Lawsuit After Breach of Patient Information at Northeast Spine and Sports Medicine Gets Green Light from Judge

TRENTON, N.J. – A federal judge has ruled that portions of a third-party complaint stemming from a ransomware attack on a New Jersey medical provider can proceed, partially denying a motion to dismiss filed by the company’s former IT contractor.

U.S. District Judge Zahid N. Quraishi issued the opinion in Blackman v. Northeast Spine & Sports Medicine, LLC, a proposed class action filed by patient Lisa Blackman after a cyberattack allegedly exposed personal and medical data belonging to patients.

Blackman sued Northeast Spine & Sports Medicine in May 2024, alleging violations of HIPAA privacy and security rules, Federal Trade Commission data protection standards, negligence, and breach of implied contract. After removing the case to federal court, Northeast Spine filed a third-party complaint against CompassMSP, LLC, an IT services firm it claims was responsible for maintaining and securing its network.

According to court filings, Northeast Spine originally contracted with Greenpoint Business Solutions in 2017 for comprehensive IT management, cybersecurity, and compliance monitoring. Compass later acquired Greenpoint in 2018 and allegedly assumed its obligations under the services agreement. The medical practice argues Compass failed to prevent a ransomware attack that compromised sensitive patient information, resulting in class-wide damages.

Compass moved to dismiss, contending it had no direct liability for the breach and that its duties were contractual, not legal. Judge Quraishi found some claims lacked sufficient factual basis and dismissed them, but he allowed others — including claims tied to contractual indemnification and negligence theories — to move forward, ruling that factual disputes over Compass’s assumed responsibilities must be resolved through discovery.

The case highlights growing legal exposure for managed IT and cybersecurity firms serving healthcare clients amid an increase in ransomware attacks targeting medical networks.

Key points:
• Federal judge partially denied CompassMSP’s motion to dismiss in a ransomware-related lawsuit.
• The case stems from a data breach at Northeast Spine & Sports Medicine compromising patient information.
• Contract and negligence-based claims against Compass will proceed to discovery.
