`
`IN THE UNITED STATES DISTRICT COURT
`FOR THE DISTRICT OF MARYLAND
`
`
`
`Civil Action No. ___________
`
`COMPLAINT
`
`JURY TRIAL DEMANDED
`
`
`
`
`
`
`PHREESIA, INC.,
`
`
`
`
`
`
`
`
`Plaintiff,
`
`v.
`
`
`CERTIFY GLOBAL, INC. D/B/A CERTIFY AND
`CERTIFY HEALTH, ROLLING ROCK
`SOFTWARE PVT LTD. and TIMOTHY
`GOODWIN,
`
`
`
`
`
`
`
`
`
`
`
`Defendants.
`
`
`
`Plaintiff Phreesia, Inc. (“Phreesia” or “Plaintiff”), by and through its attorneys, for its
`
`Complaint against Defendants Certify Global, Inc. d/b/a Certify and Certify Health (“Certify”),
`
`Rolling Rock Software Pvt Ltd. (“Rolling Rock Software”), and Timothy Goodwin, Vice President
`
`of Certify (collectively “Defendants”), alleges as follows:
`
`PRELIMINARY STATEMENT
`
`
`
`Defendants have engaged in a conspiracy to misappropriate Phreesia’s trade secrets
`
`and confidential information in order to create an almost identical version of Phreesia’s industry-
`
`leading software, and to unlawfully interfere with Phreesia’s customer relationships. Defendants’
`
`actions involved a concerted effort over the span of years to steal Phreesia’s trade secrets and
`
`confidential information in order to create a service to compete with Phreesia’s industry-leading
`
`software. However, due to Phreesia’s security and compliance controls Phreesia was able to
`
`reconstruct Defendants’ unauthorized incursions and establish how and when Defendants’
`
`
`
`
`1
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 2 of 23
`
`unlawful actions took place.
`
`
`
`Defendants worked to subvert Phreesia’s relationships with an existing client
`
`partner to create unauthorized login accounts. As a result of these efforts, Defendants were able
`
`to repeatedly access Phreesia’s confidential software system and to use information gained by that
`
`access to misappropriate Phreesia’s trade secrets and confidential information. Defendants then
`
`took that information and incorporated it into their own systems to unlawfully compete against
`
`Phreesia.
`
`
`
`Defendants’ ongoing actions are unjustly enriching Defendants and causing
`
`significant harm to Phreesia. As a result of Defendants’ wrongful conduct, Phreesia is entitled to
`
`the award of substantial damages to be determined at trial, including all revenues derived by
`
`Defendants from the sale of products that use or incorporate Phreesia’s trade secrets and/or
`
`confidential information; an additional award of lost profits to Phreesia; a declaration that Certify’s
`
`products have unlawfully been developed using Phreesia’s intellectual property; an order enjoining
`
`Defendants from offering any product or service that incorporates trade secrets or confidential
`
`information misappropriated from Phreesia, and from accessing Phreesia software, data and
`
`information; and such additional declaratory and injunctive relief as the Court deems appropriate.
`
`PARTIES
`
`
`
`Plaintiff Phreesia is a Delaware corporation with its headquarters located at 434
`
`Fayetteville Street, Suite 1400, Raleigh, NC 27601.
`
`
`
`On information and belief, Defendant Certify is a Delaware corporation with its
`
`headquarters located at 9801 Washingtonian Blvd., Ste. 200, Gaithersburg, MD 20878.
`
`
`
`On information and belief, Defendant Rolling Rock Software is an Indian
`
`corporation with its U.S. headquarters located at 9801 Washingtonian Blvd., Ste. 200,
`
`
`
`
`2
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 3 of 23
`
`Gaithersburg, MD 20878.
`
`
`
`On information and belief, Defendant Rolling Rock Software performs a
`
`substantial portion of the software development activities for Defendant Certify.
`
`
`
`On information and belief, in addition to sharing the same suite at the same address
`
`for their respective U.S. headquarters, Defendants Certify and Rolling Rock Software are also
`
`operated by the same officers. For example, the two companies share the same Chief Executive
`
`Officer (Marc Potash), the same Chief Technical Officer (Preetham Gowda), the same Chief
`
`Operating Officer (Jacob Saji), and the same Vice President of Product Development (Preet
`
`Mann). On information and belief, Defendants Certify and Rolling Rock Software also have
`
`common ownership.
`
`
`
`On information and belief, Defendant Timothy Goodwin is an individual who
`
`resides in Maryland and serves as Vice President of Defendant Certify.
`
`JURISDICTION AND VENUE
`
`
`
`This Court has jurisdiction over this action pursuant to 28 U.S.C. § 1331, because
`
`Plaintiff’s claims against all Defendants for violations of the Defend Trade Secrets Act of 2016,
`
`18 U.S.C. § 1836 et seq., and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, raise federal
`
`questions.
`
`
`
`Plaintiff’s remaining claims arising under state law fall within this Court’s
`
`supplemental jurisdiction pursuant to 28 U.S.C. § 1367(a) because they are so related to the federal
`
`claims that they form part of the same case or controversy.
`
`
`
`This Court has Personal jurisdiction over Defendant Certify because its
`
`headquarters are in Gaithersburg, Maryland, and it therefore resides within this District.
`
`
`
`Upon information and belief, Defendant Certify has engaged in and maintained
`
`
`
`
`3
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 4 of 23
`
`systematic and continuous business contacts within the state of Maryland, and has purposefully
`
`availed itself of the benefits and protections of the laws of Maryland rendering it at home in
`
`Maryland.
`
`
`
`This Court has Personal jurisdiction over Defendant Rolling Rock Software
`
`because it maintains a principal place of business in Gaithersburg, Maryland, within this District.
`
`
`
` Upon information and belief, Defendant Rolling Rock Software has engaged in
`
`and maintained systematic and continuous business contacts within the state of Maryland, and has
`
`purposefully availed itself of the benefits and protections of the laws of Maryland rendering it at
`
`home in Maryland.
`
`
`
`Upon information and belief, Defendant Rolling Rock Software engaged in, and
`
`collaborated and/or acted in concert with Defendant Certify to engage in wrongful acts within
`
`Maryland in violation of Maryland law.
`
`
`
`Alternatively, the Court has personal jurisdiction over Defendant Rolling Rock
`
`Software under Federal Rule of Civil Procedure 4(k)(2). Plaintiffs’ claims arise under federal law,
`
`and Defendant Rolling Rock Software is a foreign defendant not subject to general personal
`
`jurisdiction in the courts of any state; Defendant Rolling Rock Software has sufficient contacts
`
`with the United States as a whole, including, but not limited to, purposefully placing products
`
`incorporating misappropriated trade secrets in U.S. commerce.
`
`
`
`This Court has Personal jurisdiction over Defendant Timothy Goodwin because he
`
`resides within this District.
`
`
`
`Venue in this district is proper under 28 U.S.C. § 1391(b)(2) because a substantial
`
`part of the events or omissions giving rise to the claims at issue occurred within this district. In
`
`the alternative, venue in this district is proper under 28 U.S.C. § 1391(b)(3) because this Court has
`
`
`
`
`4
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 5 of 23
`
`Personal jurisdiction over at least one defendant.
`
`FACTUAL ALLEGATIONS
`
`A.
`
`Phreesia’s Business and its Trade Secrets and Confidential Information
`
`
`
`Founded in 2005, Phreesia has spent more than fifteen years helping medical groups
`
`and health systems improve their patient intake processes through the use of innovative
`
`technologies.
`
`
`
`Phreesia is engaged in the nationwide business of providing point-of-service
`
`solutions for healthcare practices that, among other things: (a) digitize intake (e.g., by permitting
`
`patients to fill out information forms and sign consent forms through a mobile device, on a tablet,
`
`or at a kiosk); (b) automate eligibility and benefits verification, and calculate patient responsibility
`
`(e.g., copays); and (c) provide a secure payments platform. Phreesia’s software drives efficiency
`
`for healthcare practices and provides patients with a seamless and automated experience.
`
`
`
`Phreesia provides its customized patient intake services through its proprietary
`
`software-as-a-service (SaaS) applications. Working through mobile applications and dedicated
`
`wireless PhreesiaPad tablets and kiosks, Phreesia’s specialized intake tools help partners
`
`streamline their operations, while giving patients safe, contactless options.
`
`
`
`In order to develop its software, Phreesia engaged in extensive research and
`
`development and product testing and solicited wide-ranging and confidential customer feedback
`
`and assessments. Phreesia has invested more than $92 million during the last five years alone to
`
`develop, implement, and update its proprietary software services.
`
`
`
`Due to its efforts, Phreesia has established a high degree of goodwill in the quality
`
`and utility of its software. For example, Phreesia has been named the Best in KLAS for Patient
`
`Intake Management by the research and insights firm KLAS in its annual reports in both 2019 and
`
`
`
`
`5
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 6 of 23
`
`2020. The Best in KLAS designation is reserved for leading software and services vendors that
`
`have the broadest operational and clinical impact on healthcare organizations. Phreesia earned the
`
`overall top score based on provider criteria across a range of areas, including culture, loyalty,
`
`operations, product, relationship and value.
`
`
`
`The software code, architecture, format, structure, organization, workflows, back-
`
`end logic, functionality, operation, and interface of the Phreesia System are trade secrets that derive
`
`value from the fact that they are not publicly known.
`
`
`
`Accordingly, Phreesia takes measures to keep its trade secrets, data, and
`
`information confidential and to prevent disclosure without imposing confidentiality restrictions on
`
`the recipient. Phreesia’s efforts include, but are not limited to: execution of confidentiality
`
`agreements that require counter-parties not to disclose or permit third-party access to Phreesia
`
`software or information, or to use that information other than for a permitted purpose; limiting
`
`circulation of trade secrets within Phreesia and to third parties; and protecting, restricting and
`
`controlling access to Phreesia’s trade secrets and confidential information with physical and
`
`electronic means including encryption, password protection, and other security measures.
`
`
`
`As the provider of SaaS offerings, Phreesia does not distribute its software to
`
`existing or potential customers. Instead, Phreesia provides access to its software services on its
`
`own secured servers (the “Phreesia System”).
`
`
`
`Phreesia’s software offerings use an innovative back-end functionality and an easy-
`
`to-navigate user interface. Phreesia’s proprietary functionality and user interface are competitive
`
`differentiators in the market for Phreesia’s services and help drive sales for Phreesia’s services.
`
`
`
`Phreesia does not publish details of its software platform publicly. This is
`
`especially true of the Phreesia “Staff Interface,” which can only be accessed by authorized clients
`
`
`
`
`6
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 7 of 23
`
`behind a password-protected login.
`
`
`
`Phreesia also maintains Phreesia University – a cache of Phreesia’s online training
`
`courses, videos, links to help pages, quizzes, and other documents – on the Phreesia System.
`
`Phreesia University is used to host Phreesia’s training content and to deliver that content to
`
`Phreesia’s authorized users at medical practices.
`
`
`
`In order to access the materials stored within Phreesia University, a user must be
`
`authorized and assigned access to a specially selected curriculum.
`
`
`
`To gain access to even a demonstration of Phreesia’s software, Phreesia researches
`
`potential clients to ensure that they will not misappropriate Phreesia’s confidential know-how.
`
`
`
`Before Phreesia provides a demonstration to larger partners such as health systems,
`
`the health system is required to sign a non-disclosure agreement (NDA).
`
` When Phreesia performs a demonstration of its software to a potential client, that
`
`potential client is shown a limited version of the Phreesia software and does not receive access to
`
`the Phreesia System.
`
`
`
`In order to receive access to the Phreesia System, clients must execute a software
`
`license agreement – the Master Services Agreement – that includes provisions that require the
`
`client to maintain confidentiality of the system:
`
`The receiving Party shall hold in confidence, and shall not disclose
`(or permit or suffer its personnel to disclose) any Confidential
`Information to any person or entity except to a director, officer,
`employee,
`outside
`consultant,
`or
`advisor
`(collectively
`“Representatives”) who have a need to know such Confidential
`Information in the course of the performance of their duties for the
`receiving Party and who are bound by a duty of confidentiality no
`less protective of the disclosing Party’s Confidential Information
`than this Agreement. The receiving Party and its Representatives
`shall use such Confidential Information only for the purpose for
`which it was disclosed and shall not use or exploit such Confidential
`Information for its own benefit or the benefit of another without the
`
`
`
`
`7
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 8 of 23
`
`prior written consent of the disclosing Party. Each Party accepts
`responsibility for the actions of its Representatives and shall protect
`the other Party’s Confidential Information in the same manner as it
`protects its own valuable confidential information, but in no event
`shall less than reasonable care be used.
`
`
`* * *
`
`
`Customer further agrees that it shall not use the Products for the
`purposes of conducting comparative analysis, evaluations or product
`benchmarks with respect to the Products and will not publicly post
`any analysis or reviews of the Products without Phreesia’s prior
`written approval.
`
`
`Master Services Agreement § 4.1.
`
`
`
`
`The Master Services Agreement also requires Phreesia’s clients to refrain from, and
`
`to prevent third parties from reverse engineering, decompiling, disassembling, or otherwise
`
`attempting to derive the source code form or structure of the Phreesia System in order to build a
`
`competitive product or service, or to copy any ideas, features, functions or graphics of the Phreesia
`
`System:
`
`The Customer is responsible for (i) all activities conducted under its
`User logins and for its Users’ compliance with this Agreement, (ii)
`compliance with all applicable laws and regulations that govern its
`business, and (iii) obtaining all authorization’s, consents and
`licenses necessary to use Customer Data. Unauthorized use, resale
`or commercial exploitation of the Products in any way is expressly
`prohibited. Without Phreesia’s express prior written consent in each
`instance, the Customer shall not (and shall not allow any third party
`to): reverse engineer, decompile, disassemble, or otherwise attempt
`to derive the source code form or structure of the Products or access
`the Products in order to build a competitive product or service or
`copy any ideas, features, functions or graphics of the Products.
`Except as expressly permitted in this Agreement, the Customer shall
`not copy, license, sell, transfer, make available, lease, time-share or
`distribute the Products to any third party.
`
`
`Master Services Agreement § 8.3.
`
`
`
`
`To be able to access the Phreesia System and thus to access Phreesia’s proprietary
`
`
`
`
`8
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 9 of 23
`
`software, each member of a partner’s staff must enter a unique username and password.
`
`
`
`Phreesia logs the username, passwords, and IP addresses of each individual who
`
`accesses the Phreesia System, as well as information regarding the date and time such access
`
`occurred.
`
`
`
`Users who are authorized to access the Phreesia System services not only gain
`
`access to the user interface, but can also gain confidential information regarding the functionality
`
`of Phreesia’s software – including the proprietary workflow of the Phreesia user interface which
`
`defines how the software responds to user queries or answers – as well as the proprietary guidance
`
`and training materials contained in Phreesia University.
`
`B.
`
`Defendants’ Conspiracy to Misappropriate Phreesia Trade Secrets and Confidential
`Information
`
`
`Defendant Certify purports to provide patient engagement and authentication
`
`
`
`services via SaaS applications.
`
`
`
`As part of its business, Certify offers patient intake software services that compete
`
`with those offered by Phreesia.
`
`
`
`On information and belief, Rolling Rock Software designs, creates, and maintains
`
`Certify’s software services.
`
`
`
`On information and belief, Certify conspired with an existing Phreesia client (the
`
`“Phreesia Client”) to violate that partner’s obligations under the Master Services Agreement and
`
`create an unauthorized login account so that Defendants could access the Phreesia System without
`
`Phreesia’s authorization.
`
`
`
`Phreesia’s user logs show that the Phreesia Client created a login account for
`
`Certify on or around April 18, 2018 under the name of Certify employee Erika Blair using the
`
`following Certify email address: erika.blair@certifyglobal.com. Additionally, the IP address
`
`
`
`
`9
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 10 of 23
`
`associated with this fraudulent user account is associated with Certify.
`
`
`
`On information and belief, Erika Blair is an individual who was employed by
`
`Certify as an Information Technology Management Consultant during a period that included April
`
`2018.
`
`
`
`Three minutes later, on the same day (April 18, 2018), the username was changed
`
`to
`
`Timothy Goodwin,
`
`in
`
`connection with
`
`the
`
`associated
`
`
`address
`
`timothy.goodwin@certifyglobal.com.
`
`
`
`On information and belief, this username and email address refers to Timothy
`
`Goodwin, Vice President and Director of Business Development at Certify.
`
`
`
`On information and belief, Defendant Goodwin has been employed by Certify since
`
`July 2017.
`
`
`
`On information and belief, Defendants subsequently renamed the unauthorized
`
`Timothy Goodwin account to “Alice Test,” in an attempt to obscure their identities and
`
`involvement in the unauthorized access to the Phreesia System.
`
`
`
` Defendants used the Timothy Goodwin/“Alice Test” account to analyze and
`
`interact with the Phreesia system in an unauthorized manner more than 230 times during 2019
`
`alone. Of these login events, at least 130 were made from the IP address associated with Certify’s
`
`Maryland headquarters, which is also the U.S. headquarters of Rolling Rock Software.
`
`
`
`On
`
`information and belief 19 further
`
`login events using
`
`the Timothy
`
`Goodwin/“Alice Test” account arose from an IP address associated with Rolling Rock Software’s
`
`offices in India.
`
`
`
`During 2019, Defendants used the Timothy Goodwin/“Alice Test” account, among
`
`other things, to log into the Phreesia System to view the operation of the system, create patient
`
`
`
`
`10
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 11 of 23
`
`records, delete patient records, and discover and reverse-engineer the functionality, structure,
`
`architecture, and workflow of the Phreesia software, and to access the proprietary training files
`
`located within Phreesia University.
`
`
`
`On information and belief, Defendants have also used their unauthorized access to
`
`the Phreesia System to export and send information to employees of the Defendants.
`
`
`
`On information and belief, Defendant Timothy Goodwin used his and Certify’s
`
`unauthorized access to the Phreesia system to send himself multiple emails with information from
`
`the Phreesia system to his email address: timothy.goodwin@certifyglobal.com.
`
`
`
`On information and belief, an employee of Defendant Certify, Darshan Patel, used
`
`Certify’s unauthorized access to send an email with information from the Phreesia system to his
`
`email address: darshan.patel@certifyglobal.com. On information and belief, Patel is employed by
`
`Defendant Certify as an IT Project and Program Manager.
`
`
`
`On information and belief, an employee of Defendant Certify, Shreyas Swami, used
`
`Certify’s unauthorized access to send multiple emails with information from the Phreesia system
`
`to his email address: shreyas.swamy@certifyglobal.com. On information and belief, Swamy is
`
`employed by Certify as a Business Analyst.
`
`
`
`On information and belief, Defendants used fraudulent accounts to access the
`
`Phreesia System to gather Phreesia’s trade secrets and confidential information, to reverse engineer
`
`the architecture, format, structure, organization, functionality, and workflows, and discover,
`
`analyze, and copy the “back-end” of the Phreesia System and its underlying software code, and to
`
`view and copy the proprietary user interface of the Phreesia System.
`
`
`
`A review of the Phreesia user logs show that Defendants also accessed proprietary
`
`training materials stored on the Phreesia System. In or around April 2018 Defendants accessed
`
`
`
`
`11
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 12 of 23
`
`Phreesia University, gaining full access to Phreesia’s confidential training videos and documents.
`
`This material contains confidential information regarding both the functionality of the Phreesia
`
`System as well as information regarding Phreesia’s sales strategies and contacts. Defendants
`
`accessed materials from Phreesia University using the Timothy Goodwin/“Alice Test” account
`
`from in or around April 2018 to April 2019.
`
`
`
`On information and belief, Rolling Rock used the unauthorized logins it procured
`
`through its conspiracy with the other Defendants to review and copy Phreesia’s proprietary
`
`software at the direction of Certify.
`
`
`
`On information and belief, Defendants’ conspiracy with the Phreesia Client to gain
`
`unauthorized access was in part an attempt to disguise Defendants’ incursion of the Phreesia
`
`System.
`
`
`
`
`
`Phreesia first learned of Certify’s unauthorized access in or around January 2021.
`
`Certify has published images of its most recent user interface for its patient
`
`management and intake software. A side-by-side comparison of this Certify user interface and
`
`Phreesia’s proprietary interface shows that they are almost identical in look and function.
`
`
`
`The Certify software even includes the same coding idiosyncrasies and
`
`workarounds for features unique to the Phreesia System that could not plausibly have occurred
`
`without direct access and copying of the confidential functionality and interface of the Phreesia
`
`System.
`
`
`
`The similarities apparent even from the face of Certify’s published user interface
`
`and Phreesia’s proprietary interfaces show that the Certify system also copied the proprietary
`
`architecture, format, structure, organization, workflows, and logic of the software code underlying
`
`the Phreesia System.
`
`
`
`
`12
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 13 of 23
`
`
`
`The extreme similarity between the Phreesia and Certify software could not have
`
`arisen but for the Defendants’ extensive unauthorized access to and reverse engineering of the
`
`software code underlying the Phreesia System.
`
`COUNT I
`Computer Fraud and Abuse Act, 18 U.S.C. § 1030
`(All Defendants)
`
`
`
`Phreesia incorporates by reference the allegations contained in the preceding
`
`paragraphs of this Complaint, as if fully set forth herein.
`
`
`
`Defendants accessed Phreesia’s password-protected proprietary computers and
`
`systems without authorization or in excess of authorization that had been provided.
`
`
`
`
`
`Defendants’ access of the Phreesia platform was thus without proper authority.
`
`Defendants knowingly and with intent to do so, obtained information from at least
`
`one protected computer as that term is used in 18 U.S.C. § 1030(e)(2)(B).
`
`
`
`
`
`This access exceeded Defendants’ authorization and/or was without authorization.
`
`Defendants’ intentional access of at least one protected computer without
`
`authorization, as that term is used in 18 U.S.C. § 1030(e)(2)(B), caused damage to Phreesia in an
`
`amount of $5,000 or more in violation of 18 U.S.C. § 1030(a)(5)(A), in amounts to be proven at
`
`trial.
`
`COUNT II
`Conspiracy - Computer Fraud and Abuse Act, 18 U.S.C. § 1030
`(All Defendants)
`
`
`
`Phreesia repeats and incorporates the allegations set forth in the preceding
`
`paragraphs, as though fully set forth herein.
`
`
`
`On information and belief, the Defendants, collectively constituting two or more
`
`parties, agreed to enter into a conspiracy to access Phreesia’s platform without proper authority.
`
`
`
`On information and belief, each of the Defendants, in their individual capacity
`
`
`
`
`13
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 14 of 23
`
`and/or or acting as personnel for and on behalf of their employers, used improper means to access
`
`the Phreesia System without authorization, including by conspiring with the Phreesia Client to
`
`gain unauthorized access to Phreesia’s proprietary information, and by engaging in unauthorized
`
`access of the Phreesia System.
`
`
`
`Specifically, on information and belief, each of the following personnel engaged in
`
`the overt act of unauthorized access of the Phreesia System, Erika Blair (Certify), Timothy
`
`Goodwin (Certify), Darshan Patel (Certify), and Shreyas Swamy (Certify). Additionally, on
`
`information and belief, one or more officers or employees of Rolling Rock Software engaged in
`
`repeated unauthorized access of the Phreesia System from Rolling Rock Software’s India location
`
`and from Rolling Rock Software’s Gaithersburg, Maryland location.
`
`
`
`On information and belief, each party intentionally participated in the unauthorized
`
`access of the protected computers hosting the Phreesia System for the purpose of copying the
`
`Phreesia System to create a competing software system and/or to disclose Phreesia’s trade secrets
`
`and confidential information to third parties.
`
`
`
`Defendants’ intentional access of at least one protected computer without
`
`authorization, as that term is used in 18 U.S.C. § 1030(e)(2)(B), caused damage to Phreesia in an
`
`amount of $5,000 or more in violation of 18 U.S.C. § 1030(a)(5)(A), in amounts to be proven at
`
`trial.
`
`COUNT III
`Misappropriation of Trade Secrets in Violation of 18 U.S. Code § 1836 et seq.
`(All Defendants)
`
`
`
`Phreesia repeats and incorporates the allegations set forth in the preceding
`
`paragraphs, as though fully set forth herein.
`
`
`
`Phreesia developed its trade secrets and confidential and proprietary information,
`
`including the software code, architecture, format, structure, organization, workflows, back-end
`14
`
`
`
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 15 of 23
`
`logic, functionality, operation, and interface of the Phreesia System through a significant
`
`investment of time, effort, and expense.
`
`
`
`Phreesia has invested more than $92 million during the last five years alone to
`
`develop, implement, and update the Phreesia System.
`
`
`
`The software code, architecture, format, structure, organization, workflows, back-
`
`end logic, functionality, operation, and interface of the Phreesia System derive value from their
`
`secrecy and the fact that they are not openly known in the market.
`
`
`
`Phreesia has taken and continues to take reasonable steps to keep its trade secrets,
`
`data, and information confidential and to prevent disclosure without imposing confidentiality
`
`restrictions on the recipient. Phreesia’s efforts include, but are not limited to: execution of
`
`confidentiality agreements that require counter-parties not to disclose or permit third-party access
`
`to Phreesia software or information, or to use that information other than for a permitted purpose;
`
`limiting circulation of trade secrets within Phreesia and to third parties; and protecting, restricting
`
`and controlling access to Phreesia’s trade secrets and confidential information with physical and
`
`electronic means including encryption, password protection, and other security measures.
`
`
`
`Defendants used improper means to access and discover Phreesia’s trade secrets
`
`and confidential and proprietary information, including by conspiring with the Phreesia Client to
`
`gain unauthorized access to Phreesia’s trade secrets and confidential information, and by engaging
`
`in unauthorized access of the Phreesia System.
`
`
`
`Defendants used the misappropriated trade secrets and confidential and proprietary
`
`information to create a competing software product and/or to disclose Phreesia’s trade secrets and
`
`confidential information to third parties.
`
`
`
`Defendants’ misappropriation of Phreesia’s trade secrets and confidential and
`
`
`
`
`15
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 16 of 23
`
`proprietary information is willful, malicious and/or in wanton disregard of Phreesia’s rights.
`
`
`
`As a result of Defendants’ misappropriation, Phreesia has suffered and will
`
`continue to suffer damages in an amount to be determined at trial, including, inter alia, lost sales,
`
`impaired relationships with clients, and the disclosure and destruction of its trade secrets.
`
`COUNT IV
`Conspiracy - Misappropriation of Trade Secrets in Violation of 18 U.S. Code § 1836 et seq.
`(All Defendants)
`
`
`
`Phreesia repeats and incorporates the allegations set forth in the preceding
`
`paragraphs, as though fully set forth herein.
`
`
`
`On information and belief, the Defendants, collectively constituting two or more
`
`parties, agreed to enter into a conspiracy to misappropriate the trade secrets and confidential
`
`information of Phreesia.
`
`
`
`On information and belief, each of the Defendants, in their individual capacity
`
`and/or or acting as personnel for and on behalf of their employers, used improper means to discover
`
`the trade secrets and confidential and proprietary information of Phreesia, including by conspiring
`
`with the Phreesia Client to gain unauthorized access to Phreesia’s trade secrets and confidential
`
`information, and by engaging in unauthorized access of the Phreesia System.
`
`
`
`Specifically, on information and belief, each of the following personnel engaged in
`
`the overt act of unauthorized access of the Phreesia System, Erika Blair (Certify), Timothy
`
`Goodwin (Certify), Darshan Patel (Certify), and Shreyas Swamy (Certify). Additionally, on
`
`information and belief, one or more officers or employees of Rolling Rock Software engaged in
`
`repeated unauthorized access of the Phreesia System from Rolling Rock Software’s India location.
`
`
`
`On
`
`information and belief, each party
`
`intentionally participated
`
`in
`
`the
`
`misappropriation of Phreesia’s trade secrets and confidential information for the purpose of
`
`copying the Phreesia system to create a competing software system and/or to disclose Phreesia’s
`16
`
`
`
`
`
`
`Case 8:21-cv-00678-TDC Document 1 Filed 03/17/21 Page 17 of 23
`
`trade secrets and confidential information to third parties.
`
`
`
`Defendants’ misappropriation of Phreesia’s trade secrets and confidential and
`
`proprietary information is willful, malicious and/or in wanton disregard of Phreesia’s rights.
`
`
`
`Phreesia has suffered and will continue to suffer damages in an amount to be
`
`determined at trial, including, inter alia, lost sales, impaired relationships with clients, and the
`
`disclosure and destruction of its trade secrets.
`
`COUNT V
`Misappropriation of Trade Secrets in Violation of Maryland Code § 11-1201 et seq.
`(All Defendants)
`
`
`
`Phreesia repeats and incorporates the allegations set forth in the preceding
`
`paragraphs, as though fully set forth herein.
`
`
`
`Phreesia developed its trade secrets and confidential and proprietary information,
`
`including the software code, architecture, format, structure, organization, workflows, back-end
`
`logic, functionality, operation, and interface of the Phreesia System through a significant
`
`investment of time, effort, and expense.
`
`
`
`Phreesia has invested more than $92 million during the last five years alone to
`
`develop,