Opinion
CIVIL ACTION NO. 20-5375
05-17-2021
Barry K. GRAHAM, et al. v. UNIVERSAL HEALTH SERVICE, INC.
John A. Yanchunis, Morgan & Morgan, Tampa, FL, for Stephen Motkowicz. Mark S. Melodia, Holland & Knight LLP, New York, NY, Nipun J. Patel, Paul Bond, Holland & Knight LLP, Philadelphia, PA, for Universal Health Services, Inc.
John A. Yanchunis, Morgan & Morgan, Tampa, FL, for Stephen Motkowicz.
Mark S. Melodia, Holland & Knight LLP, New York, NY, Nipun J. Patel, Paul Bond, Holland & Knight LLP, Philadelphia, PA, for Universal Health Services, Inc.
MEMORANDUM
McHUGH, United States District Judge
This is a putative class action arising out of a data breach that occurred when a health care company was subjected to a ransomware attack. Plaintiffs Barry K. Graham, Angela Morgan, and Stephen Motkowicz allege that Universal Health Services failed to safeguard their protected health information ("PHI"), with the result that their PHI was exposed to hackers in September 2020. The issue is whether Plaintiffs can show injuries sufficient to confer standing. Two of the three named Plaintiffs allege only increased risk of identity theft, as well as additional expenditures of time and money to monitor accounts for fraud. Their claims fail because of the narrow definition of injury the Third Circuit adopted for data breach cases in Reilly v. Ceridian Corp , 664 F.3d 38 (3d Cir. 2011). The remaining Plaintiff, Stephen Motkowicz, alleges an additional, novel injury—that the data theft delayed his surgery, which caused his employer-provided insurance to lapse and required him to purchase alternative insurance at a higher premium. As to this claim, the economic loss qualifies as a concrete injury, but further development of the record is required to determine whether there is a sufficient causal relationship to confer standing.
I. Factual Background
Defendant Universal operates "one of the largest healthcare companies in North America," First Am. Compl. ¶ 37, ECF 13, and "[i]n its ordinary course of business, ... maintains PHI, including the name, address, zip code, date of birth, Social Security number, medical diagnoses, insurance information, and other sensitive and confidential information for current and former customers/patients." Id. ¶ 38. In late September 2020, Defendant announced that its facilities were "currently offline due to an IT security issue." Id. ¶ 2. Plaintiffs contend that Defendant's systems were inaccessible because of a malicious ransomware attack. Id.
Barry Graham, Angela Morgan, and Stephen Motkowicz are customers of Defendant. Id. ¶¶ 12, 14, 16. They claim their PHI was compromised in the September attack due to "Defendant's failure to implement and follow appropriate security procedures." Id. ¶ 5. Plaintiffs further allege that they have (1) experienced an increased risk of identity theft, id. ¶ 53; (2) expended additional time and money to monitor their personal and financial records for fraud, id. ¶ 62; (3) suffered the lost or diminished value of their PHI, id. ¶ 181; and (4) received a "diminished value of the services they paid Defendant to provide," as Defendant represented that it would protect the confidentiality of their PHI. Id. ¶ 6.
In addition to the injuries described above, Plaintiff Motkowicz also claims financial harms, in the form of increased insurance expenses. Id. ¶ 65. He avers that he was scheduled for a surgical procedure on September 28, 2020, but that Defendant canceled his procedure on account of the ransomware attack. Id. Motkowicz's surgery was rescheduled for six weeks later, which caused him to miss additional time at work. Id. Because he could not return to work, Plaintiff's insurance lapsed, requiring him to procure alternative insurance at an increased cost. Id.
Plaintiffs’ suit claims that Defendant has engaged in negligence ("Count I"), breach of implied contract ("Count II"), breach of fiduciary duty ("Count III"), and breach of confidence ("Count IV"). Defendant counters with a Motion to Dismiss pursuant to Fed. R. Civ. P. 12(b)(1) and 12(b)(6), arguing that Plaintiffs lack standing and that they have otherwise failed to state a claim.
II. Standard of Review
Slightly different standards of review apply for motions to dismiss claims pursuant to Federal Rules 12(b)(1) and (6). Within the Third Circuit, motions to dismiss under Fed. R. Civ. P. 12(b)(6) are governed by the well-established standard set forth in Fowler v. UPMC Shadyside , 578 F.3d 203, 210 (3d Cir. 2009).
To decide a motion to dismiss under 12(b)(1), "a court must first determine whether the movant presents a facial or factual attack." In re Schering Plough Corp. Intron/Temodar Consumer Class Action , 678 F.3d 235, 243 (3d Cir. 2012). A facial attack is one that "attack[s] the sufficiency of the consolidated complaint on the grounds that the pleaded facts d[id] not establish constitutional standing." In Re Horizon Healthcare Services Inc. Data Breach Litigation , 846 F.3d 625, 632 (3d Cir. 2017). A factual challenge, by contrast, contests the validity of Plaintiffs’ factual claims. Id. Defendant raises a facial challenge; it does not directly attack Plaintiffs’ pleaded facts but instead argues that "[t]he allegations in Plaintiffs’ Amended Complaint fall far short" of conferring standing. Def.’s Mem. L. Supp. Mot. Dismiss 13, ECF 15-1. Considering this facial attack, I must "accept the Plaintiffs’ well-pleaded factual allegations as true and draw all reasonable inferences from those allegations in the Plaintiffs’ favor." In Re Horizon , 846 F.3d at 633.
III. Discussion
Article III of the Constitution limits federal courts’ jurisdiction to certain "Cases" and "Controversies." U.S. CONST. art. III, § 2. At its core, "the question of standing is whether the litigant is entitled to have the court decide the merits of the dispute or of particular issues." Warth v. Seldin , 422 U.S. 490, 498, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975). To demonstrate standing to file suit, Plaintiffs must show (1) an "injury in fact" or an "invasion of a legally protected interest" that is "concrete and particularized," (2) a "causal connection between the injury and the conduct complained of," and (3) a likelihood "that the injury will be redressed by a favorable decision." Lujan v. Defs. of Wildlife , 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992).
These standing requirements also apply in the class action context. "[N]amed plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." Lewis v. Casey , 518 U.S. 343, 357, 116 S.Ct. 2174, 135 L.Ed.2d 606 (1996) (citation and internal quotation marks omitted). "[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class." O'Shea v. Littleton , 414 U.S. 488, 494, 94 S.Ct. 669, 38 L.Ed.2d 674 (1974). Accordingly, at least one of the three named Plaintiffs must have Article III standing to maintain this class action. See Neale v. Volvo Cars of North America, LLC , 794 F.3d 353, 364 (3d Cir. 2015).
A. Injury-in-Fact
Plaintiffs assert five potential injuries-in-fact: (1) increased risk of identity theft; (2) additional expenditures of time and money for monitoring; (3) lost or diminished value of their PHI; (4) a "diminished value of the services they paid Defendant to provide," and (5) Mr. Motkowicz's increased insurance costs. First Am. Compl. ¶¶ 6, 65. Based on the pleadings presented, I find that only Motkowicz has shown injury-in-fact. Because Graham and Morgan's injuries are either speculative or manufactured, their claims are precluded by the Third Circuit's opinion in Reilly v. Ceridian Corp. 664 F.3d 38.
The injury-in-fact requirement is intended to "distinguish a person with a direct stake in the outcome of a litigation—even though small—from a person with a mere interest in the problem." United States v. Students Challenging Regulatory Agency Procedures (SCRAP) , 412 U.S. 669, 689 n.14, 93 S.Ct. 2405, 37 L.Ed.2d 254 (1973). This standard is "not Mount Everest," Danvers Motor Co., Inc. v. Ford Motor Co. , 432 F.3d 286, 294 (3d Cir. 2005), and demands only that the plaintiff "allege some specific, ‘identifiable trifle’ of injury." Cottrell v. Alcon Laboratories , 874 F.3d 154, 163 (3d Cir. 2017) (citing Bowman v. Wilson , 672 F.2d 1145, 1151 (3d Cir. 1982) ) (internal punctuation omitted). Even so, an injury-in-fact "must be concrete in both a qualitative and temporal sense." Reilly , 664 F.3d at 42. For this reason, "allegations of possible future injury," will not suffice, and a plaintiff "lacks standing if his ‘injury’ stems from an indefinite risk of future harms inflicted by unknown third parties." Id.
1. Economic loss in the form of increased insurance premiums
Motkowiczs’ claim for increased insurance payments meets the injury-in-fact requirement. As noted by the Third Circuit, "[t]ypically, a plaintiff's allegations of financial harm will easily satisfy each of these components, as financial harm is a ‘classic’ and ‘paradigmatic form’ of injury in fact." Cottrell , 874 F.3d at 163 (internal punctuation omitted). See also Danvers , 432 F.3d at 293 (stating that where a plaintiff alleges financial harm, standing "is often assumed without discussion"). Plaintiff's injury is not speculative, as his financial expenditures allegedly occurred in response to the data breach and the corresponding cancellation of his surgery. Nor has Plaintiff "manufactured" standing, as his additional insurance payments did not arise due to voluntary prophylactic action on his part. See Clapper v. Amnesty Intern. USA , 568 U.S. 398, 416, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) (stating that respondents cannot create "standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending"). I therefore conclude that Motkowicz has sufficiently alleged an injury-in-fact.
2. Injuries premised on future risks
In contrast, Plaintiffs’ claims of injury based on increased risk of identity theft do not confer standing under Reilly , where the Third Circuit outlined the contours of the "injury-in-fact" requirement in the data breach context. 664 F.3d at 42. As an initial matter, it is important to recognize that Plaintiffs are suing exclusively under common law. Where Congress has deemed certain conduct unlawful, standing can be conferred by alleging an injury recognized by statute. For example, because the Fair Credit Reporting Act confers certain protections on consumer data, it transforms what might otherwise be viewed as intangible harms into injuries-in fact. See In Re Horizon , 846 F.3d at 639. Plaintiffs here cannot rely upon any such Congressional judgment as the basis for claiming injury. See Gennock v. Kirkland's Inc., No. 17-454, 2017 WL 6883933, at *5 (W.D. Pa. 2017) (distinguishing between Horizon and Reilly "on the basis that [Reilly] involved common law claims, whereas in Horizon the plaintiffs cited an act in which Congress elevated the unauthorized disclosure of information into a tort"). Plaintiffs must therefore meet the requirements of Reilly.
The Reilly plaintiffs alleged that a hacker successfully infiltrated the defendant's database and obtained the PHI of 27,000 employees. 664 F.3d at 40. The Third Circuit concluded that plaintiffs’ allegations, which included claims of increased risk, amounted to "hypothetical future injuries" that depended on the court assuming that the "hacker (1) read, copied, and understood their personal information; (2) intend[ed] to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of Appellants by making unauthorized transactions in Appellants’ names." Id. at 42. The court further stated that, "unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm." Id.
Plaintiffs’ attempts to distinguish their case from Reilly are not persuasive. They first invoke decisions from the Sixth, Seventh, Ninth, and Tenth Circuits finding standing based on increased risk of harm. Those cases may indeed have a more realistic view of the impact of data thefts on consumers, but I am bound by the Third Circuit's approach. Plaintiffs next emphasize that there "was no evidence that the intrusion was intentional or malicious [in Reilly ] ... [h]owever, few things could be more intentional or malicious than a ransomware attack such as the attack at issue in this case." Pls.’ Opp'n Mot. Dismiss 5, ECF 20. This distinction regarding the motives of the attacker does not render the injuries of these Plaintiffs any more concrete. The target of a ransomware attack is the holder of the confidential data; the misappropriation of the data, whether by theft or merely limitation on access to it, is generally the means to an end: extorting payment. A court is still left to speculate, as in Reilly , whether the hackers acquired Plaintiffs’ PHI in a form that would allow them to make unauthorized transactions in their names, as well as whether Plaintiffs are also intended targets of the hackers’ future criminal acts. At this juncture, the most Plaintiffs can plead is that the hackers secured their PHI through a ransomware attack against Universal.
See, e.g. , Galaria v. Nationwide Mut. Ins. Co. , 663 F. App'x. 384, 389 (6th Cir. 2016) ; Lewert v. P.F. Chang's China Bistro, Inc. , 819 F.3d 963, 967 (7th Cir. 2016) ; In re 21st Century Oncology Customer Data Sec. Breach Litig. , 380 F. Supp. 3d 1243, 1253 (M.D. Fla. 2019) ; In re Zappos.com, Inc. , 888 F.3d 1020, 1027 (9th Cir. 2018).
As in Reilly, Plaintiffs’ risk of identity theft "is dependent on entirely speculative, future actions of an unknown third-party." 664 F.3d at 42. Faced with similar facts, district courts within the Third Circuit have been compelled to conclude that consumers lack standing. See Clemens v. ExecuPharm, Inc. , No. CV 20-3383, 2021 WL 735728, at *3 (E.D. Pa. Feb. 25, 2021) (stating that plaintiff involved in ransomware attack had failed to allege an injury-in-fact); In Re Rutter's Inc. Data Breach Litigation , 511 F.Supp.3d 514, 523 (M.D. Pa. 2021) (holding that plaintiffs lacked standing where they "had not alleged actual ‘misuse’ of their information"); Storm v. Paytime Inc. , 90 F.Supp. 3d 359, 368 (M.D. Pa. 2015) ("Plaintiffs have not alleged that harm to their privacy interest is actual or imminent"). In contrast, the Reilly standard can be met where a plaintiff is able to plead actual or imminent misuse of their personal information. See, e.g. , Enslin v. Coca–Cola Company , 136 F. Supp. 3d 654, 664 (E.D. Pa. 2015) (finding standing where the plaintiff suffered "alleged theft of funds from his bank accounts on two occasions, unauthorized use of four credit cards, and the unauthorized issuance of new credit cards in Plaintiff's name").
Similarly, Plaintiffs’ preventative measures to monitor their financial records do not establish injury-in-fact. The Reilly court specifically rejected the theory that plaintiffs’ expenditures to safeguard their information following a data breach conferred standing. 664 F.3d at 46. It reasoned that "costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury.’ " Id. The circumstances are nearly identical here, where Plaintiffs’ costs similarly consist of monitoring for criminality that has not occurred yet. Id. at 44 ; accord Clemens , 2021 WL 735728, at *5 ; Storm , 90 F.Supp. 3d at 367 ; In Re Rutter's Inc. , 511 F.Supp.3d at 525–26.
Plaintiffs further assert the diminished value of their PHI, citing In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig. , 440 F. Supp. 3d 447 (D. Md. 2020). There, Judge Grimm cogently explained how personal data can have intrinsic value in an economy that relies heavily upon personally identifying information. Id. at 460–61. But the potential value of the information is not the issue. The issue remains whether Plaintiffs’ admittedly valuable information has been misused, and that remains speculative. See Clemens , 2021 WL 735728, at *4 (denying standing where claim was "still only ascertainable using the word ‘if’—if anyone actually downloaded her information from the dark web, if they attempt to use her information, and if they do so successfully, only then will she experience actual harm").
And finally, without more, Plaintiffs may not achieve standing on the allegation that Defendant breached an implied contract. See First Am. Compl. ¶ 6 (alleging injury based on the "diminished value of the services they paid Defendant to provide"). A review of the district court record in Reilly reveals that the plaintiff there also asserted breach of contract, No. 10-5142, 2011 WL 735512, at *2 (D.N.J. Feb. 22, 2011), and that this claim did not prevent the Court of Appeals from affirming dismissal for lack of standing. Moreover, even assuming a contractual undertaking by Universal to protect the data, the harms flowing from the breach would remain speculative and therefore problematic under Reilly.
B. Causation
Mr. Motkowicz, the remaining named Plaintiff, has demonstrated injury-in-fact. To claim standing, he must further show that the injury-in-fact is "fairly traceable to the challenged conduct of the defendant." Cottrell , 874 F.3d at 162. The Third Circuit has recently reiterated that the "[t]he traceability element is akin to ‘but for’ causation in tort." LaSpina v. SEIU Pennsylvania State Council , 985 F.3d 278, 284 (3d Cir. 2021). And at the pleading stage, "standing may be satisfied even if the plaintiff alleges an indirect (or multistep) causal relationship between the defendant's conduct and her injury." Id. at 287.
Plaintiff's theory of causation appears to proceed as follows: "but for" Defendant's negligence, the data breach would not have occurred, Motkowicz's appointment would not have been canceled, and he would have returned to work on time and maintained his prior insurance. This causal chain presents Plaintiff with a significant challenge, but a definitive answer as to standing requires further development of the record. The Third Circuit has held that "[t]he District Court, rather than a jury, resolves factual issues relevant to determining whether a party has standing." Freedom from Religion Found., Inc. v. New Kensington Arnold Sch. Dist., 832 F.3d 469, 475 n.4 (3d Cir. 2016). "District courts, when assessing pre-discovery challenges to standing, may consider plaintiffs’ affidavits or conduct preliminary evidentiary hearings." Finkelman v. National Football League, 810 F.3d 187, 202 n.97 (3d Cir. 2016) (citing Doherty v. Rutgers Sch. of Law–Newark, 651 F.2d 893, 898 n. 6 (3d Cir. 1981) ).
The pandemic presents logistical challenges to in-person hearings. I will therefore give the parties sixty days within which to conduct discovery and supplement the record with affidavits or deposition testimony pertinent to the issue of causation.
IV. Conclusion
For the reasons set forth above, Defendant's Motion to Dismiss Plaintiff's First Amended Complaint will be granted in part. An appropriate order follows.