffs have not alleged a single fact [in their Complaint] that even hints that Blackbaud ‘holds title to property’ of Plaintiffs.” (DE 10 at 25.) The Court agrees. There are no allegations in the Complaint that Blackbaud held title to any property of the Plaintiffs. Therefore, a fiduciary duty based on Blackbaud being a trustee cannot support their negligence claims. In their response, however, Plaintiffs now argue that Blackbaud was actually in an

agency relationship with Plaintiffs. Plaintiffs claim that the legal label of “trust” in the Complaint was “inartful” and that what they actually meant to plead in substance is that Blackbaud was an “agent of Trinity Health” in an agency relationship. (DE 42 at 28.) Plaintiffs argue that because Blackbaud, under the MSA, was responsible for handling PHI, Blackbaud was Trinity Health’s agent. (Id. at 27.) However, this argument fails for multiple reasons. First, while it is true that pleadings should be construed for their “substance rather than according to its form or label,” Birch v. Kim, 977 F. Supp. 926, 936 (S.D. Ind. 1997), there are no factual allegations in the Complaint that would make it plausible that Blackbaud was in an agency relationship with Trinity Health. Actual agency requires that three elements be shown: “(1) manifestation of consent by the principal, (2) acceptance of authority by the agent, and (3) control exerted by the principal over the agent.” Demming v. Underwood, 943 N.E.2d 878, 883 (Ind. Ct. App. 2011). To satisfy the control element, it is necessary that the agent be subject to the control of the principal with respect to the details of the work. Bunger v. Demming, 40

N.E.3d 887, 893 (Ind. Ct. App. 2015). But there are no facts alleged regarding manifestation of consent to an agency relationship, acceptance of authority by the agent, or control by Trinity Health over the details of Blackbaud’s performance. Second, the Master Services Agreement which Plaintiffs attach to their Complaint explicitly states that Blackbaud was not in an agency relationship with Trinity Health: In performing any and all of its obligations under this Agreement, Vendor shall at all times and for all purposes be and remain an independent contractor and in no case and under no circumstances shall Vendor or any of its Personnel, be considered or otherwise deemed to be employees or agents of Trinity or its Affiliates for any purposes whatsoever. (Exhibit A, DE 6, at 21 (emphasis added).) Given that the exhibit was attached to the Complaint, it is proper not only to take it into account, but to allow the exhibit to control where it conflicts with the Complaint. Forrest v. Universal Sav. Bank, F.A., 507 F.3d 540, 542 (7th Cir. 2007). Other courts have found that a contractual agreement which disclaims an agency relationship demonstrates a lack of mutual consent. Litsinger v. Forest River, Inc., 536 F. Supp. 3d 334, 366 (N.D. Ind. 2021) (finding that the record lacked “reasonable indicia of mutual consent or control to establish agency” where the purchase agreement “thrice disclaimed any agency relationship”). Given that Plaintiffs’ Complaint fails to allege any facts supporting an agency relationship, and that the contract explicitly disclaims an agency relationship, the Court finds that Plaintiffs have failed to plausibly allege a fiduciary relationship between Trinity Health and Blackbaud.8 Unable to point to a separate duty, Plaintiffs next argue that two exceptions to the economic loss rule apply. First, the Plaintiffs argue that their claims fall into the damaged

property exception to the economic loss rule. The “economic loss rule” only applies where a plaintiff has suffered pure economic loss, meaning loss “not resulting from an injury to the plaintiff’s person or property.” Indianapolis-Marion Cnty. Pub. Libr. v. Charlier Clark & Linard, P.C., 929 N.E.2d 722, 731 (Ind. 2010). Plaintiffs assert that the “Complaint alleges that Trinity Health’s computer system and database was damaged because of Blackbaud’s negligence.” (DE 42 at 25.) In support of this claim, they cite paragraph 92 of the Complaint. However, nowhere in Paragraph 92 do Plaintiffs allege that there was any physical harm to their computer system and database.9 Additionally, such a claim is inconsistent with the rest of their Complaint, as they alleged in the Complaint that data was only copied. (DE 6 ¶ 82.) Accordingly, since there are no allegations that the plaintiffs’ person or property was harmed, the exception

does not apply. Next, Plaintiffs argue that the economic loss rule does not apply to their negligent misrepresentation claim in Count IV, citing to DMC Mach. Am. Corp., No. 117-CV-00369, 2019 WL 175272, at *4. (DE 42 at 24.) DMC Machinery does state that “negligent misrepresentation .

8 The Court notes that this also means that Count VI is not plausibly alleged, since a breach of fiduciary duty claim requires showing: “(1) the existence of a fiduciary relationship; (2) a breach of the duty owed by the fiduciary to the beneficiary; and (3) harm to the beneficiary.” Farmers Elevator Co. of Oakville, Inc. v. Hamilton, 926 N.E.2d 68, 79 (Ind. Ct. App. 2010). Since Plaintiffs have not plausibly alleged the existence of a fiduciary relationship, they have failed to plausibly allege Count VI. 9 Paragraph 92 reads: “[i]n accordance with the terms of the Policy, Trinity Health paid amounts covered under the retention for Remediation Damages incurred because of the Incident, including, but not limited to, credit monitoring services and call centers, legal counsel, computer systems recovery, and data recovery and data migration services (the “Remediation Damages”).” (DE 6 ¶ 92.) There are no allegations that the computer systems suffered any physical harm in this paragraph. . . is recognized in Indiana as one of the exceptions to the economic loss rule.” DMC Mach. Am. Corp., No. 117-CV-00369, 2019 WL 175272, at *4 (citing U.S. Bank, N.A. v. Integrity Land Title Corp., 929 N.E.2d 742, 744 (Ind. 2010). However, the court goes on to describe how this exception is a limited one: “[o]rdinarily, however, when the parties share a connection in

contract . . . the economic-loss rule nonetheless remits the negligent-misrepresentation plaintiff to its contract remedies, if any.” Id. (citation omitted); see also Indianapolis-Marion Cnty. Pub. Libr. v. Charlier Clark & Linard, P.C., 929 N.E.2d 722, 741 (Ind. 2010) (“[A] claim of negligent misrepresentation [is] an exception to the general economic loss rule where a mortgage lender not in privity of contract with a title company seeks to recover the title company’s negligence in issuing a title commitment that filed to disclose an encumbrance.”). Therefore, because there is a contract, this exception does not apply.10 Accordingly, because Plaintiffs have been unable to point to an independent duty outside of contract and no exception applies, the economic loss rule bars Plaintiffs negligence claims under Counts II, III, and IV.

(c) Claim V not Alleged with Particularity under Rule 9(b) A special rule applies for pleading fraud: under Rule 9(b), “a party must state with particularity the circumstances constituting fraud . . . .” Fed. R. Civ. P. 9(b) (emphasis added). “This ordinarily requires describing the ‘who, what, when, where, and how’ of the fraud . . . .”

10 Plaintiffs cite to Inoveteus Solar LLC v. Polamer Precision, Inc., 2018 WL 8758528, at *4 (N.D. Ind. 2018) in support. However, in that case, the court was considering a constructive fraud claim. The economic loss rule categorically “does not apply to fraud claims.” DMC Mach. Am. Corp., No. 117CV00369SEBMPB, 2019 WL 175272, at *4. However, negligent misrepresentation is a distinct claim. The exception for negligent misrepresentation is more limited, as described above, and when privity of contract exists, the exception does not apply unless “special circumstances and overriding public policies” council towards allowing tort liability. Id. (citing U.S. Bank, 929 N.E.2d at 748–49). Plaintiffs did not make any argument concerning public policy. AnchorBank, FSB v. Hofer, 649 F.3d 610, 615 (7th Cir. 2011). However, “malice, intent, knowledge, and other conditions of a person’s mind may be alleged generally.” Fed. R. Civ. P. 9(b). Rule 9(b) applies to any claim “that is premised upon a course of fraudulent conduct.” Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 737 (7th Cir. 2014). Therefore, even

claims that are not definitionally fraudulent torts may “sound in fraud,” as long as they are premised upon a course of fraudulent conduct. See Borsellino v. Goldman Sachs Grp., Inc., 477 F.3d 502, 507 (7th Cir. 2007) (“Although claims of interference with economic advantage, interference with fiduciary relationship, and civil conspiracy are not by definition fraudulent torts, Rule 9(b) applies to ‘averments of fraud,’ not claims of fraud, so whether the rule applies will depend on the plaintiffs’ factual allegations.”). Count V is subject to the heightened pleading requirements of Rule 9(b). Plaintiffs allege that “Blackbaud made misrepresentations that it could, among other things, comply with such federal law and regulations, as well as industry standards . . . to keep Private Information confidential and to protect it from unauthorized access and disclosure.” (DE 6 ¶ 138.) Plaintiffs

further allege that “Blackbaud either knew its representations to Trinity Health were false or recklessly ignored the falseness of its representations, because it was previously warned about process vulnerabilities . . . and because Blackbaud stored Trinity Health’s data on obsolete servers.” (Id. ¶ 139.) By alleging that there were material false misrepresentations made with knowledge or reckless ignorance of the falseness, this claim mirrors the elements of fraudulent misrepresentation in Indiana, and sounds in fraud.11 Accordingly, it is subject to Rule 9(b).

11 A material misrepresentation claims requires proving there was a “(i) material misrepresentation of past or existing facts by the party to be charged (ii) which was false (iii) which was made with knowledge or reckless ignorance of the falseness (iv) was relied upon by the complaining party and (v) proximately caused the complaining party injury.” Reed v. Reid, 980 N.E.2d 277, 292 (Ind. 2012) (quoting Rice v. Strunk, 670 N.E.2d 1280, 1289 (Ind. 1996)). Under Rule 9(b), Plaintiffs had to allege “the identity of the person making the misrepresentation, the time, place and content of the misrepresentation, and the method by which the misrepresentation was communicated to the plaintiff.” Uni-quality, Inc. v. Infotrax, Inc., 974 F.2d 918, 923 (7th Cir. 1992) (quoting Bankers Trust Co. v. Old Republic Ins. Co., 927 F.2d 988,

992–93 (7th Cir. 1992)). The allegations in Count V lack the required specificity. Plaintiffs merely allege that Blackbaud made “misrepresentations” concerning its ability to “comply with” federal law and industry standards and concerning its ability “to keep Private Information confidential,” but fail to allege the time and place of this misrepresentation or the method by which the misrepresentation was communicated to Trinity Health. This is insufficient under the heightened pleading requirements of Rule 9(b). Plaintiffs’ only argument in response is that Rule 9(b)’s application is “the result of Blackbaud improperly removing this lawsuit from Indiana state court to federal court thereby subjecting the Complaint to the Federal Rules of Civil Procedure.” (DE 42 at 25.) However, the Court has already explained that this lawsuit was properly removed from Indiana state court.

Additionally, even in Indiana under Indiana Trial Rule 9(b), “all averments of fraud must be pled with specificity as to the circumstances constituting fraud,” which requires “the party alleging fraud [to] specifically allege the elements of fraud, the time, place, and substance of false reports, and any facts what were misrepresented . . . .” Payday Today, Inc. v. Hamilton, 911 N.E.2d 26, 33–34 (Ind. Ct. App. 2009). Accordingly, the Court finds that Plaintiff has failed to adequately plead Count V under Rule 9(b).

(3) Request for Leave to Amend Plaintiffs have requested leave to amend the Complaint in the event we grant the motion to dismiss. (DE 42; DE 43.) Blackbaud opposes this request, arguing that the motion to amend unduly delays resolution of the case and that it would be unduly prejudiced by amendment. (DE 47.)

“The general rule is to freely permit plaintiffs to amend their complaint ‘once as a matter of course.’” Arlin-Golf, LLC v. Village of Arlington Heights, 631 F.3d 818, 823 (7th Cir. 2011) (quoting Fed. R. Civ. P. 15(a)). The Seventh Circuit has repeatedly said “that [a] plaintiff whose original complaint has been dismissed under Rule 12(b)(6) should be given at least one opportunity to try to amend her complaint before the entire action is dismissed.” Pension Tr. Fund for Operating Engineers v. Kohl’s Corp., 895 F.3d 933, 941 (7th Cir. 2018) (quoting Runnion ex rel. Runnion v. Girl Scouts of Greater Chi. & Nw. Ind., 786 F.3d 510, 519 (7th Cir. 2015)); Foster v. DeLuca, 545 F.3d 582, 584 (7th Cir. 2008); Barry Aviation Inc. v. Land O’Lakes Municipal Airport Comm’n, 377 F.3d 682, 687 & n. 3 (7th Cir. 2004) (collecting cases). However, District courts “may deny leave to amend . . . where there is a good reason to do so,”

such as “futility, undue delay, prejudice, or bad faith.” R3 Composites Corp. v. G&S Sales Corp., 960 F.3d 935, 946 (7th Cir. 2020) (internal quotation marks omitted). The Court does not believe that granting leave to amend would unduly delay this case or unfairly prejudice Blackbaud. This case is only eight months old and discovery has not yet begun. In other cases where a motion to amend has been denied, the motion to amend was often filed at a later point where discovery has already been commenced. Johnson v. Methodist Med. Ctr. of Illinois, 10 F.3d 1300, 1304 (7th Cir. 1993) (denying motion to amend where “the proposed complaint attempts to add a whole new theory of the case four years after this action was commenced. . . .”); Feldman v. Am. Mem’l Life Ins. Co., 196 F.3d 783, 793 (7th Cir. 1999) (affirming denial of motion to amend where “motion came six months after the March 7, 1997, close of discovery and three months after the district court set a briefing schedule for Prairie States’ motion for summary judgment.”); Cont’l Bank, N.A. v. Meyer, 10 F.3d 1293, 1298 (7th Cir. 1993) (affirming a denial of a motion to amend where motion came more than two years

after action was filed and the opposing party “would have been put to additional discovery, and thus prejudiced”). Additionally, unlike two of the cases which Blackbaud cites to support prejudice, Plaintiffs have filed their motion to amend prior to entry of judgment. M.R. v. Girl Scouts of Greater Chicago & Nw. Indiana, No. 1:12-CV-06066, 2012 WL 12542828, at *2 (N.D. Ill. Dec. 20, 2012) (denying a motion to amend where the plaintiff also filed a motion to alter or amend judgment under Rule 59(e)); Park v. Indiana Univ. Sch. of Dentistry, No. 1:10- CV-1408-WTL-WGH, 2011 WL 1792717, at *1 (S.D. Ind. May 9, 2011) (same). A plaintiff filing a motion to amend after an order granting a motion to dismiss has the benefit of that order to identify their complaint’s defects. In such a circumstance, the court’s order puts the party on notice of the flaws in their complaint, and it is more reasonable to expect that their motion to

amend would explain in particularity how they intend to fix the complaint. See Pension Tr. Fund for Operating Engineers, 895 F.3d at 941 (explaining that it may have been “better practice” for the district court to allow an amendment where the plaintiff was not put on notice of the flaws in their complaint by a prior court order granting a motion to dismiss). In this circumstance, the Court believes that the liberal pleading standard of Rule 15(a) justifies giving the Plaintiffs at least one opportunity to amend their Complaint. Bausch v. Stryker Corp., 630 F.3d 546, 562 (7th Cir. 2010) (“District courts routinely do not terminate a case at the same time that they grant a defendant’s motion to dismiss; rather, they generally dismiss the plaintiff’s complaint without prejudice and give the plaintiff at least one opportunity to amend her complaint.”). Even though there may be “doubts that [the plaintiffs] will be able to overcome the defect in [their] initial pleading[,]” the “federal rule policy of deciding cases on the basis of the substantive rights involved rather on technicalities requires that [a] plaintiff be given every opportunity to cure a formal defect in [their] pleading.” Barry Aviation Inc, 377 F.3d at

682, 687 & n. 3 (citation and quotation marks omitted). Therefore, the Court grants Plaintiffs’ motion to amend their pleading. D. Conclusion For the foregoing reasons, the Court GRANTS the unopposed motions for Aspen to join in Trinity Health’s motion to remand and reply. (DE 25; DE 34.) However, the Court DENIES

Plaintiffs’ motion to remand. (DE 22.) The Court GRANTS Blackbaud’s motion to dismiss without prejudice on all counts. (DE 9.) The Court also GRANTS Plaintiffs’ cross motion to file an amended complaint. (DE 42; DE 43.) The amended complaint must be filed by September 28, 2022, otherwise this case will be dismissed with prejudice.

SO ORDERED. ENTERED: August 30, 2022

/s/ JON E. DEGUILIO Chief Judge United States District Court