An information technology company cannot be held liable for a data breach exposing the health information of patients of a unit of medical device maker Zoll Medical Corp, the First Circuit ruled, because the two companies did not have a business relationship permitting them to hold one responsible for another's conduct.

In a published opinion Thursday, the panel unanimously cleared Barracuda Networks Inc., turning away arguments made by Axis Insurance Co. in its derivative capacity as Zoll Services LLC's assignee.

Axis claimed that a lower court should have focused on the nature of the relationship between the businesses before handing Barracuda a summary judgment win. But U.S. Circuit Judge Gustavo A. Gelpí noted that Massachusetts law does recognize responsibility in certain circumstances, including employer-employee, principal-agent, manufacturer-retailer, and some independent contractor relationships.

"Axis must have presented sufficient evidence that would tend to show that Zoll and Barracuda had any of these types of relationships," Judge Gelpí wrote. "Axis presented no such evidence."

Chelmsford, Massachusetts-based Zoll hit Barracuda with a suit in 2020, claiming that one of its employees in 2018 left open a data port during a standard data migration. The mistake let unauthorized parties gain access to patients' health information for about seven weeks before anyone noticed, according to the suit.

Fusion LLC, another IT company that had worked with both Barracuda and Zoll, also brought claims.

The First Circuit found that Zoll and Barracuda did not have the type of relationship that can sustain a claim for equitable indemnification. It also found that Axis, a subrogee of Fusion, had not shown any right in the parties' original equipment manufacturer agreement that would suggest Fusion is entitled to anything in the event of a breach.

"The OEM is limited to the creation of a non-exclusive license to market and resell Barracuda's emailing services to Fusion customers," Judge Gelpí wrote. "Although Fusion could have negotiated for a clause granting it assurances or protections in the event of a breach, we see nothing in the contract providing those assurances or protections."

In 2024, U.S. District Judge Nathaniel M. Gorton granted the California-based cloud security and data protection company summary judgment on a handful of claims, closing out the case.

The remaining claims at issue when the case closed — Zoll's claim of equitable indemnification and Fusion's claims of breach of contract and breach of the covenant of good faith — were assigned to Fusion's insurer, Axis.

The judge's order, with which the First Circuit agreed, said Barracuda had acted as an independent contractor for Zoll — not a close enough relationship to establish derivative or vicarious liability.

Representatives for the parties did not immediately respond to comment requests Friday.

Barracuda is represented by Joseph L. Demeo, Christopher P. Silva, Michael R. Stanley and Samuel B. Goodwin of Demeo LLP.

Axis is represented by Mark S. Resnick of ResnickLaw LLC.

The case is Axis Insurance Co. v. Barracuda Networks Inc. et al., case number 24-1920, in the U.S. Court of Appeals for the First Circuit.