Opinion
5:21-cv-508-JA-PRL
01-18-2023
CHRYSTAL HOLMES, GERALD FINK, ALEXANDER ROSHELL, and DENISE KINSEY, Plaintiffs, v. THE VILLAGES TRI-COUNTY MEDICAL CENTER, INC., LEESBURG REGIONAL MEDICAL CENTER, INC., and CENTRAL FLORIDA HEALTH, INC., Defendants.
ORDER
JOHN ANTOON II UNITED STATES DISTRICT JUDGE
In this putative class action arising from a computer ransomware attack, Defendants move under Federal Rule of Civil Procedure 12(b)(6) to dismiss all of Plaintiffs' claims for failure to state a claim upon which relief can be granted. Having heard oral argument on both that motion and the issue of Plaintiffs' Article III standing to pursue their claims in federal court, the Court concludes that the allegations in Plaintiffs' Amended Complaint do not support the injuryin-fact component of Article III standing. Thus, this Court lacks subject-matter jurisdiction and must remand this action to the state court from which Defendants removed it.
The Factual Background is taken from the Amended Complaint (Doc. 17).
The three Defendants-The Villages Tri-County Medical Center, Inc., Leesburg Regional Medical Center, Inc., and Central Florida Health, Inc. (collectively, UF Health)-all operate under the fictitious name “UF Health Central Florida.” UF Health is a health care system that provides inpatient hospital services and other medical services at several locations in central Florida. (Am. Compl., Doc. 17, ¶¶ 2-3). The four named Plaintiffs-Chrystal Holmes, Gerald Fink, Alexander Roshell, and Denise Kinsey-are former patients of Defendants who provided “personal identifiable information” (PII) and “protected health information” (PHI) to Defendants “to obtain medical treatment.” (Id. ¶¶ 1 & 4). The PII and PHI that each Plaintiff provided included their “name, address, date of birth, and/or Social Security number as well as health insurance information, medical record number, patient account number, and/or limited treatment information.” (Id. ¶¶ 74, 83, 92, & 101).
In late May 2021, “an unauthorized actor obtained unauthorized access to [UF Health]'s computer network as part of a ransomware attack,” and “[t]he unauthorized actor may have accessed the PII and PHI of [UF Health] s current and former patients, including Plaintiffs and Class Members.5' (Id. ¶¶ 5-6 (emphasis added)). “On or around July 30, 2021,” UF Health posted a notice on its website regarding the attack, advising that it was informing patients of the attack and that on July 30, 2021, it had begun mailing them letters about the event. (Id. ¶ 41; “Notice to Our Patients of Cybersecurity Event,” Ex. 2 to Am. Compl., Doc. 17-2). The notice stated:
Notice to Our Patients of Cybersecurity Event
UF Health takes the privacy and security of our patients' information very seriously. This notice concerns a cybersecurity event that may have involved some of that information.
On May 31, 2021, UF Health Central Florida - including UF Health Leesburg Hospital and UF Health The Villages® Hospital - detected unusual activity involving its computer systems. We took immediate action to contain the event, including reporting it to law enforcement and launching an investigation with independent experts. . . .
The investigation determined that unauthorized access to UF Health Central Florida's computer network occurred between May 29 and May 31, 2021. During this brief time period, some patient information may have been accessible, such as names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers, as well as limited treatment information used by UF Health for its business operations. UF Health's electronic medical records were not involved or accessed.
We have no reason to believe the information was further used or disclosed; however, on July 30, 2021, we began mailing letters to
individuals whose data may have been involved and, as a precautionary measure, are offering them complimentary credit monitoring and identity protection services. Patients are also encouraged to review statements from their health insurer, and to contact them immediately if they see any services they did not receive. .. .(Doc. 17-2 at 2 (emphases added)). Each of the named Plaintiffs received a letter from UF Health about the event “on or around July 30, 2021.” (Am. Compl. ¶¶ 15-18, 75, 84, 93, 102). Plaintiffs did not know about the ransomware attack before receiving the letters. (See id. ¶ 11).
Plaintiff Holmes wasted no time, filing suit in state court approximately one month after receiving her letter. (See Doc. 1-1). Defendants removed the action to this Court in October 2021. (Notice of Removal, Doc. 1). In December 2021, the three other named Plaintiffs joined Holmes in filing the Amended Class Action Complaint (Amended Complaint) (Doc. 17). The Amended Complaint asserts four claims: negligence, two counts of breach of implied contract (pleaded in the alternative on behalf of two differently defined classes), and breach of fiduciary duty. Plaintiffs allege “actual injury in the form of damages to and diminution in the value of [their] PII and PHI as well as “lost time, annoyance, interference, inconvenience,” “anxiety and increased concerns for the loss of [their] privacy,” and “substantially increased risk of fraud, identity theft, and misuse.” (Am. Compl. ¶¶ 79-81, 88-90, 97-99, & 106-08). They seek damages as well as injunctive relief. (Id. at 53-57).
In response to the Amended Complaint, Defendants filed a Rule 12(b)(6) motion seeking to dismiss all of Plaintiffs' claims for failure to state a claim for which relief can be granted. (Mot., Doc. 25). Among Defendants' arguments in that motion was that Plaintiffs had failed to allege that they suffered any cognizable injury from the ransomware attack. (Id. at 15-24). Defendants did not challenge Plaintiffs' standing to pursue their claims in federal court. In response to Defendants' argument about a lack of cognizable damages, Plaintiffs relied almost exclusively on the nominal damages-not actual damages-that they sought to recover. (See Pls.' Resp., Doc. 32).
The Court granted Defendants' Request (Doc. 34) for oral argument on the 12(b)(6) motion and also, sua sponte, ordered the parties to address Plaintiffs' Article III standing to pursue their claims in federal court. (Order and Notice of Hr'g, Doc. 39). The parties did so during oral argument on August 4, 2022, with both sides maintaining that Plaintiffs have standing. As set forth below, however, the Court does not agree with the parties but instead concludes that it lacks subject-matter jurisdiction to consider the 12(b)(6) motion or otherwise adjudicate Plaintiffs' claims.
II. Discussion
A. Principles of Standing
The power that the Constitution grants federal courts is limited to resolving “Cases” and “Controversies.” U.S. Const, art. Ill. §§ 1-2. Indeed, “[n]o principle is more fundamental to the judiciary's proper role in our system of government than the constitutional limitation of federal-court jurisdiction to actual cases or controversies.” Raines v. Byrd, 521 U.S. 811, 818 (1997) (quoting Simon v. E. Ky. Welfare Rts. Org., 426 U.S. 26, 37 (1976)). And the doctrine of standing is essential to the requirement that there be a “Case” or “Controversy.” Standing is thus “a ‘threshold question in every federal case, determining the power of the court to entertain the suit.'” In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., Case No. 21-MD-02994-RAR, 2022 WL 1468057, at *2 (S.D. Fla. May 10, 2022) (quoting Warth v. Seldin, 422 U.S. 490, 498 (1975)). Here, the parties did not raise the issue of standing, but because it goes to the question of subject-matter jurisdiction, the Court is obligated to do so sua sponte. See, e.g., Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 94 (1998) (“This question the court is bound to ask and answer for itself, even when not otherwise suggested, and without respect to the relation of the parties to it.” (quoting Great S. Fire Proof Hotel Co. v. Jones, 177 U.S. 449, 453 (1900))).
At the “irreducible constitutional minimum,” “standing consists of three elements”: (1) an injury in fact suffered by the plaintiff; (2) that is fairly traceable to the defendant's challenged conduct; and “(3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016) (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992)). An injury in fact-the concern here-is “‘an invasion of a legally protected interest' that is ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical.'” Id. at 339 (quoting Lujan, 504 U.S. at 560).
To be concrete, an injury must be “real, and not abstract.” TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2204 (2021) (quoting Spokeo, 578 U.S. at 340). In other words, the injury “must actually exist.” Spokeo, 578 U.S. at 340. “[F]ears of hypothetical future harm” are not concrete injuries. Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 926 (11th Cir. 2020) (en banc). And the parties agree that a request for nominal damages is not sufficient to establish injury-in-fact for standing, although it might be enough-for the purpose of pleading a cognizable cause of action-to satisfy the damages element of at least some of the causes of action Plaintiffs bring under Florida law.
A plaintiff who seeks injunctive relief to prevent future harm can satisfy the injury-in-fact requirement by asserting a “risk of future harm” that “is sufficiently imminent and substantial.” TransUnion, 141 S.Ct. at 2210. However, for a damages claimant, “the mere risk of future harm, standing alone, cannot qualify as a concrete harm . . . unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 2210-11.
Although Defendants removed this action from state court to this Court, Plaintiffs bear the burden of establishing standing because they are now asserting this Court's jurisdiction. See DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 339, 342 & n.3 (2006) (holding that the plaintiffs bore the burden in removed case even where they had initially moved to remand, noting that “[w]hatever the parties' previous positions on the propriety of a federal forum, plaintiffs, as the parties seeking to establish federal jurisdiction, must make the showings required for standing”). In any event, both sides have tried to convince the Court that Plaintiffs have standing, but the Court is not persuaded.
At the pleading stage of a case, “a plaintiff must allege facts that, taken as true, ‘plausibly' state that the elements of standing are met.” Hunstein v. Preferred Collection & Mgmt. Servs., Inc., 48 F.4th 1236, 1241 (11th Cir. 2022) (en banc). Courts “will not ‘imagine or piece together an injury sufficient to give [a] plaintiff standing when it has demonstrated none,' and [courts] are powerless to ‘create jurisdiction by embellishing a deficient allegation of injury.'” Muransky, 979 F.3d at 925 (first alteration in original) (quoting Miccosukee Tribe of Indians of Fla. v. Fla. State Athletic Comm'n, 226 F.3d 1226, 1229-30 (11th Cir. 2000)).
B. Application
Applying these principles here, the allegations of injury in the Amended Complaint do not describe an injury in fact that supports Article III standing. At bottom, Plaintiffs assert only that a data breach occurred, and “[e]vidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.” Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332, 1344 (11th Cir. 2021). Plaintiffs have not alleged facts supporting standing to seek either injunctive relief or damages in federal court.
The only knowledge Plaintiffs profess to have regarding the ransomware attack comes from what UF Health included in its notice-that sensitive information “may have” been accessed by a third party. In essence, Plaintiffs allege that a ransomware attack occurred and that they were notified of it. They filed this lawsuit based on those events and those events only. That the information that allegedly was accessed is sensitive-containing names, addresses, Social Security numbers, and medical information-does not mean that Plaintiffs have suffered an injury-in-fact.
1. Risk of Future Harm
As earlier noted, assertions of potential future injury can support standing to pursue injunctive relief. But to the extent Plaintiffs seek injunctive relief, their allegations fall short of what is necessary to establish injury in fact based on a risk of future harm.
Not just any allegations of potential future injury will suffice for standing purposes. “[A] person exposed to a future risk of harm may pursue forwardlooking, injunctive relief to prevent the harm from occurring, at least so long as the risk of harm is sufficiently imminent and substantial.” Trans Union, 141 S.Ct. at 2210; accord Tsao, 986 F.3d at 1338-39 (“[A]t the very least,” there must be “a showing that there is a ‘substantial risk' that the harm will occur.” (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 n.5 (2013)). And to be “imminent,” a “[t]hreatened injury must be certainly impending.” Id. at 1338 (quoting Clapper, 568 U.S. at 409). “[A]llegations of possible future injury are not sufficient.” Id. (quoting Clapper, 568 U.S. at 409).
The Amended Complaint is laced with speculation, including the phrases “personal information can be sold,” (Am. Compl. ¶ 60); “[t]h[e] information . . . can be used to commit myriad financial crimes, ” id. ¶ 31; “[unauthorized individuals can easily access” the information, id. ¶ 43; the “information may end up for sale on the dark web, or simply fall into the hands of companies that will use the detailed [information] for targeted marketing,” id.; “[c]riminals can also purchase” information obtained from data breaches, id. ¶ 60; “the loss of an individual's Social Security number . . . can lead to identity theft and extensive financial fraud,” id. ¶ 61; and “thieves may obtain” licenses and benefits using the information, id. ¶ 66. But such generalities and speculation do not establish injury-in-fact.
Plaintiffs' allegations are too speculative to support “substantial' or “imminent” risk. Plaintiffs claim to be exposed to an increased risk of identity theft, but because they only speculate as to whether their or anyone else's information was accessed, they do not allege any facts supporting a conclusion that whatever risk may exist rises to the level of “certainly impending.” They allege no use or attempted use of their or anyone else's data. Although “actual misuse is not necessary for a plaintiff to establish standing following a data breach, . . . without specific evidence of some misuse of class members' data, a named plaintiffs burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was ‘certainly impending'-or that there was a ‘substantial risk' of such harm-will be difficult to meet.” Tsao, 986 F.3d at 1343-44; see also In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., Civ. Action No. 19-md-2904, 2021 WL 5937742, at *9- 10 (D.N.J. Dec. 16, 2021) (concluding that the alleged injury to “Group III” plaintiffs in MDL action was “simply too conjectural” where they “alleged no facts to support an inference that their particular information was accessed, stolen, or misused”). “[T]he risk of harm here is not sufficiently imminent or substantial to confer standing, even for a claim seeking purely injunctive relief.” C.C. v. Med-Data Inc., Case No. 21-2301-DDC-GEB, 2022 WL 970862, at *8 (D. Kan. Mar. 31, 2022).
2. Standing for Damages Claims
Plaintiffs' assertions of concrete injury in support of standing on their damages claims also fall short. Their allegations do not plausibly establish that they have suffered a concrete harm, and they cannot rely on a risk of future harm for their damages claims “unless the exposure to the risk of future harm itself causes a separate concrete harm.” TransUnion, 141 S.Ct. at 2211. Plaintiffs have not alleged a separate concrete harm, and as noted above they have not sufficiently asserted a substantial and imminent risk of future harm in any event.
Plaintiffs assert in the Amended Complaint that they have been damaged by loss of value of their PHI and PIL But they do not explain how their personal information has lost value-nor could they, not knowing whether the ransomware attackers possess the information. And they assert neither actual use nor attempted use of their, or anyone else's, information.
Plaintiffs also assert harm in having to take action to protect against future identity theft and unauthorized use of their information. But they “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Clapper, 568 U.S. at 416.
In arguing that Plaintiff have standing but do not allege cognizable damages for Rule 12(b)(6) purposes, Defendants agreed at oral argument that it is at least “a close call” and that they are between “[a] rock and a hard spot.” For their part, in their response to Defendants' 12(b)(6) motion Plaintiffs dug in on their claim for “nominal damages” and did not elaborate on any actual damages at all. But they acknowledge that nominal damages are not sufficient for Article III standing purposes. So, those allegations do not suffice.
As both sides acknowledge, often the question “whether the plaintiff ‘has a cognizable injury sufficient to confer standing is closely bound up with the question . . . whether and how the law will grant him relief,'” but “we must ‘not . . . conflate Article Ill's requirement of injury in fact with a plaintiff s potential causes of action, for the concepts are not coextensive.'” Debernardis v. IQ Formulations, LLC, 942 F.3d 1076, 1084 (11th Cir. 2019) (second alteration in original) (quoting Braden v. Wal-Mart Stores, Inc., 588 F.3d 585, 591 (8th Cir. 2009)).
Plaintiffs explained at oral argument that in seeking to establish standing they are focusing not on social security numbers and the potential for identity theft but instead on medical information that was potentially exposed. Regardless of whether the information Plaintiffs rely on is social security numbers or medical information, however, their allegations are speculative and based on what “may” have happened. Plaintiffs apparently choose to focus on disclosure of their medical information so that they can attempt to analogize their alleged harm to the common law tort of “disclosure of private information,” which the Trans Union Court noted could amount to a concrete intangible harm. But finding a common law analog for a harm is part of the analysis in cases involving “bare” statutory violations-like the circuit court decisions Plaintiff cited at oral argument-not cases like this one where the Plaintiffs' claims are already common law causes of action. Moreover, even if this “analogous common law harm” rubric were in play here, the Eleventh Circuit explained in Hunstein that the tort of disclosure of private information requires “publicity”-that is, the “making public”-of private information. See Hunstein, 48 F.4th at 124549. Here, as in Hunstein, there are no allegations of such publicity; instead, Plaintiffs allege only that private actors “may have” accessed their information, not that anyone made that information public. And as noted earlier, the allegations of access by even one person in this case are speculative at best.
In sum, Plaintiffs do not allege facts supporting a conclusion that they have suffered an injury in fact. Their assertions boil down to "fears of hypothetical future harm,” which are not concrete injuries. Muransky, 979 F.3d at 926. Absent an injury that “actually exist[s],” Spokeo, 578 U.S. at 340, Plaintiffs do not have standing to pursue their damages claims.
III. Conclusion
The allegations of injury in the Amended Complaint are speculative and insufficient to satisfy the injury-in-fact requirement of Article HI standing. This Court therefore lacks subject-matter jurisdiction to hear Plaintiffs' claims. Because this action was removed from state court and this Court has determined that it lacks subject-matter jurisdiction, it is ORDERED as follows:
1. Pursuant to 28 U.S.C. § 1447(c), this action is REMANDED to the Circuit Court for the Fifth Judicial Circuit in and for Lake County, Florida, Case No. 35-2021-CA-001536.
2. After remand, the Clerk shall close this case.
ORDER and ORDERED.