United States District Court, S.D. New York
MEMORANDUM OPINION AND ORDER
GREGORY H. WOODS UNITED STATES DISTRICT JUDGE.
at least 2011, plaintiffs CVS Pharmacy, Inc. (“CVS
Pharmacy”) and Caremark Rx LLC (“Caremark”)
(collectively “CVS”) have contracted to provide
pharmacy benefit management (“PBM”) services to
beneficiaries of various health plans. CVS relies on Press
America, Inc. (“Press America”) to assist with
the printing and mailing of information to the plans'
CVS's clients is International Business Machines
Corporation (“IBM”). Pursuant to its contract
with IBM, CVS is responsible for, among other things,
providing beneficiaries of IBM's health plan with mail
order pharmacy services. Press America performs the mailing
on CVS's behalf. Given the nature of the mailings, they
often contain private health information (“PHI”).
August 2012, Press America incorrectly addressed mail
containing beneficiaries' PHI, resulting in 41
unauthorized disclosures of IBM health plan
beneficiaries' PHI. As a result of those disclosures, CVS
credited IBM $1, 845, 000 and subsequently sought
reimbursement from Press America. Press America declined, and
CVS filed this action on January 10, 2017. On May 18, 2017,
Press America moved to dismiss, arguing that it is not
obligated to indemnify CVS for the payment to IBM. Because
CVS has sufficiently stated claims for breach of contract,
contractual indemnification, common law indemnification, and
negligence, Press America's motion to dismiss must be
Agreements Between CVS and Press America
about October 1, 2011, CVS entered into a Master Service
Agreement and Statement of Work with Press America, whereby
Press America agreed to provide printing and mailing services
to CVS. Am. Compl. (ECF No. 28), ¶ 13. Section 2 of the
Master Service Agreement stated that Press America would
provide services that met “the minimum CVS Standards,
” which were set forth in the Statement of Work. Master
Ag. § 2 (ECF No. 28-1, at 1). The parties also entered
into a second Statement of Work, ECF No. 28-1, at 23,
effective May 1, 2012 through April 30, 2013, specifically
outlining the printing services for which Press America would
be responsible. Am. Compl. ¶¶ 2, 13. Both
Statements of Work were incorporated into the Master
Agreement (collectively, the “Master Agreement”),
which was submitted together with the Amended Complaint.
addition, CVS entered into a Business Associate Agreement
with Press America (the “Business Associate
Agreement”), ECF No. 28-2, which was intended to
encourage compliance with the relevant privacy laws,
including the Health Insurance Portability and Accountability
Act of 1996 (“HIPAA”). Am. Compl. ¶ 14. In
the Business Associate Agreement, Press America agreed not to
use or disclose PHI except as specifically permitted by
contract. Id. These provisions reflected CVS's
“particular concern” about liability stemming
from the disclosure of its clients' PHI. Id.
each of CVS's contracts with Press America contain
indemnity provisions. Am. Compl. ¶ 16. Under the Master
Agreement, Press America “agrees (i) to indemnify and
hold harmless CVS from and against any claims, liabilities,
and damages to the extent same are due to [Press
America's] negligence, willful misconduct, or breach of
this Agreement or [Press America's] failure to comply
with or abide by any applicable law . . . .” Master Ag.
§ 8.1. In addition, the Master Agreement requires that
Press America maintain insurance sufficient to cover any
losses incurred by CVS that were caused by Press
America's disclosure of PHI. Am. Compl. ¶ 18 (citing
Master Ag. § 8.3). Similarly, the Business Associate
Agreement provides that Press America will:
indemnify and hold harmless CVS and any of its officers,
directors, employees, or agents from and against any claim,
cause of action, liability, damage, cost, or expense . . .
arising out of or in connection with any breach of the terms
of this Agreement, any Breach of Private Information under
the control of [Press America] or its agents or
subcontractors that requires notification under the HIPAA
Rules or state law, or any failure to perform its obligations
with respect to Private Information by [Press America], it[s]
officers, employees, agents, or any person or entity under
[Press America's] direction or control.
Bus. Assoc. Ag. § 6.0.
Agreements Between CVS and IBM
to a “series of agreements” between CVS and IBM
that were ultimately memorialized in an agreement that went
into effect on January 1, 2012 (the “IBM
Contract”), CVS “agreed to administer IBM's
managed care pharmacy program.” Am. Compl. ¶ 15.
The IBM Contract provides, among other things, that CVS would
correspond with IBM employees about their prescribed
medications via U.S. Mail. Id. Pursuant to the
Second Statement of Work, Press America became responsible
for “services that would be performed for CVS in
connection with its work” under the IBM Contract.
Id. ¶ 13.
relevant for purposes of this motion, the IBM Contract
requires that CVS comply with certain “performance
standards.” Am. Compl. ¶ 26 (quoting IBM Ag.
§ 3.13). According to the IBM Contract, the
“performance standards and any related fee adjustments
are not intended to operate as liquidated damages, a penalty,
or as an exclusive remedy but rather to correspond to the
level of service being provided.” Am. Compl. ¶ 27
(quoting IBM Ag. § 3.13). One such performance standard,
entitled “Protection of Confidential Participant
Information, ” sets forth a fee that CVS must pay to
IBM in the event of a “Protection of Information
Failure, ” which is defined as:
[any] use or disclosure of Confidential Participant
Information, Protected Health Information or Personal Data
(collectively “Personal Information”) in the
possession or control of CVS Caremark, its employees, agents,
independent contractors or Subcontractors that is not
provided for or permitted by this Agreement, including
Breaches of Unsecured Protected Health Information and
certain disclosures that would not qualify as a Breach of
Unsecured Protected Health Information but that result in
disclosure of Personal Information to an improper or
incorrect third party, or that would require notice to the
Participant under state or federal law as a data breach.
Id. ¶¶ 29, 30 & Ex. D. The fee is
three percent of the annual fees at risk “for each
Protection of Information Failure.” Am. Compl.
¶ 31 (emphasis in the original).