Opinion
Civil Action 8:24-cv-00313-PX
07-29-2024
MEMORANDUM OPINION
Paula Xinis United States District Judge
This case concerns the ugly underbelly of electronic access to patient healthcare records. Plaintiff Real Time Medical Systems, Inc. (“Real Time”) performs diagnostic analytics for thousands of patients in skilled nursing facilities. See ECF No. 38-3 ¶ 4. To do so, Real Time must access patient clinical healthcare records, which are created and stored in a cloudbased platform that is owned and operated by Defendant PointClickCare Technologies, Inc. d/b/a PointClickCare (“PCC”). See ECF No. 38-4 ¶ 5. Real Time alleges in this suit that PCC has implemented a supposed security protocol that cuts off Real Time's access to the patients' healthcare records, thus grinding Real Time's business to a halt. ECF No. 2 ¶¶ 77-79. Real Time further contends that PCC does so not for legitimate security or performance reasons, but rather to interfere with Real Time business so that PCC may capture Real Time's market share with its own competing analytics products. See. ECF No. 38-1 at 6. PCC, on the other hand, maintains that it legitimately must implement the protocol to protect patient healthcare data and maintain the performance integrity of its systems. See ECF No. 44 at 26-28.
Real Time now moves to preliminarily enjoin PCC from implementing a narrow aspect of its asserted security protocol, the use of certain kinds of Completely Automated Public Turing Test to Tell Computers and Humans Apart (“CAPTCHAs”), which wholly prevent Real Time's access to patient healthcare data. ECF No. 38. After a two-day evidentiary hearing, ECF Nos. 54 & 55, the matter is now ripe, for resolution. For the following reasons, the motion is GRANTED.
I. Background
A. The Parties
Real Time is a healthcare analytics company that contracts with nursing facilities to monitor patients' electronic medical records, identify subtle but significant medical changes, and then alert electronically the healthcare providers for intervention and preventative care.' ECF No! 2 ¶¶ 13-14; ECF No. 38-3 ¶ 4. The company currently serves about 1,700 skilled nursing facilities across the country, many of which are in Maryland. ECF No. 2 ¶¶ 13; ECF No. 38-3 ¶ 16. Real Time enters standard service contracts with the nursing facilities, see, e.g., ECF No. 38-■ 12, and the nursing facilities, in turn, contract with data repository companies like PCC, see, e.g., ECF No. 38-13. Pertinent here, the contracts between the nursing facilities and PCC require that PCC “make its cloud-based electronic health record platform ... available” to both the facility and “users.” Id. at 7. “Users” are defined as “individuals who are authorized by [the nursing facility] to use and access [PCC's platform],and who have been supplied user identifications and passwords by [the nursing facility].” Id., Although PCC is not the only electronic records storage provider, its size is formidable. PCC holds healthcare records for “approximately 1.6 million patients” across “27,000 facilities.” ECF No. 62 at 6. As to Real Time, PCC maintains patient medical records for roughly 80% of the nursing facilities with whom Real Time holds a service contract. ECF No. 38-3 ¶ 16; ECF No. 44-3 ¶ 4. As part of PCC's standard agreement, the nursing facilities agree not to:
access the Services or allow any employee, contractor or agent to access the Services, with, for example, any automated or other process such as screen scraping, by using robots, web-crawlers, spiders or any other sort of bot or tool, for the purpose of extracting data, monitoring availability, performance, functionality, or for any other benchmarking or competitive purpose.ECF No. 38-13 §2.2.
In practice, this tripartite arrangement works as follows. The nursing facility obtains from PCC user identifications or “user IDs” and passwords which it then passes onto Real Time. ECF No. 61 at 88. Real Time next accesses the nursing facility's patient records via the user IDs to obtain voluminous patient clinical data in real time every day, sometimes multiple times per day. ECFNo. 38-4 ¶¶ 5-7. Real Time pulls most patient clinical data through generating “reports” on such metrics as patients' daily food and liquid consumption, temperature, vital signs, and other standard measures that the facility obtains on a regular basis. ECF No. 61 at 81-82. Real Time next analyzes the data and alerts the facility to adverse trends in patient health. Id.
Real Time is given “read only” access to the patient data, meaning that it cannot alter the electronic medical records on PCC's platform. ECFNo. 61 at 72.
According to Real Time's Chief Technology Officer, Christopher Miller, performing such analytics has always depended on the use of automated software, which PCC considers to be “bots.” ECF No. 61 at 69-71. Since Real Time's inception more than twelve years ago, its entire process, from data collection to patient alerts, has been “fully automated, from the beginning to the end.” Id. at 83; see also ECF No. 38-4 ¶ 8; ECF No. 2 ¶ 37. Although the automated software does no more than what a human user would do to access patient health records, the sheer volume of the data that Real Time needs would require 450 people working seven days a week, 24 hours a day, to pull the requisite data. ECF No. 61 at 134-35. Hence Real Time's heavy reliance on automated software to gather medical data.
B. PCC's Use of CAPTCHAs
Despite Real Time's'long history of using such automated software, PCC recently claims the need to prevent Real Time from employingthis technology. Accordingly, PCC has introduced CAPTCHAs into its sign on process. See ECF No. 38-4 ¶ 11. A CAPTCHA is a well-known internet security device designed to ensure that humans, not automated software or “bots,” are attempting to gain access to the online platform. ECF No. 44-2 ¶ 27; ECF No. 38-4 ¶ 11. The kind of CAPTCHAs used here are visual depictions of words in funky formats that the user must “solve” by typing the word. ECF No. 44-2 ¶ 27; ECF No. 62 at 26. In theory, only humans can solve CAPTCHAs, thus keeping the bots out. See ECF No. 44-2 ¶ 27.
Real Time's experience with PCC's CAPTCHAs has evolved. At first, the CAPTCHAs presented as expected; they were decipherable, and Real Time navigated them with relative ease using humans to solve the CAPTCHAs. ECF No. 38-4 ¶¶ 11-12. But beginning in late 2023, periodically and without warning, PCC began deploying “indecipherable” CAPTCHAs that could not be solved. Id. ¶ 14.
After several attempts at solving the CAPTCHAS, the Real Time user ID would be “locked out,” preventing Real Time from accessing any patient records stored for the given facility. ECF No. 38-4 ¶ 16. Asa result, Real Time had no.way of performing its patient analytics until it could alert the affected facility, and the facility could obtain a new user ID or reactivate the old one. ECF No. 61 at 178-79. Because this process was neither easy nor predictable, Real Time experienced total business interruption for any number of days on account of the unsolvable CAPTCHAs. Id. at 111.
Thus far, Real Time has encountered the unsolvable CAPTCHAs episodically between October of 2023 and May of 2024. See ECF No. 38-4 ¶¶ 14, 24-26, 33-39. Real Time contends that PCC has deployed unsolvable CAPTCHAs not for any stated security purpose, but to damage Real Time's business and thereby push Real Time out of the market. See ECF No. 38-1 at 6. PCC, on the other hand, claims it legitimately uses CAPTCHAs (even the unsolvable ones) to address both security and performance concerns associated with bots pulling data from its platform. See ECF No. 44 at 8; ECF No. 44-2 ¶ 27. Because these competing narratives are at the heart of this motion, the Court summarizes the record evidence related to each.
C. PCC as Real Time's Competitor
Since late 2020, PCC has been breaking into the patient analytics market. It has acquired at least two of Real Time's direct competitors. ECF No. 2 ¶¶ 23, 46. And in early 2022, PCC went head-to-head with Real Time to bid on a several million-dollar analytics contract with Chesapeake Regional Information System for Our Patients, Inc. (“CRISP”), the regional health . information exchange for the state of Maryland. ECF No. 38-3 ¶¶ 8, 21. Real Time ultimately won the CRISP contract. Id. ¶21.
PCC next considered acquiring Real Time. In May of 2023, the parties entered into a non-disclosure agreement (“NDA”) to explore the potential merger. ECF No. 38-3 ¶¶ 11-12. Real Time, in turn, opened to PCC the entirety of its proprietary business information its books and records, and all aspects of its operations, to include its software design and heavy reliance on' automated software data retrieval. Id. ¶¶ 12, 15. Notably, despite PCC's loud protestation against “bots” today, PCC never raised with Real Time any concerns about its exclusive reliance on automated software. See ECF No. 61 at 213-14. After Real Time shared with PCC that it maintained the highest level of security certification in the industry, that “was the end of the discussion" regarding the security of Real Time's automated environment. Id.
Real Time also seems to pose no identifiable security threat to PCC. Real Time itself has never experienced a security breach. ECF No. 61 at 149. In fact, it maintains the highest industry security certificate in one of the most regulated industries concerning patient privacy. Id. at 147-48. And its automated software poses no greater risk of a security breach than that associated with human users. Id. at 151-52.
Acquisition talks appear to have continued long enough for PCC to learn of Real Time's business details without sharing any of its own. ECF No. 61 at 211. Soon after. PCC went silent, and the negotiations ceased without further explanation. Id. at 209. Then in October of 2023. PCC began deploying the unsolvable CAPTCHAs on some of Real Time's user IDs. Id. at 98-99, 209. As a result, in October alone, Real Time could not access patient records for those living in 75 skilled nursing facilities on account of PCC's unsolvable CAPTCHAs. ECF No. 384 ¶¶ 14-17. A representative sample of the unsolvable CAPTCHAs that appeared in October of 2023 is below:
The record demonstrates that many of Real Time user IDs have the word or phrase “Real Time” or “RTMS” in the identification itself. See ECF No. 61 at 175-77; ECF No. 62 at 98-99. Miller also testified that PCC could identify when Real Time was accessing records through the IP addresses associated with the company. ECFNo. 61 at 145.
Image Omitted Id. ¶ 14. It was only after PCC implemented the unsolvable CAPTCHAs that Real Time learned that PCC was no longer interested in an acquisition. ECFNo. 61 at 212.
D. Attempts at a Business Solution
Real Time had previously navigated PCC's decipherable CAPTCHAs by having humans sign into PCC's platform. See ECF No. 38-4 ¶ 11. But when confronted with unsolvable CAPTCHAs, Real Time began exploring with PCC alternative solutions to obtaining patient data without the use of automated software. Id. ¶¶ 18-20; ECF No. 61 at 92-93. First, it approached PCC about negotiating a direct business relationship so that Real Time could purchase from PCC access to the patient data. ECF No. 61 at 212-13. Real Time and PCC discussed obtaining some of the necessary data through PCC's Application Programming Interface (“API”). Id. at 9293. But this fix also required the provision of supplemental patient records. Id. at 96-97. So, the parties next discussed PCC exporting the supplemental data for a fee. Id. at 97. The export would involve “a series of files [Real Time] would get throughout the day” from PCC. Id. at 98. Relevant to PCC's stated concern about bot use, exports would •'eliminate” Real Time's need to log into PCC's system to pull down the data, thereby eliminating any risk associated with Real Time's software interacting with PCC's platform. Id. The technical teams for both companies spent about a month working collaboratively toward this solution, Id. at 97, and on October 27, 2023, the CAPTCHA walls appeared to have been turned off, ECF No. 38-4 ¶ 24.
But then in early November, there was a “breakdown” between the parties, and Real Time was told that it was not “going to get what [they] had been discussing.” ECF No. 61 at 99. Shortly after and without warning. Real Time was hit with a torrent of indecipherable CAPTCHAS that appeared like this:
Image Omitted
ECF No. 38-4 ¶ 27. As a result. Real Time could not access patient records for approximately 700 skilled nursing facilities. Id. ¶ 28.
Now with substantial business interruption, Real Time attempted to reinitiate negotiations with PCC to achieve a mutually agreeable business solution. ECF No. 6! at 212-15. Real Time proposed that PCC export the necessary patient data for a per-facility fee. Id. PCC, on the other hand, wanted Real Time to sign its “marketplace agreement.” Id. at 216. The terms of the agreement, however, were onerous: it prohibited Real Time from competing with PCC; allowed PCC to cancel the agreement for convenience at any time; and required Real Time to market its product through PCC. Id. at 217-18; see also ECF No. 46-2. Real Time would also have to pay PCC a substantial per-facility monthly fee to receive only 30% of the data that it needed. ECF No. 61 at 79-80,222-23. According to Timothy Buono, Real Time's Chief Strategy and Development Officer, agreeing to these terms would have “pretty much put us out of business, or at least put us in a breach.” Id. at 219.
Instead of the marketplace agreement, Real Time urged that the companies resume negotiations from scratch. ECF No. 61 at 216. PCC insisted instead that Real Time propose its changes to the standard marketplace agreement. Id. Real Time did as PCC instructed, and in November 2023, returned to PCC a heavily redlined agreement that struck all unsustainable terms and countered with a lower per-facility fee for PCC's export of the entire clinical record. Id. at 223-24. Approximately two weeks later, on December 14th, PCC rejected all changes to the agreement and declined to make any data exports available to Real Time. Id. at 219.
With no business solution in sight, Real Time filed suit on January 9, 2024. ECF No. 2. In May, PCC hired Arkose, an independent vendor which provides CAPTCHA technology solutions. ECF No. 38-4 ¶¶ 38-39. At this point, PCC resumed deploying indecipherable CAPTCHAs for user IDs assigned to Real Time, again without warning. Representative examples of the CAPTCHAs implemented through Arkose are below:
Image Omitted Id. ¶ 40. As a result. Real Time could not provide its analytics services to several hundred nursing facilities, which prompted the pending motion. Id. ¶¶ 38-41.
E. PCC's Stated Reasons for Deploying CAPTCHAs
PCC contends that it deploys CAPTCHAs to eliminate hot activity and thereby reduce the risk of data breaches and improve system performance. See ECF No. 44 at 14-17. Thus, says PCC, it has enacted a “Bot Prevention Policy” (the “Policy”) designed to target and eliminate “malicious unacceptable behavior” to include “large data exports from [PCC] applications that could not reasonably be performed without automated process automation, web activity, or use of bots.” ECF No. 44-2 at 49. The Policy, however, suffers from several problems.
First, the Court is not convinced it has the operative version of the Policy in evidence. The Policy admitted is dated April 14, 2023. ECF No. 44-2 at 46. But it has since gone through at least two additional reviews and revisions on September 5 and 21.2023. Id. at 53. Although counsel for PCC proffered that the one before the Court is the most recent version, ECF No. 62 at 251-52, the Policy itself suggests otherwise, see ECF No. 44-2 at 53. Nor did PCC's sponsoring witness for the Policy, Senior Vice President of Software-as-a-Service Engineering and Operations, Bachar Fourati, shed any light on how or when such revisions were implemented. ECF No. 62 at 83, 90-91.
Second, and perhaps even more troubling. PCC does not appear to follow the Policy. See ECF No. 62 at 89-90. For example, the Policy states that PCC will notify its customers of suspected violations by providing first, second, and third offense written warnings. ECF No. 44- 2 at 49-50. The formal written warnings should include notice of the “violation of this [P]olicy.” Id. at 49. Yet no evidence supports that PCC has ever issued such notices. ECF No. 62 at 8990. Fourati even admitted that PCC abandoned using any notices in short order because the notices were “not very effective.” Id. at 90
Third, the Policy claims that PCC will “ensure that its bot mitigation measures comply with relevant [] law.” ECF No. 44-2 at 51. But as to how PCC ensures such compliance, Fourati offered no information. At the time of the hearing, he could not even tell the Court who at PCC is responsible, for implementing the Policy. ECF No. 62 at 90.
Likewise, evidence regarding how PCC's security.protocol mitigates harm from “bot activity” is thin. According to Fourati, all user IDs identified as pulling high volumes of data are' placed on a “watch list,” and it is only those watch listed user IDs that receive CAPTCHAs. ECF No. 62 at 28-29, 40. The undated version of the watch list submitted into the record includes about 572 user IDs. Id. at 286-87. PCC, however, offered no objective criteria for what lands a user ID on the watch list. ECF No. 61 at 96-97. Fourati explained only that a user ID would be watch listed if its activity was “15 times or 20 times that of the normal user.” Id. at 94. But at no point did he address why such multiples of “normal use” could meaningfully affect the security or performance of a platform as massive as PCC's. See Id. at 94-96.
PCC also introduced several largely unhelpful “charts” that purport to depict the difference between bot and human use. See ECF No. 62 at 24 25; ECF No. 44-2 at 8-9. Some charts were undated and poorly labeled. PCC did not offer, or produce to Real Time, the underlying data that supposedly was reflected in the charts. At best, the charts reflect that automated software pulls significantly more data from PCC than a human user can. See Id. at 9. This uncontroversial proposition, however, does not aid the Court in determining whether the use of automated software to retrieve data poses any real security or performance risks to PCC.
Nor could Fourati explain hpw automated user software akin to that used by Real Time presents any real security risk for PCC. Although he generally acknowledged concern about data breaches experienced by other healthcare companies like Change Healthcare and Ascension, he could not articulate whether or how such risks are present here. See ECF No. 62 at 11-12.
As to the claimed performance-related concerns, Fourati broadly testified that PCC has experienced “many” incidents of “performance degradation” and “complete outage[s].” ECF No. 62 at 12-13. But he offered no information as to the circumstances surrounding such claimed degradation. This was so even though Fourati asserted that his team “create[s] an incident [report] every time there's an outage,” and “track[s] all those incidents.” Id. at 15. Yet no such evidence or indeed any evidence beyond Fourati's say so was offered to corroborate the supposed system slowdowns, or that “bots” caused such performance problems. Id. at 1316. PCC only offered one chart which showed that on a single day, data retrieval from one nursing facility was “slow,” which it attributed to Real Time's contemporaneous use of automated data retrieval software. Id. at 17-20.
Fourati did generally explain that bot-related performance problems are tied to PCC's available server space. ECF No. 62 at 132-33. According to Fourati, when PCC purchases its server space through a provider like Amazon or Microsoft Azure, PCC does not “size” the server environment to accommodate bot activity. Id. at 8, 130-31. But Fourati also confirmed that nothing prevented PCC from purchasing more server space. Id. at 9-10. And more to the point of this motion, he did not explain how the automated software used to pull patient data affects the performance of a system the size of PCC's. Although PCC uses its own automated software to “administer 1.2 million medications per day on behalf of patients” by pushing “a large volume of transactions” through its system, Id. at 132 (emphasis added), Fourati did not address why 572 watch-listed automated software users were to blame for PCC's claimed degradation of performance.
Finally, no record evidence explains how or why PCC began implementing unsolvable CAPTCHAs as a legitimate security protocol. Although the record uniformly supports that CAPTCHAs are, by definition, designed to be solved by humans, the record also supports that PCC has used CAPTCHAs that cannot be decoded. See ECF No. 62 at 148-49. On this point, Fourati explained that when a user fails to solve the CAPTCHAs, the level of difficulty increases as to that user. Id. Thus, by extension, unsolvable CAPTCHAs are only deployed when bots, not humans, failed to decode the word. Id. Left unanswered, however, was why PCC chose to implement unsolvable CAPTCHAs at all if the whole purpose of CAPTCHAs are to provide a word that is capable of a human solution.
With this evidence in mind, the Court turns to the propriety of narrowly crafted preliminary injunctive relief.
II. Standard of Review
A preliminary injunction is an extraordinary remedy that should be granted only upon “a clear showing that the plaintiff is entitled to relief.” Dewhurst v. Century Aluminum Co., 649 F.3d 287, 290 (4th Cir. 2011) (internal quotation marks omitted) (quoting Winter v. Natural Res. Def. Council, 555 U.S. 7, 22 (2008)). Generally, injunctions are sought to “preserve the status quo so that a court can render a meaningful decision after a trial on the merits.” Hazardous Waste Treatment Council v. State of S.C., 945 F.2d 781, 788 (4th Cir. 1991) (quotation omitted); see also United States ex rel. Rahman v. Oncology Assocs., PC., 198 F.3d 489, 498 (4th Cir. 1999). By contrast, injunctions which alter the status quo, known as “mandatory injunctions,” are highly disfavored, Wetzel v. Edwards, 635 F.2d 283, 286 (4th Cir. 1980), and should be granted only when “necessary both to protect against irreparable harm in a deteriorating circumstance created by the defendant and to preserve the court's ability to enter ultimate relief on the merits of the same kind,” In re Microsoft Corp. Antitrust Litig., 333 F.3d 517, 526 (4th Cir. 2003), abrogation on other grounds recognized in Bethesda Softworks, LLC v. Interplay Entm't Corp., 452 Fed.Appx. 351, 353-54 (4th Cir. 2011); see also Pierce v. N. Carolina State Bd. of Elections, 97 F.4th 194, 209 (4th Cir. 2024).
In many respects, Real Time seeks modest, narrowly tailored injunctive relief. It asks only that the Court enjoin PCC from using unsolvable CAPTCHAs which, according to Real Time, render it unable to access the nursing facilities' patient data and thwarts its ability to, function. See ECF No. 62 at 216. While this motion was pending, the parties agreed that, in exchange for Real Time providing all user IDs under which it operates, PCC would suspend the use of indecipherable CAPTCHAS as to those user IDs. Id. The parties have been operating under this agreement for several weeks now without incident. Id. Accordingly, whether deemed a “mandatory” injunction or a “status quo” injunction, the effect is largely the same: granting the motion would keep the current plan in place pending resolution of the case, which is the narrowest form of relief necessary to permit Real Time sufficient access to perform its services on behalf of its clients without unnecessarily invading PCC's security protocol.
III. Analysis
To prove entitlement to a preliminary injunction, Real Time must demonstrate by preponderant evidence four well-established factors: (1) a likelihood of success on the merits; (2) a likelihood of suffering irreparable harm in the absence of preliminary relief; (3) that the . balance of equities tips in its favor; and (4) that issuing the injunction is in the public interest. See Winter, 555 U.S. at 20. The Court considers each factor separately.
A. Likelihood of Success on the Merits
Although the Complaint alleges six causes of action, Real Time presses only three claims for purposes of injunctive relief: tortious interference with business relations, unfair competition, and breach of contract as a third-party beneficiary. ECF No. 38-1 at 23-30. To succeed on this motion, Real Time need only demonstrate a likelihood of success on one cause of action. See Mayor & City Council of Baltimore v. Azar, 392 F.Supp.3d 602, 613 (D. Md. 2019). Because the Court finds that Real Time is likely to succeed on its unfair competition and tortious interference claims, it will address only those here.
1. Unfair Competition Claim
Unfair competition prohibits “damaging or jeopardizing another's business by fraud, deceit, trickery or unfair methods of any sort.” Ellicott Dredges, LLC v. DSC Dredges, LLC, 280 F.Supp.3d 724, 732 (D. Md. 2017) (quoting Trimmed v. Sherwood Medical Co., 977 F.2d 885, 891 (4th Cir. 1992)). The cause of action “protectfs] against unfair practices those persons who have established and developed a business,” while “encourag[ing] fair competition and thereby protect[ing] the public against the evils of monopolies.” Edmondson Vill. Theatre v. Einbinder, . 208 Md. 38,48 (1955). It aims “to foster, and not hamper, competition,” free of “dealings based on deceit and dishonesty.” Baltimore Bedding Corp. v. Moses, 182 Md. 229, 236 (1943). The claim is animated by “the general principle that all dealings must be done on the basis of common honesty and fairness, without taint of fraud or deception.” Id. at 237.
Importantly, the claim is fact specific and narrowly circumscribed to include acts which substantially interfered with the plaintiff's business in a manner that is riot just unethical, but illegal. See Ellicott Dredges, 280 F.Supp.3d at 732. That said, a violation of a statute may constitute unfair competition even if the statute does not afford the plaintiff a private cause of action. See Restatement of Law (Third) of Unfair Competition, § I, cmt. (g) (1995); Berlyn, Inc. v. The Gazette Newspapers, Inc., 157 F.Supp.2d 609, 624 (D. Md. 2001); see also Intus Care, Inc. v. RTZAssocs., Inc., No. 24-01132-JST, 2024 WL 2868519, at *2 (N.D. Cal. June 5, 2024).
At its core, Real Time alleges that PCC has deployed indecipherable CAPTCHAs not for security or performance-related reasons, but to halt Real Time's business so as to improve its own position in the interventional analytics space. ECF No. 2 ¶¶ 129-38. In so doing, argues Real Time, PCC's conduct amounts to “information blocking” of protected patient medical records in violation of the 21st Century Cures Act, 42 U.S.C. § 300jj-52. ECF No. 38-1 at 2. Thus, says Real Time, PCC has competed unfairly by severing Real Time's ability to provide analytics for no legitimate purpose other than to gain an economic advantage in Real Time's market. ECF No. 38-1 at 28-29. Based on the current record, the Court finds that Real Time is likely to succeed on this claim.
Because the claim depends on understanding the ground rules animating the exchange of electronic health records, the Court first lays out the governing statute, the 21st Century Cures Act (the “Cures Act” or the “Act”). Passed in 2016, the Cures Act was designed to foster safe and open “access, exchange, and use of electronic health information (EHI).” 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed.Reg. 25642, 25643 (2020). The Act aims to protect individuals and entities from “information blocking,” or unnecessary obstacles to records access from the companies that' electronically store the records. Id. “Information blocking” constitutes any acts which likely “interfere with access, exchange, or use of electronic health information,” to include “practices that restrict authorized access” to records necessary “for treatment and other permitted purposes.” 42 U.S.C. 300jj-52. The parties do not dispute that the unsolvable CAPTCHAs amount to “information • blocking” under the Cures Act, and for good reason. See ECF No. 44 at 26-27. Whenever PCC deploys CAPTCHAs that cannot be solved, Real Time loses all access to the healthcare records it needs to perform its analytics. ECF No. 38-4 ¶¶ 38-39. Further, Real Time has demonstrated that for distinct time periods, the unsolvable CAPTCHAs totally barred its access to records for thousands of patients at hundreds of skilled nursing facilities. See Id. ¶¶ 14, 36, 38-39. PCC, however, contends that because its conduct falls under one of three enumerated exceptions to the Cures Act's prohibition on “information blocking,” its use of unsolvable CAPTCHAs does not, amount to a Cures Act violation. ECF No. 44 at 27-29. The Court addresses each exception in turn.
i. Health IT Performance Exception
PCC invokes the Act's “health IT performance” exception, which allows an actor to block access to medical records if necessary to maintain or improve the performance of the actor's IT systems. See 45 C.F.R. § 171.205; see also ECF No. 62 at 276-79; ECF No. 44 at 27. The exception, found at 45 C.F.R. § 171.205, reads, in pertinent part:
An actor's practice that is implemented to maintain or improve health IT performance and that is likely to interfere with the access, exchange, or use of electronic health information will not be considered information blocking when the practice meets a condition in paragraph (a), (b), (c), or (d) of this section, as' applicable to the particular practice and the reason for its implementation.
Although PCC made only passing reference to this exception in its pleadings, see ECF No. 44 at 27, it leaned heavily on subsection (b) at the hearing, ECF No. 62 at 276-79. Subsection (b) provides that:
... An actor may take action against a third-party application that is negatively impacting the health IT's performance, provided that the practice is
(1) For a period of time no longer than necessary to resolve any negative impacts;
(2) Implemented in a consistent and non-discriminatory manner; and
(3) Consistent with existing service level agreements, where applicable. § 171.205(b). .
PCC thus argued vigorously that its CAPTCHA watch list and Bot Prevention Policy satisfy this exception. ECF No. 62 at 280-82. The record, however, does not shore up the argument. First, the record does not establish that bot use by patient analytics companies meaningfully impacts PCC's performance. Fourati claimed “numerous” incidents and “many examples” of complete system outages on account of bot usage. Id. at 13, 17. But he could offer no proof to support these sweeping pronouncements. Despite the supposed generation of an “incident [report] every time there's an outage,” PCC offered none to corroborate the contention. See Id. at 15-16.
At best, the record suggests that on one day, PCC's retrieval system was slow for one facility while Real Time was pulling down reports. See ECF No. 62 at 24-25, 285-86. Sure, PCC generally proffers that automation somehow eats into its server space which in turn risks slowing down PCC's performance. Id. at 131-32, 277. But it introduced no evidence that Real Time's activities are even associated with slowdowns beyond a single day. Keeping in mind the size of PCC's own operations one that pushes out prescriptions for over one million patients in a day the Court cannot simply take Fourati's word for it that automated software use akin to, that of Real Time makes a material difference in PCC's performance. See Id. at 132; ECF No. 61 at 276-77.
Second, even if bot usage from patient analytic companies somehow degrades PCC's system's performance, the record does not support that PCC uses unsolvable CAPTCHAs for no longer than is necessary to resolve any negative impacts. The record generally reflects that once PCC determines through some unexplained metric that a user ID is pulling down “higher than normal” data, the user ID will receive unsolvable CAPTCHAs in perpetuity. See ECF No. 62 at 13-16. But PCC offered no credible explanation for their use. Thus, the Court cannot conclude that PCC is employing those CAPTCHAs “[f]or a period of time no longer than necessary to resolve any negative impacts” on its IT systems. 45 C.F.R. § 171.205(b)(1).
Third, PCC does not appear to deploy CAPTCHAs in a consistent and nondiscriminatory manner. See 45 C.F.R. § 171.205(b)(2). As primary evidence of its evenhandedness, PCC points to the watch list. See ECF No. 44 at 15. The watch list reflects only those user IDs which must solve CAPTCHAs; it says nothing about which ones must receive unsolvable CAPTCHAs. ECF No. 61 at 276-77. On this record, the Court cannot conclude that PCC deploys its CAPTCHAs in an even and nondiscriminatory manner. Thus, the evidence does not support the applicability of the IT health exception.
ii. Security Exception
PCC alternatively argues that its CAPTCHA use meets the security exception set forth in 45 C.F.R. § 171.203. ECF No. 62 at 256-57. This exception allows practices that likely “interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information.” § 171.203. The practice will not constitute information blocking if it meets three enumerated criteria:
(a) The practice must be directly related to safeguarding the confidentiality, integrity, and availability of electronic health information.
(b) The practice must be tailored to the specific security risk being addressed [and]
(c) The practice must be implemented in a consistent and nondiscriminatory manner. Id.
If the first three criteria are met, the practice must also satisfy either subsection (d) or (e) Subsection (d) reads:
(d) If the practice implements an organizational security policy, the policy must
(1) Be in writing;
(2) Have been prepared on the basis of, and be directly responsive to, security risks identified and assessed by or on behalf of the actor;
(3) Align with one or more applicable consensus-based standards or best practice guidance; and
(4) Provide objective timeframes and other parameters for . identifying, responding to, and addressing security incidents. § 171.203(d).
And subsection (e) reads:
(e) If the practice does not implement an organizational security policy, the actor must have made a determination in each case, based on the particularized facts and circumstances, that:
(1) The practice is necessary to mitigate the security risk to electronic health information; and
(2) There are no reasonable and appropriate alternatives to the practice that address the security risk that are less likely to interfere with access, exchange or use of electronic'health information.§ 171.203(e).
As for subsection (a), no reliable evidence supports that PCC's use of unsolvable CAPTCHAs is “directly related to safeguarding the confidentiality, integrity, and availability of electronic health information.” § 171.203(a). Fourati asserted that PCC generally introduced CAPTCHAs to address “numerous incidents and issues” related to security concerns surrounding the “large scale ... exfiltration of data.” ECF No. 62 at 27. But he could not articulate what those security issues are. See Id. By contrast, Real Time's Chief Information Security Officer, Andrew Lister, explained that Real Time's automated software used to pull patient data presents no greater security risk than that posed by a human pulling the same reports. ECF No. 61 at 152.
It also stands to reason that automated software used by a company with the highest security certification remains more secure than if the same company had to employ 450 individuals to perform the same task. See ECF No. 61 at 134-35.
Regarding subsection (b), the record does not tie any particular security risk to the automated processes used by patient analytics companies like Real Time. The Court cannot simply conclude, as PCC urges, see ECF No. 62 at 93, that all bots are alike, and that the talismanic invocation of the word “bot” is sufficient to trigger this exception. Mere reference to breaches at Ascension and Change Healthcare untethered to any facts of this case does little to advance the analysis. See ECF No. 62 at 255.
As for subsection (c), the Court has previously explained why PCC does not appear to employ its CAPTCHAs (unsolvable or otherwise) in a consistent and nondiscriminatory manner. .. See supra Part IIl.A.l.i. Accordingly, because no reliable evidence satisfies any of the first three criteria, PCC cannot invoke the security exception.
iii. Manner exception
Last, PCC contends that it meets the Cures Act's manner exception because it has given Real Time several alternatives to pulling down reports using automated software. See ECF No. 62 at 261-62. This exception commands that the “actor must fulfill a request for electronic health information in any manner requested, unless the actor is technically unable to fulfill the request or cannot reach agreeable terms with the requestor to fulfill the request in the manner requested.” § 171.301(a)(1) (emphasis added). Where the actor does not fulfill the initial request for electronic health information “in any manner requested” because of either technical inability or failure to reach agreeable terms, then the actor may satisfy the requirements through providing access to records through several other enumerated alternatives. § 171.301(b).
The first problem for PCC is that no evidence demonstrates that it is technically unable to fulfill the request in the manner requested. Nothing in the record suggests that PCC cannot accommodate Real Time's use of automated software to generate its reports. See ECF No. 61 at 97-98. Occasional claimed slowdowns notwithstanding, Real Time has operated the same way for more than 12 years. See ECF No. 38-4 ¶ 7. PCC also explored the potential acquisition of Real Time and learned precisely how Real Time works, never expressing concern about any technical inability to support the Real Time model upon acquisition. ECF No. 61 at 213-14. Thus, the Court cannot conclude that PCC is “technically” unable to fulfill Real Time's requests for records.
Second, the record does not suggest that PCC can find no “agreeable terms” for alternatives. Indeed, the parties were well on their way to a mutually agreeable alternative whereby Real Time would pay PCC to export the data not otherwise available through API. See ECF No. 61 at 221-24. PCC inexplicably chose to end those discussions and so it now cannot reap the benefit of this exception. In a nutshell, PCC appears more unwilling than unable to reach a mutually agreeable solution. See ECF No. 62 at 261-62. PCC cannot take cover under the manner exception.
In sum, PCC's use of unsolvable CAPTCHAs has blocked Real Time's access to patient healthcare records. Further, no exception to such information blocking applies. Thus, PCCs use of unsolvable CAPTCHAs violates the Cures Act.
Turning next to whether PCC has intentionally acted with the aim of “damaging or jeopardizing” Real Time's business “by fraud, deceit, trickery or unfair methods of any sort.” Ellicott Dredges, 280 F.Supp.3d at 732. At this juncture, Real Time has.made this showing. No evidence supports that PCC had any legitimate good faith use for wholly inscrutable CAPTCHAs which, by definition, blocked Real Time from getting the very records it needs to exist. See ECF No. 62 at 11-12. But even more damning is the timing of such deployments, which support that PCC used those CAPTCHAs as a device to hamstring or eliminate Real Time as a competitor. See ECF No. 38-4 ¶¶ 28-33.
Prior to launching unsolvable CAPTCHAs, PCC made a series of moves to break into the patient analytics market: it acquired other of Real Time's rivals, and it flexed its muscle by bidding unsuccessfully on the CRISP contract. ECF No. 2 ¶¶ 23, 46; ECF No. 38-3 ¶¶ 8,21. Then it focused on supposedly acquiring Real Time. PCC mined Real Time for proprietary business information only to walk away from such talks without explanation and without sharing any proprietary information of its own. See ECF No. 61 at 208-11. Shortly thereafter, PCC deployed against Real Time the unsolvable CAPTCHAs in a manner that effectively shut down a substantial portion of Real Time's business (700 of 1700 facilities) overnight. ECF No. 38-4 ¶ 28. And then, once Real Time felt the brunt of the shutdown, PCC offered Real Time an array of business “solutions” that were no solutions at all. Sure, PCC proposed alternatives that would avoid Real Time's use of automated software. See ECF No. 61 at 212-13. But none would give Real Time access to more than 30% of the patient data it needed to do its job. Id. at 79-80.
Nor could Real Time accept PCC's partnership offer under its “marketplace agreement.” See ECF No. 46-2. Steadfast in its terms, PCC wanted to maintain proprietary rights to Real Time's product with no corresponding benefit to PCC in that it still would not have obtained the full data necessary to perform patient analytics. See Id. at 10. PCC could also cancel the contract unilaterally for “convenience” and without recourse. See ECF No. 61 at 216-23. In a very real sense, therefore, PCC presented to Real Time a classic Hobson's choice; either continue with its current operations and face the business interruptions associated with unsolvable CAPTCHAs, or agree to alternative terms that effectively would put it out of business. See ECF No. 61 at 217-19. Either way, PCC aimed to handicap Real Time in a manner that cuts against “the principles of old-fashioned honesty” which require that “[o]ne man may not reap where another has sown, nor gather where another has strewn.” GAI Audio of New York, Inc. v. Columbia Broad. Sys., Inc., 27 Md.App. 172, 193 (1975) (internal quotation marks omitted). For these reasons, Real Time has demonstrated a likelihood of success on the merits of its unfair competition claim.
2. Merits of Tortious Interference Claim
Turning next to Real Time's tortious interference with contractual relations claim, Real Time must adduce evidence that PCC knew of its contractual obligations to the skilled nursing facilities and intentionally interfered and hindered its performance, resulting in damages. See Fowler v. Printers II, Inc., 89 Md.App. 448,466 (1991); Macklin v. Robert Logan Assocs., 334 Md. 287, 297-98 (1994). Real Time may demonstrate damages by showing “(a) the pecuniary loss of the benefits of the contract”; “(b) consequential losses for which the interference is a legal cause”; or “(c) emotional distress or actual harm to reputation, if they are reasonably to be expected to result from the interference.” Restatement (Second) of Torts § 774A (1979).
Real Time has shown it is likely to succeed on the merits of this claim. First, PCC does not dispute that it knew of Real Time's contractual relationships with roughly 1700 skilled nursing facilities. See ECF No. 44 at 19-22. Second, PCC's purposeful use of indecipherable CAPTCHAs prevented Real Time from accessing patient records necessary to perform on these contracts. See ECF No. 38-4 ¶¶ 17, 39. In fact, PCC knew as .early as November of 2023 that those CAPTCHAs had a seismic impact on Real Time's business operations because Real Time said as much. Id. ¶ 18. Yet PCC locked out Real Time again in May of this year. Id., ¶¶ 38-40. Last, Real Time has, at a minimum, expended resources to restore access to the patient records data which alone provides a measure of damages. See ECF No. 61 at 175. Accordingly, Real Time has demonstrated that it is likely to succeed on the merits of the claim.
PCC counters that Real Time cannot demonstrate that PCC has “intentionally” interfered with Real Time's business relationships because the true purpose behind the unsolvable CAPTCHAs was to “safeguard system security and integrity against malicious bots regardless of their source.” ECF No. 44 at 20. This rationale, as discussed, falls far short of the mark. PCC has offered no legitimate reason for deploying unsolvable CAPTCHAs.
PCC next argues that Real Time's claim fails because it has not demonstrated an actual breach of contract with the nursing facilities. See ECF No. 44 at 21. But under Maryland law, “a person who intentionally and wrongfully hinders contract performance ... and thereby damages a party to the contract, is liable to the injured party even if there is no breach of the contract.” Lake Shore Invs. v. Rite Aid Corp., 67 Md.App. 743, 753 (1986); see also Id. at 748-50 (“We have found only two reported Maryland decisions that suggest or hold that a breach of contract is an essential element of a tortious interference claim.”); Total Recon Auto Ctr., LLC v. Allstate Ins. Co., No. DLB-23-672, 2023 WL 8545228, at *3 (D. Md. Dec. 11, 2023); Webb v. Green Tree Servicing, LLC, No. ELH-11-2105, 2011 WL 6141464, at *4-7 (D. Md. Dec. 9, 2011). Because the record supports that indecipherable CAPTCHAs thwarted Real Time ability to serve the involved nursing facilities, Real Time has demonstrated PCC's substantial interference with its business relations sufficient to support the claim. Real Time has satisfied the first Winter factor.
B. Irreparable Harm
As to the second Winter factor, Real Time must demonstrate that it will be irreparably harmed absent injunctive relief. See Gen. Parts Distribution, LLC v. St. Clair, No. 11 -3556-AW, 2011 WL 6296746, at *6 (D. Md. Dec. 14, 2011). Indeed, the harm must be of the kind that “cannot be fully rectified by the final judgment after trial.” Mountain Valley Pipeline, LLC v. 6.56 Acres of Land, Owned by Sandra Townes Powell, 915 F.3d 197, 216 (4th Cir. 2019) (internal quotation marks omitted). This can include loss of good will or erosion of its customer base. See Gen. Parts, 2011 WL 6296746, at *6. The risk of such must be “actual and imminent,” not remote or speculative. Id.
Real Time has made this showing. PCCs deployment of unsolvable CAPTCHAs visits on Real Time a 100% business interruption with any given nursing facility. The more recent deployments have severed the company's access to patient data for 700 facilities at a time. ECF No. 38-4 ¶ 28. And since approximately 80% of Real Time's clients store their data with PCC, continued use of indecipherable CAPTCHAs presents a real and imminent threat to the company's continued ability to do business. See ECF No. 38-3 ¶ 6. Thus, Real Time has demonstrated that it is likely to suffer irreparable harm absent immediate injunctive relief.
C. Balance of the Equities
The third Winter factor, the balance of the equities, also tilts in Real Time's favor. Scotts Co. v. United Indus. Corp., 315 F.3d 264 (4th Cir. 2002). On the one hand, were PCC permitted to use unsolvable CAPTCHAs in the future, Real Time would face unpredictable, unplanned widespread business outages akin to that which it has withstood before. PCC, on the other hand, has given the Court no reason to believe that eliminating the use of such unsolvable CAPTCHAs would visit any harm to it. The narrow relief requested leaves intact nearly all of PCC's existing security protocol, including the use of solvable CAPTCHAs, and enjoins solely the use of unsolvable CAPTCHAs which do not rationally relate to the provision of security in any event. Thus, the balance of equities tip in favor of Real Time.
D. Public Interest
Last, the fourth Winter factor also favors injunction. The public retains great interest in the specific improvements to healthcare that Real Time indisputably provides to thousands of nursing facility patients. ECF No. 38-8 ¶¶ 3, 7; see also ECF No. 38-3 ¶ 17. The public likewise benefits from fostering access to medical records consistent with, not in contravention of, the Cures Act. Indeed, the provision of affordable, quality healthcare depends directly on access to such records. The requested relief promotes faithful adherence to such access in compliance the Cures Act, and thus, will advance that important interest.
IV. Conclusion
Real Time has convinced the Court that preliminary injunctive relief, narrowly drawn, is proper. PCC is enjoined from using indecipherable CAPTCHAs of the type depicted in this opinion. This Order becomes effective, pursuant to Fed.R.Civ.P. 65(c), upon Real Time's payment to the Clerk of the Court in the security of $50,000, an amount the Court deems proper to pay the costs and damages sustained by PCC in the event it is later found to have been wrongfully enjoined or restrained. A separate Order follows.
Rule 65(c) commands that a preliminary injunction shall issue “only if the movant gives security in an amount that the court considers proper to pay the costs and damages sustained by any party found to have been wrongfully enjoined or restrained.” See also Hoechst Diafoil Co. v. Nan Ya Plastics Corp., 174 F.3d 411, 421 (4th Cir. 1999) (failure to require a bond is reversible error). The Court sets the bond accordingly because the injunctive relief is confined to solely prohibiting the deployment on known Real Time users of the unsolvable CAPTCHAs as depicted in this Memorandum Opinion, and otherwise leaves PCC's security protocol untouched. Thus, the scope of any wrongful injunction would be minimal.