Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

CVS Pharmacy, Inc. v. Press America, Inc.

United States District Court, S.D. New York

January 3, 2018




         Since at least 2011, plaintiffs CVS Pharmacy, Inc. (“CVS Pharmacy”) and Caremark Rx LLC (“Caremark”) (collectively “CVS”) have contracted to provide pharmacy benefit management (“PBM”) services to beneficiaries of various health plans. CVS relies on Press America, Inc. (“Press America”) to assist with the printing and mailing of information to the plans' beneficiaries.

         One of CVS's clients is International Business Machines Corporation (“IBM”). Pursuant to its contract with IBM, CVS is responsible for, among other things, providing beneficiaries of IBM's health plan with mail order pharmacy services. Press America performs the mailing on CVS's behalf. Given the nature of the mailings, they often contain private health information (“PHI”).

         In August 2012, Press America incorrectly addressed mail containing beneficiaries' PHI, resulting in 41 unauthorized disclosures of IBM health plan beneficiaries' PHI. As a result of those disclosures, CVS credited IBM $1, 845, 000 and subsequently sought reimbursement from Press America. Press America declined, and CVS filed this action on January 10, 2017. On May 18, 2017, Press America moved to dismiss, arguing that it is not obligated to indemnify CVS for the payment to IBM. Because CVS has sufficiently stated claims for breach of contract, contractual indemnification, common law indemnification, and negligence, Press America's motion to dismiss must be denied.

         1. BACKGROUND[1]

         A. Agreements Between CVS and Press America

         On or about October 1, 2011, CVS entered into a Master Service Agreement and Statement of Work with Press America, whereby Press America agreed to provide printing and mailing services to CVS. Am. Compl. (ECF No. 28), ¶ 13. Section 2 of the Master Service Agreement stated that Press America would provide services that met “the minimum CVS Standards, ” which were set forth in the Statement of Work. Master Ag. § 2 (ECF No. 28-1, at 1). The parties also entered into a second Statement of Work, ECF No. 28-1, at 23, effective May 1, 2012 through April 30, 2013, specifically outlining the printing services for which Press America would be responsible. Am. Compl. ¶¶ 2, 13. Both Statements of Work were incorporated into the Master Agreement (collectively, the “Master Agreement”), which was submitted together with the Amended Complaint.

         In addition, CVS entered into a Business Associate Agreement with Press America (the “Business Associate Agreement”), ECF No. 28-2, which was intended to encourage compliance with the relevant privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Am. Compl. ¶ 14. In the Business Associate Agreement, Press America agreed not to use or disclose PHI except as specifically permitted by contract. Id. These provisions reflected CVS's “particular concern[]” about liability stemming from the disclosure of its clients' PHI. Id. ¶ 16.

         Moreover, each of CVS's contracts with Press America contain indemnity provisions. Am. Compl. ¶ 16. Under the Master Agreement, Press America “agrees (i) to indemnify and hold harmless CVS from and against any claims, liabilities, and damages to the extent same are due to [Press America's] negligence, willful misconduct, or breach of this Agreement or [Press America's] failure to comply with or abide by any applicable law . . . .” Master Ag. § 8.1. In addition, the Master Agreement requires that Press America maintain insurance sufficient to cover any losses incurred by CVS that were caused by Press America's disclosure of PHI. Am. Compl. ¶ 18 (citing Master Ag. § 8.3). Similarly, the Business Associate Agreement provides that Press America will:

indemnify and hold harmless CVS and any of its officers, directors, employees, or agents from and against any claim, cause of action, liability, damage, cost, or expense . . . arising out of or in connection with any breach of the terms of this Agreement, any Breach of Private Information under the control of [Press America] or its agents or subcontractors that requires notification under the HIPAA Rules or state law, or any failure to perform its obligations with respect to Private Information by [Press America], it[s] officers, employees, agents, or any person or entity under [Press America's] direction or control.

Bus. Assoc. Ag. § 6.0.

         B. Agreements Between CVS and IBM

         Pursuant to a “series of agreements” between CVS and IBM that were ultimately memorialized in an agreement that went into effect on January 1, 2012 (the “IBM Contract”), CVS “agreed to administer IBM's managed care pharmacy program.” Am. Compl. ¶ 15. The IBM Contract provides, among other things, that CVS would correspond with IBM employees about their prescribed medications via U.S. Mail. Id. Pursuant to the Second Statement of Work, Press America became responsible for “services that would be performed for CVS in connection with its work” under the IBM Contract. Id. ¶ 13.

         Most relevant for purposes of this motion, the IBM Contract requires that CVS comply with certain “performance standards.” Am. Compl. ¶ 26 (quoting IBM Ag. § 3.13). According to the IBM Contract, the “performance standards and any related fee adjustments are not intended to operate as liquidated damages, a penalty, or as an exclusive remedy but rather to correspond to the level of service being provided.” Am. Compl. ¶ 27 (quoting IBM Ag. § 3.13). One such performance standard, entitled “Protection of Confidential Participant Information, ” sets forth a fee that CVS must pay to IBM in the event of a “Protection of Information Failure, ” which is defined as:

[any] use or disclosure of Confidential Participant Information, Protected Health Information or Personal Data (collectively “Personal Information”) in the possession or control of CVS Caremark, its employees, agents, independent contractors or Subcontractors that is not provided for or permitted by this Agreement, including Breaches of Unsecured Protected Health Information and certain disclosures that would not qualify as a Breach of Unsecured Protected Health Information but that result in disclosure of Personal Information to an improper or incorrect third party, or that would require notice to the Participant under state or federal law as a data breach.

Id. ¶¶ 29, 30 & Ex. D. The fee is three percent of the annual fees at risk “for each Protection of Information Failure.” Am. Compl. ¶ 31 (emphasis in the original).

         C. The ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.