A patient intake software company is suing a competitor for allegedly accessing the plaintiff’s back-end systems without authorization and gathering trade secrets and proprietary information in order to reverse engineer and reproduce the software.
On Wednesday in the District of Maryland, Phreesia Inc. filed a complaint against Certify and Certify Health, Certify Vice President Timothy Goodwin, and Rolling Rock Software Pvt Ltd., claiming that the defendants have colluded to misappropriate Phreesia’s trade secrets “in order to create an almost identical version of Phreesia’s industry-leading software, and to unlawfully interfere with Phreesia’s customer relationships” in concert with an unnamed, existing Phreesia client.
According to the complaint, Phreesia vets its potential clients before authorizing them to access any of its systems. Reportedly, partners, such as health systems, must sign nondisclosure agreements before being authorized, and all clients must execute a Master Services Agreement, which stipulates clients’ responsibility to maintain confidentiality and prevent third parties from accessing Phreesia’s systems. No one may access the systems without direct authorization from Phreesia, the complaint said.
The plaintiff stated that because it keeps a log of usernames, passwords, and IP addresses that access its systems, Phreesia found that the unnamed Phreesia client created an account under the name Erika Blair, who is a Certify employee. The complaint said that this username was changed three minutes later to Timothy Goodwin, a top Certify official, and ultimately was given the name Alice Test. Allegedly, the defendants logged in to the Phreesia system using the account more than 230 times in 2019, 130 of the logins being tracked to the IP address at Certify’s headquarters and 19 being tracked to Rolling Rock Software’s offices’ IP address in India. Phreesia first learned of this alleged conduct in January 2021.
“During 2019, Defendants used the Timothy Goodwin/“Alice Test” account, among other things, to log into the Phreesia System to view the operation of the system, create patient records, delete patient records, and discover and reverse-engineer the functionality, structure, architecture, and workflow of the Phreesia software, and to access the proprietary training files,” the complaint alleged.
Phreesia argued this is evidenced by side-by-side comparisons of Certify’s and Phreesia’s user interfaces, revealing that they are “almost identical.”
“The Certify software even includes the same coding idiosyncrasies and workarounds for features unique to the Phreesia System that could not plausibly have occurred without direct access and copying of the confidential functionality and interface of the Phreesia System,” the complaint contended.
The formal causes of action against the defendants by the plaintiff are violations of the Computer Fraud and Abuse Act, misappropriation of trade secrets and conspiracy to misappropriate trade secrets, unfair competition and conspiracy to compete unfairly, tortious interference with a contractual relationship, and unjust enrichment.
Phreesia is requesting judgment on all counts, compensatory and punitive damages, a declaration that Certify’s products in question were unlawfully developed, and an enjoinment of the defendants from continuing to offer any products that allegedly were developed unlawfully through trade secret or confidential information misappropriation, among other relief deemed proper.
Goodwin Proctor LLP is representing Phreesia.