
In re MCG Health Data Sec. Issue Litig.

United States District Court, Western District of Washington
Mar 27, 2023
2:22-CV-849-RSM-DWC (W.D. Wash. Mar. 27, 2023)

Opinion

In Re MCG Health Data Security Issue Litigation


Noting Dated: April 14, 2023

REPORT AND RECOMMENDATION

David W. Christel, Chief United States Magistrate Judge

The District Court referred this action to United States Magistrate Judge David W. Christel. Dkt. 11. Currently before the Court is Defendant MCG Health's Motion to Dismiss. Dkt. 35. After reviewing the relevant record, the Court recommends the Motion to Dismiss be granted-in-part and denied-in-part as follows: the claims alleged in Counts 6, 13, and 17 in-part be allowed to proceed; the claims alleged in Counts 1 in-part, 2, 8, 12, 14, and 18 in-part be dismissed without prejudice; the claims alleged in Counts 1 in-part, 3-5, 7, 9-11, 15, 16, 17 in part, 18 in-part, 19, and 20-22 be dismissed with prejudice; and Plaintiffs be given leave to file an amended complaint that includes only Counts 1, 2, 6, 8, 12-14, 17, and 18; however, the negligence per se claim contained in Count 1 and the claims alleged by Plaintiff Strecker in Counts 17 and 18 are dismissed with prejudice and may not be included in the amended complaint.

I. Background

Plaintiffs have filed a consolidated class action complaint (“Complaint”) alleging that “MCG Health is a healthcare consulting company that provides patient care guidelines and health plans that include care strategies, analytics, software solutions, and other services to hospitals, government programs, and health plans across the country.” Dkt. 32, ¶ 1. The Complaint alleges that, on June 10, 2022, MCG Health publicly disclosed that an unauthorized individual had obtained the private information of approximately 1,100,000 people that was stored on MCG Health's computer network on March 25, 2022. Dkt. 32, ¶¶ 2-3. Plaintiffs contend the data breach was a direct result of MCG Health's failure to implement adequate and reasonable cyber-security procedures and protocols. Id. at ¶ 7.

As a result of MCG Health's alleged failures, Plaintiffs assert the following causes of action: (1) negligence; (2) breach of third-party beneficiary contract; (3) breach of confidence; (4) unjust enrichment; (5) invasion of privacy; (6) violation of the Washington State Consumer Protection Act; (7) violation of the Washington State Uniform Health Information Act; (8) violation of the California Confidentiality of Medical Information Act; (9) violation of the California Consumer Privacy Act; (10) violation of California's Unfair Competition Law; (11) violation of the Illinois Consumer Fraud Act; (12) violation of the Indiana Deceptive Consumer Sales Act; (13) violation of the Kansas Data Breach Requirements Act; (14) violation of the Kansas Consumer Protection Act; (15) violation of the Kentucky Computer Security Breach Notification Act; (16) violation of the Kentucky Consumer Protection Act; (17) violation of the Louisiana Database Security Breach Notification Law; (18) violation of the Louisiana Unfair Trade Practices and Consumer Protection Law; (19) violation of the Mississippi Consumer Protection Act; (20) violation of the New Mexico Unfair Practices Act; (21) violation of the Ohio Deceptive Trade Practices Act; and (22) declaratory and injunctive relief. Dkt. 32.

MCG Health filed the Motion to Dismiss on October 31, 2022. Dkt. 35. On December 9, 2022, Plaintiffs filed their Response and, on January 13, 2023, MCG Health filed its Reply. Dkts. 54, 56. The Court has reviewed the relevant record and finds this matter can be decided without oral argument. Therefore, the Court declines MCG Health's request for oral argument.

II. Standard of Review

A defendant may move for dismissal when a plaintiff “fails to state a claim upon which relief can be granted.” Fed.R.Civ.P. 12(b)(6). To grant a motion to dismiss, the Court must be able to conclude that the moving party is entitled to judgment as a matter of law, even after accepting all factual allegations in the complaint as true and construing them in the light most favorable to the non-moving party. Fleming v. Pickard, 581 F.3d 922, 925 (9th Cir. 2009). To survive a motion to dismiss, a plaintiff must merely cite facts supporting a “plausible” cause of action. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555-56 (2007). A claim has “facial plausibility” when the party seeking relief “pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 672 (2009). Although the Court must accept as true a complaint's well-pleaded facts, conclusory allegations of law and unwarranted inferences will not defeat an otherwise proper Rule 12(b)(6) motion. Vasquez v. L.A. County, 487 F.3d 1246, 1249 (9th Cir. 2007).

III. Discussion

Plaintiffs have asserted twenty-two claims for relief in the Complaint under various theories of common law and state statutory provisions. Dkt. 32. MCG Health contends Plaintiffs have failed to state claims upon which relief can be granted as to all twenty-two claims, alleging, first, Plaintiffs have failed to state common law claims and, second, have failed to sufficiently allege state statutory claims. Dkt. 35.

The Court notes MCG Health has raised multiple arguments to support dismissal of several of the claims. See Dkt. 35. The Court addresses each argument in turn. If the Court determines a claim has survived an argument posited by MCG Health, the Court will move to the next argument asserted by MCG Health regarding that specific claim. If the Court determines a claim should be dismissed, the Court will not discuss additional arguments raised by MCG Health related to the dismissed claim.

A. Choice of Law

Both Plaintiffs and MCG Health agree that a “choice of law” analysis is unnecessary at this time. Dkts. 35, 54. Therefore, the Court will apply Washington State law to Plaintiffs' common law claims and the law of the state wherein each state statutory claim arises.

B. Kentucky and Mississippi Consumer Protection Act Claims (Counts 16 & 19)

In the Response, Plaintiffs state they do not oppose dismissal of their claims under the Kentucky Consumer Protection Act (Count 16) and the Mississippi Consumer Protection Act (Count 19). As Plaintiffs do not oppose dismissal of these claims, the Court recommends Counts 16 and 19 be dismissed with prejudice.

C. Negligence (Count 1)

Plaintiffs assert MCG Health is liable under a theory of negligence and negligence per se. Dkt. 32, ¶¶ 276-305. Under Washington law, to state a claim for negligence, Plaintiffs must adequately allege “(1) the existence of a duty to the plaintiff, (2) a breach of that duty, (3) a resulting injury, and (4) the breach as the proximate cause of the injury.” Degel v. Majestic Mobile Manor, 129 Wash.2d 43, 914 P.2d 728, 731 (1996). The existence of a duty “is a question of law and depends on mixed considerations of logic, common sense, justice, policy, and precedent.” Snyder v. Med. Serv. Corp., 145 Wash.2d 233, 35 P.3d 1158, 1164 (2001). “Duty in a negligence action is a threshold question” and “may be predicated ‘on violation of statute or of common law principles of negligence.'” Jackson v. City of Seattle, 158 Wash.App. 647, 244 P.3d 425, 428 (2010) (quoting Burg v. Shannon & Wilson, Inc., 110 Wash.App. 798, 43 P.3d 526, 530 (2002)); Alhadeff v. Meridian on Bainbridge Island, LLC, 167 Wash.2d 601, 220 P.3d 1214, 1222 (2009) (same).

MCG Health argues that, by suing for damages allegedly incurred as a result of the data breach, Plaintiffs improperly seek to impose tort liability on MCG Health for the criminal acts of a third-party. Dkt. 35 at 17. MCG Health is correct that, under Washington law, “an actor ordinarily owes no duty to protect an injured party from harm caused by the criminal acts of third parties.” Parrilla v. King Cty., 138 Wash.App. 427, 157 P.3d 879, 884 (2007). Indeed, the Washington Supreme Court has “not yet found a duty to protect a third party from the criminal acts of another absent a special relationship.” Robb v. City of Seattle, 176 Wash.2d 427, 295 P.3d 212, 216 (2013).

While Plaintiffs reference a “special relationship” in the Complaint, in the Response, Plaintiffs do not assert a special relationship exists. Dkt. 54. Rather, they argue that a special relationship is not necessary if a duty arises under a statute. Id. at 20. First, Plaintiffs assert MCG Health had a duty under industry standards, which it failed to meet. Dkt. 32, ¶ 279. Plaintiffs do not clearly allege how MCG Health's conduct fell below industry standards beyond providing conclusory allegations that MCG Health's systems must have fallen below industry standards because a data breach occurred. Allegations that a system is inadequate because a negative result occurred are conclusory. As such, Plaintiffs' claim that MCG Health's system fell below an ill-defined standard is conclusory. Therefore, the Court finds Plaintiffs failed to properly allege that MCG Health's data security was inadequate resulting in a breach of a duty.

Second, Plaintiffs contend that MCG Health owed Plaintiffs a duty under the Health Insurance Portability and Accountability Act (“HIPAA”). “To the extent that HIPAA universally has been held not to authorize a private right of action, to permit HIPAA regulations to define per se the duty and liability for breach is no less than a private action to enforce HIPAA, which is precluded.” Poore-Rando v. United States, 2017 WL 3917165, at *5 (W.D. Wash. Sept. 7, 2017) (citation omitted). Therefore, the Court finds Plaintiffs have not alleged a duty under HIPAA.

Third, Plaintiffs assert MCG Health owed a duty under Section 5 of the Federal Trade Commission (“FTC”) Act, 15 U.S.C. § 45. Dkt. 32, ¶ 282. Plaintiffs, however, may not base MCG Health's alleged standard of conduct on the FTC Act because it fails the first and second prongs of the Restatement (Second) of Torts' test. These two prongs require that the purpose of the statute must be to protect (1) a class of persons that includes the person whose interest is invaded and (2) the particular interest which the plaintiff alleges has been invaded. See Restatement (Second) of Torts § 286(a), (b). The Supreme Court states that “[t]he paramount aim of [the FTC Act] is the protection of the public from the evils likely to result from the destruction of competition or the restriction of it in a substantial degree.” FTC v. Raladam Co., 283 U.S. 643, 647-48, 51 S.Ct. 587, 75 L.Ed. 1324 (1931). “Section 5 in particular seeks to protect ‘consumer[s]' and ‘competitor[s]' from ‘unfair trade practice[s].'” SELCO Cmty. Credit Union v. Noodles & Co., 267 F.Supp.3d 1288, 1296 (D. Colo. 2017) (quoting FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 244, 92 S.Ct. 898, 31 L.Ed.2d 170 (1972)).

Plaintiffs allege no harm from “the destruction of competition,” and Plaintiffs do not sufficiently allege they are customers or competitors of MCG Health. See Dkt. 32. Plaintiffs' health care providers may be customers of MCG Health, but the Complaint does not contain allegations showing Plaintiffs were customers of MCG Health. See id. The Court concludes that Section 5 of the FTC Act is not designed to protect either the class of persons that includes Plaintiffs or the interest that Plaintiffs allege MCG Health invaded. Thus, Section 5 of the FTC Act fails under Section 286 of the Restatement, and Plaintiffs cannot allege that MCG Health owes them a duty predicated on this statute.

For the above stated reasons, the Court finds Plaintiffs failed to allege MCG Health had a duty to Plaintiffs under the allegations in the Complaint. As a result, Plaintiffs have not sufficiently alleged negligence. Accordingly, the Court recommends Plaintiffs' negligence claim, Count 1, be dismissed without prejudice.

As Plaintiffs have not alleged a duty, the Court finds Plaintiffs have not stated a negligence claim and declines to consider the remaining elements of a negligence claim.

To the extent Plaintiffs raise a negligence per se claim, this claim fails. See Dkt. 32, ¶ 288. “Washington does not recognize negligence per se as a separate cause of action.” Veridian Credit Union v. Eddie Bauer, LLC, 295 F.Supp.3d 1140, 1155 (W.D. Wash. 2017). Although the violation of a statute or the breach of a statutory duty “may be considered by the trier of fact as evidence of negligence,” RCW 5.40.050, Plaintiffs may not assert a separate cause of action for negligence per se in Washington. Accordingly, the Court recommends the negligence per se claim, alleged within Count 1, be dismissed with prejudice.

D. Third-Party Beneficiary Contract (Count 2)

In Count 2, Plaintiffs contend MCG Health entered into written contracts with clients to perform services that include providing care strategies, consulting, analytics, and other services. Dkt. 32, ¶ 307. Plaintiffs allege MCG Health agreed to implement adequate security to safeguard Plaintiffs' private information and to timely notify them of a breach. Id. at ¶ 308. Plaintiffs state the “contracts were made expressly for the benefit of Plaintiffs[.]” Id. at 309.

A third-party beneficiary contract exists when the contracting parties, at the time they enter into the contract, intend that the promisor will assume a direct obligation to the claimed beneficiary. Postlewait Constr., Inc. v. Great Am. Ins. Cos., 106 Wash.2d 96, 99, 720 P.2d 805 (1986). The test of intent is an objective one: Whether performance under the contract necessarily and directly benefits the third party. Id. An incidental, indirect, or inconsequential benefit to a third party is insufficient to demonstrate an intent to create a contract directly obligating the promisor to perform a duty to a third party. Del Guzzi Constr. Co. v. Global Northwest Ltd., 105 Wash.2d 878, 886, 719 P.2d 120 (1986).

Here, Plaintiffs make conclusory allegations that the contracts between MCG Health and its customers include agreements to implement adequate security to safeguard Plaintiffs' private information and to timely notify them of a breach. See Dkt. 32. Plaintiffs do not include the contract language. While the Court finds Plaintiffs' allegations are tenuous, if the contract did include language agreeing to implement security measures to safeguard Plaintiffs' information and timely notify of a breach, the Court finds that could be sufficient to show MCG Health did assume some direct obligation to third-party Plaintiffs. Therefore, at this early stage in these proceedings, Plaintiffs have sufficiently alleged they are a third-party beneficiary.

However, Plaintiffs have not sufficiently alleged that MCG Health breached a contract. Plaintiffs contend MCG Health agreed to implement adequate security. Their position is that, because there was a data breach, MCG Health did not implement adequate security. “[T]he existence of an adequate data security infrastructure and two data breaches in the same year are not mutually exclusive.” Griffey v. Magellan Health Inc., 562 F.Supp.3d 34, 50 (D. Ariz. 2021). As Plaintiffs have only provided conclusory allegations that MCG Health's security measures were inadequate because there was a breach, the Court finds Plaintiffs have not sufficiently alleged a breach of third-party beneficiary contract regarding MCG Health's security measures.

Plaintiffs also allege MCG Health breached a contract by failing to timely notify Plaintiffs of the breach. Regardless of whether MCG Health failed to timely notify Plaintiffs of the data breach, Plaintiffs have failed to allege how any delay caused Plaintiffs to incur expenses or damaged Plaintiffs. For example, there are no allegations that any expenses incurred for monitoring services were caused by the delay. Further, Plaintiffs' allegations regarding identity theft appear to have occurred before MCG Health detected the data breach and, thus, any notification delay would not have caused those damages. In sum, the Complaint contains allegations that the intrusion caused by the data breach, not the notification delay, resulted in alleged damages. Therefore, Plaintiffs have not sufficiently alleged damages for a breach of a third-party beneficiary contract regarding MCG Health's alleged untimely notification of the breach. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 1010 (S.D. Cal. 2014), order corrected, 2014 WL 12603117 (S.D. Cal. Feb. 10, 2014) (finding plaintiffs failed to allege how a delay, and not the intrusion, caused the damages).

For the above stated reasons, Plaintiffs have not stated a breach of a third-party beneficiary contract. Therefore, the Court recommends Plaintiffs' breach of a third-party beneficiary contract claim, Count 2, be dismissed without prejudice.

E. Breach of Confidence (Count 3)

In Count 3, Plaintiffs contend they entrusted their private information to MCG Health with the implicit understanding that MCG Health would take precautions to protect the information and the information would not be disclosed or disseminated to the public or any unauthorized third parties. Dkt. 32, ¶¶ 313-24. Plaintiffs assert MCG Health's disclosure of Plaintiffs' private information was in violation of MCG Health's assumption of a duty of confidence. Id. at ¶ 321.

“Washington has not recognized breach of confidence as a common law cause of action.” Snapp v. Burlington N. Santa Fe Ry., 2012 WL 3157137, at *5 (W.D. Wash. Aug. 3, 2012), reversed on other grounds by Snapp v. United Transp. Union, 547 Fed.Appx. 824 (9th Cir. 2013). Therefore, the Court recommends Plaintiffs' breach of confidence claim, Count 3, be dismissed with prejudice.

Washington has noted independent breach of confidentiality claims in cases involving trade secrets. See Boeing Co. v. Sierracin Corp., 108 Wash.2d 38 (1987). However, the Court finds trade secret cases are distinguishable from the data breach case at hand.

F. Unjust Enrichment (Count 4)

In Count 4, Plaintiffs contend MCG Health was unjustly enriched because MCG Health pays for data security from funds that include payments received on behalf of or for the benefit of Plaintiffs. Dkt. 32, ¶¶ 325-340. Plaintiffs assert MCG Health enriched itself by saving costs it reasonably should have expended on security measures that would have prevented the hacking incident. Id. at ¶ 332. Plaintiffs state MCG Health should be compelled to disgorge into a common fund or trust the proceeds that they unjustly received from Plaintiffs or, in the alternative, refund the amounts Plaintiffs overpaid for MCG Health's services. Id. at ¶ 340.

In Young v. Young, the Washington Supreme Court determined that “[u]njust enrichment is a method of recovery for the value of [a] benefit retained, absent any contractual relationship, because notions of fairness and justice require it.” 164 Wash.2d 477, 191 P.3d 1258, 1262 (2008). To state a claim for unjust enrichment, Plaintiffs must plead sufficient facts showing: (1) MCG Health received a benefit, (2) at Plaintiffs' expense, and (3) the circumstances make it unjust for MCG Health to retain the benefit without payment. See id. Additionally, the fact that a party profits at the expense of another is insufficient to trigger liability under unjust enrichment; rather, the enrichment must be unjust as between the two parties to a transaction. Cox v. O'Brien, 150 Wn.App. 24, 37 (2009).

Plaintiffs' allegations are insufficient to show a claim for unjust enrichment. Plaintiffs do not allege that they entered into a transaction with MCG Health. Rather, Plaintiffs allege Plaintiffs' medical provider entities contracted with MCG Health to provide services to the medical providers. Plaintiffs also do not allege facts showing they conferred a benefit to MCG Health. Again, the medical providers sought a service and provided payment for that service. Because Plaintiffs failed to allege a transaction between Plaintiffs and MCG Health, Plaintiffs have failed to plead an unjust enrichment claim. See M.L. v. Craigslist, Inc. 202 WL 6434845, *16 (W.D. Wash. April 17, 2020) (finding claim of unjust enrichment failed as a matter of law where the plaintiff did not enter into a transaction with the defendant; rather, the defendant entered into a transaction with traffickers).

Additionally, Plaintiffs assert that, because a data breach occurred, MCG Health did not use all the funds paid to it by the medical providers to protect Plaintiffs' private information. See Dkt. 32. However, there are no allegations showing MCG Health did not use the funds for data security. Plaintiffs provide conclusory allegations that MCG Health saved costs it should have reasonably expended on data security. These conclusory allegations are insufficient to show unjust enrichment. See Feins v. Goldwater Bank NA, 2022 WL 17552440, at *7 (D. Ariz. Dec. 9, 2022) (finding no unjust enrichment in data breach case where the plaintiff alleged only that he paid money for the defendant's services and expected part of his payment to be for data protection and that a data breach occurred); Griffey, 562 F.Supp.3d at 50 (“[T]he existence of an adequate data security infrastructure and two data breaches in the same year are not mutually exclusive.”).

For these reasons, the Court finds Plaintiffs have failed to state an unjust enrichment claim. Therefore, the Court recommends Plaintiffs' unjust enrichment claim, Count 4, be dismissed with prejudice.

G. Invasion of Privacy (Count 5)

Plaintiffs assert MCG Health's data breach resulted in an invasion of privacy. Dkt. 32, ¶¶ 341-38. Plaintiffs contend they reasonably expected the private information entrusted to MCG Health would be kept private and would not be disclosed to any unauthorized third-party. Id. at ¶ 342.

The Washington State Supreme Court “has explicitly held that the common law right of privacy exists in Washington and adopted the Restatement's definition of this right.” Finder v. Finder, 108 Wash.App. 1013 (2001) (citing Reid v. Pierce County, 136 Wn.2d 195, 205-06, 961 P.2d 333 (1998)). To establish a claim for invasion of privacy based upon public disclosure of private facts, a plaintiff must establish (1) the defendant gave publicity in a matter concerning the private life of the plaintiff; and (2) the matter publicized is a kind that (a) would be highly offensive to a reasonable person, and (b) is not a legitimate concern to the public. White v. Township of Winthrop, 128 Wn.App. 588, 594, 116 P.3d 1034 (2005) (quoting Reid v. Pierce County, 136 Wn.2d 195, 205, 961 P.2d 333 (1998)). For the purposes of an invasion of privacy claim, publicity means “communication to the public at large so that the matter is substantially certain to become public knowledge.” ... “[C]ommunication to a single person or a small group does not qualify.” Fisher v. State ex rel. Dep't of Health, 125 Wash.App. 869, 106 P.3d 836, 840 (2005).

The Complaint alleges MCG Health failed to secure Plaintiffs' private information from disclosure to unauthorized third parties and enabled the disclosure of personal information in a manner that was highly offensive without Plaintiffs' consent. Dkt. 32, ¶ 343. Plaintiffs have not sufficiently alleged that MCG Health gave publicity to a matter concerning Plaintiffs' private lives. Plaintiffs allege that cybercriminals obtained the information. There are no allegations that MCG Health publicized Plaintiffs' private information to more than a small group of people. Thus, Plaintiffs have not sufficiently alleged an invasion of privacy claim. The Court, therefore, recommends the invasion of privacy claim, Count 5, be dismissed with prejudice. See, e.g., Burton v. MAPCO Exp., Inc., 47 F.Supp.3d 1279, 1288 (N.D. Ala. 2014) (finding theft of data from a merchant did not constitute communication of the information stolen to the public and, therefore, did not meet the requirement of public disclosure); McNeil v. Best Buy Co., Inc., 2014 WL 1316935 (E.D. Mo. 2014) (“Plaintiff fails to identify any personal facts that were publicized, nor does he allege when such facts were publicized or to whom.... The alleged threat of some future publication is too speculative to state a claim ... and so Plaintiff's claim for public disclosure of private facts must be dismissed.”).

To the extent Plaintiffs are raising an invasion of privacy by intrusion claim, this fails. Invasion of privacy by intrusion requires intent and there are no allegations that MCG Health intended for the private information to be received by unauthorized third parties. See Fisher v. State ex rel. Dep't of Health, 125 Wash.App. 869, 879, 106 P.3d 836, 840 (2005); Purvis v. Aveanna Healthcare LLC, 563 F.Supp.3d 1360, 1377 (N.D.Ga. 2021) (holding that a plaintiff failed to state an invasion of privacy claim by alleging a third party carried out a data breach and the defendant “failed to take sufficient precautions to prevent this intrusion”).

H. State Statutory Claims

MCG Health also argues Plaintiffs' state statutory claims should be dismissed because: (1) the claims are insufficiently pled under Rule 9(b); (2) Plaintiffs lack standing to sue; (3) Plaintiffs have not alleged damages; (4) the state statute does not apply to MCG Health; (5) the claims are inadequately pled; or (6) MCG Health did not disclose information. Dkt. 35.

a. Rule 9(b) (Counts 11, 12, 14)

MCG Health first asserts Plaintiffs have failed to plead with particularity their claims under the consumer protection and unfair practices statutes of Illinois, Indiana, and Kansas. Dkt. 35. Under Rule 9(b), “a party must state with particularity the circumstances constituting fraud or mistake.” Fed.R.Civ.P. 9(b). Thus, to avoid dismissal under Rule 9(b), a claim sounding in fraud must state the time, place, and specific content of the false representations as well as the identities of the parties to the misrepresentation. Sanford v. MemberWorks, Inc., 625 F.3d 550, 558 (9th Cir. 2010) (citing Edwards v. Marin Park, Inc., 356 F.3d 1058, 1066 (9th Cir. 2004)). In other words, Plaintiffs must allege “the who, what, when, where, and how” of the alleged fraud. Cooper v. Pickett, 137 F.3d 616, 627 (9th Cir. 1997); see also Macris v. Bank of Am., N.A., 2012 WL 273120, at *11 (E.D. Cal. Jan. 30, 2012) (stating that the plaintiffs must allege “the names of the persons who made the allegedly fraudulent misrepresentations, their authority to speak, to whom they spoke, what they said or wrote, and when it was said or written”) (internal quotation omitted).

Illinois Consumer Fraud Act. In Count 11, Plaintiffs allege MCG Health violated the Illinois Consumer Fraud Act (“ICFA”) because MCG Health engaged in deceptive and unfair trade acts and practices in connection with the sale and advertisement of its services. Dkt. 32, ¶ 414; see also Dkt. 32, ¶¶ 410-22. If a plaintiff's ICFA claim “rests on allegations of deceptive conduct, then Rule 9(b) applies and the plaintiff must plead with particularity the circumstances constituting fraud.” Vanzant v. Hill's Pet Nutrition, Inc., 934 F.3d 730, 738 (7th Cir. 2019). However, courts within the Seventh Circuit (where Illinois is located), “have indicated that similar allegations relating to data breaches under the ICFA should be subject to the liberal pleading rule of Federal Rule of Civil Procedure 8(a), rather than Rule 9(b).” Sweet v. BJC Health Sys., 2021 WL 2661569, at *6 (S.D. Ill. June 29, 2021) (citing Perdue v. Hy-Vee, Inc., 455 F.Supp.3d 749, 769 (C.D. Ill. 2020)); see also Windy City Metal Fabricators & Supply, Inc. v. CIT Tech. Fin. Servs, Inc., 536 F.3d 663, 670 (7th Cir. 2008). Regardless of whether Rule 8 or Rule 9 applies to this ICFA claim, the Court finds Plaintiffs have not stated a claim. The Illinois Supreme Court has concluded “that the General Assembly did not intend the Consumer Fraud Act to apply to fraudulent transactions which take place outside Illinois.” Avery v. State Farm Mut. Auto. Ins. Co., 216 Ill.2d 100, 185 (2005); Tarzian v. Kraft Heinz Foods Co., 2019 WL 5064732, at *3 (N.D. Ill. Oct. 9, 2019) (internal quotations omitted) (“The ICFA . . . does not apply to fraudulent transactions which take place outside Illinois.”).

Plaintiffs allege Count 11 is brought by Plaintiff Price. See Dkt. 32, ¶ 410. Plaintiff Price is a resident and citizen of the state of Illinois. Id. at ¶ 23. The Complaint alleges Plaintiff Price was a patient of IU Health, an Indiana University Health Affiliated Covered Entity. Id. at ¶ 166. There are no allegations Plaintiff Price was a patient of an entity located in Illinois. There are no allegations MCG Health contracted with an entity located in Illinois or that any data breach occurred in Illinois. The only connection to Illinois appears to be Plaintiff Price's residence. As the ICFA does not apply to fraudulent transactions which take place outside Illinois, Plaintiffs have failed to state a claim under ICFA. The Court, therefore, recommends the ICFA claim, Count 11, be dismissed with prejudice.

Indiana Deceptive Consumer Sales Act. In Count 12, Plaintiffs allege MCG Health violated the Indiana Deceptive Consumer Sales Act (“IDCSA”) because MCG Health engaged in unfair and deceptive practices and acts by knowingly using computer systems and data security practices that were inadequate to safeguard Plaintiffs' information. Dkt. 32, ¶ 428. Plaintiffs contend MCG Health's unfair and deceptive practices were done as part of a “scheme, artifice, or device with intent to defraud or mislead and constitute incurable deceptive acts under the IDCSA.” Id. at ¶ 429.

To state a claim under the IDCSA, a plaintiff must allege that the defendant engaged in one or more deceptive acts, as defined in the Act. See Ind. Code § 24-5-0.5-4(a). There are two possible types of actionable deceptive acts under the Act: “uncured” deceptive acts and “incurable” deceptive acts. McKinney v. State, 693 N.E.2d 65, 68 (Ind. 1998). Under the IDCSA, “where a movant ... [does] not distinguish between its allegations of ‘deceptive acts' and ‘incurable deceptive acts' ... the entire complaint must be judged by Rule [9(b)] standards.” Young v. Harbor Motor Works, Inc., 2009 WL 187793, at *6 (N.D. Ind. Jan. 27, 2009) (quoting SMC Corp. v. Peoplesoft USA Inc., 2004 WL 2538641, at *4 (S.D. Ind. Oct. 12, 2004)). In the Complaint, Plaintiffs do not specifically identify whether they are alleging “uncured” or “incurable” deceptive acts under the IDCSA, nor do they allege any facts supporting a claim of an “uncured” deceptive act. In fact, Plaintiffs allege MCG Health's conduct was part of a scheme, artifice, or device with intent to defraud. Dkt. 32, ¶ 429. Accordingly, because the basis for Plaintiffs' IDCSA claim is fraud, they must meet the pleading requirements of Rule 9(b).

Plaintiffs' allegations are conclusory. Plaintiffs assert that MCG Health had knowledge that Plaintiffs' information would not be adequately protected and stored Plaintiffs' information in an unsecure electronic environment. Dkt. 32, ¶¶ 427-28. Plaintiffs contend MCG Health, knowing the systems were inadequate, deceptively failed to tell Plaintiffs in order to continue to obtain their information. First, Plaintiffs do not allege how MCG Health had knowledge of inadequacies in its security systems and, as stated above, there is no assumed correlation between a data breach and inadequate security systems. Second, MCG Health did not encourage Plaintiffs to use its services; rather, MCG Health contracted with medical providers with whom Plaintiffs sought treatment. Thus, MCG Health did not continue to encourage Plaintiffs to use its services despite allegedly knowing of its data insecurities. Accordingly, Plaintiffs have failed to meet the Rule 9(b) pleading requirements and have not stated an IDCSA claim. The Court, therefore, recommends the IDCSA claim, Count 12, be dismissed without prejudice.

Kansas Consumer Protection Act. In Count 14, Plaintiffs allege MCG Health violated the Kansas Consumer Protection Act (“KCPA”) when MCG Health engaged in unfair, deceptive, or unconscionable practices and acts by soliciting and collecting Plaintiffs' information with the knowledge that the information would not be adequately protected. Dkt. 32, ¶ 446. Plaintiffs contend MCG Health acted intentionally, knowingly, and maliciously and recklessly disregarded Plaintiffs' rights. Id. at ¶ 448.

Based on the allegations of the Complaint, it is difficult to discern the actions MCG Health took or failed to take that violated the KCPA. See Dkt. 32. However, it appears Plaintiffs state MCG Health concealed information from Plaintiffs in a manner that was unfair, deceptive, intentional, knowing, and malicious. Id. at ¶¶ 447-48. Plaintiffs assert they lacked knowledge and expertise in information security and did not have access to MCG Health's data systems. Id. at ¶ 448. Plaintiffs appear to be alleging MCG Health fraudulently concealed information from Plaintiffs or engaged in unconscionable acts.

The KCPA prohibits deceptive acts or practices in connection with a consumer transaction. K.S.A. § 50-626(a). Among other things, deceptive acts or practices include a wide variety of knowing misrepresentations, id. § 50-626(a)(1), and willful failure to state a material fact, id. § 50-626(a)(3). It also prohibits suppliers from engaging in any unconscionable act or practice in connection with a consumer transaction. K.S.A. § 50-627(a). Courts have held that Rule 9(b) applies to KCPA claims if the gravamen of the claim sounds in fraud. See Thompson v. Jiffy Lube Intern., Inc., 505 F.Supp.2d 907, 932 (D. Kan. 2007). Rule 9(b) has been applied to claims based on fraudulent concealment where the defendants allegedly failed to disclose information to customers. Id. As Plaintiffs allege MCG Health deceptively and maliciously concealed information and engaged in unconscionable acts, the Court finds Rule 9(b) pleading requirements apply to Count 14.

In applying Rule 9(b) requirements, the Court finds Plaintiffs have not stated a claim with sufficient particularity. Plaintiffs' allegations that MCG Health knew about the security deficiencies in its data systems are conclusory. Moreover, there are insufficient allegations to show MCG Health knew of the data breach, failed to act, and willfully failed to disclose to Plaintiffs any data system deficiencies. Plaintiffs have not alleged who at MCG Health made fraudulent misrepresentations, their authority to speak, what they said or wrote, and when it was said or written. Rather, Plaintiffs have simply alleged the elements of the cause of action without sufficient factual support. Accordingly, Plaintiffs have failed to meet Rule 8 or Rule 9(b) pleading requirements and have not stated a KCPA claim. The Court, therefore, recommends the KCPA claim, Count 14, be dismissed without prejudice.

b. Lack of Standing (Counts 13 & 21)

In the Motion to Dismiss, MCG Health argues Plaintiffs lack standing to bring claims under the Kansas Data Breach Requirements Act (“Kansas DBRA”) (Count 13) and the Ohio Deceptive Trade Practices Act (“Ohio DTPA”) (Count 21). Dkt. 35 at 30-32.

Kansas DBRA. In Count 13, Plaintiff Linda Crawford sues MCG Health, on behalf of herself and the Kansas Subclass, alleging that Kansas law requires MCG Health to notify Plaintiff Crawford if it becomes aware of a data breach that was reasonably likely to have caused misuse of Plaintiff Crawford's information without unreasonable delay. Dkt. 32, ¶¶ 432-36. Plaintiff Crawford alleges that MCG Health's failure to disclose the data breach in a timely and accurate manner violated the Kansas DBRA. Id. at ¶ 438.

MCG Health argues the Kansas statute authorizes the Kansas Attorney General to bring an action and that it can find no authority authorizing a private right of action under the Kansas DBRA. See Dkt. 35. The Kansas DBRA contains ambiguous language as to private enforceability and provides that the statute's remedies are “non-exclusive.” See Kan. Stat. Ann. § 50-7a02 (providing that “the attorney general is empowered to bring an action in law or equity to address violations of this section” and that “[t]he provisions of this section are not exclusive”). MCG Health has not identified any authority instructing the Court to construe the statutory language as precluding private rights of action. Dkt. 35 at 30-31. Absent such authority, the Court finds Plaintiffs' claims under the Kansas DBRA, Count 13, should not be dismissed. See In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F.Supp.3d 1295, 1341 (N.D.Ga. 2019) (declining to interpret a claim under the Kansas DBRA as not allowing a private right of action); In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1169 (D. Minn. 2014) (same).

To the extent MCG Health argues Count 13 should be dismissed for failure to plausibly claim MCG Health's notice was untimely or deficient, the Court finds this argument was not argued with sufficient particularity in the Motion to Dismiss. See Dkt. 35 at 43-44. Therefore, the Court declines to consider this argument.

Ohio DTPA. In Count 21, Plaintiff Marjorita Dean brings a claim under the Ohio DTPA on behalf of herself and the Ohio Subclass. Dkt. 32, ¶¶ 509-517. Plaintiffs assert MCG Health engaged in deceptive trade practices by failing to comply with applicable laws pertaining to data security by soliciting and collecting Plaintiff Dean's and the New Mexico Subclass's personal information. Id. at ¶ 513. Plaintiffs state MCG Health acted intentionally, knowingly, and maliciously and that Plaintiff Dean and the Ohio Subclass lacked knowledge and expertise in information security and did not have access to MCG Health's data systems. Id. at ¶ 515.

The Complaint appears to contain a typographical error stating “New Mexico;” the Court, however, declines to change the wording of the Complaint.

Courts have held “consumers lack standing to bring claims under the [Ohio] DTPA[.]” Phillips v. Philip Morris Companies Inc., 290 F.R.D. 476, 485 (N.D. Ohio 2013). A minority of courts have found the statute does not expressly limit the type of individuals who can pursue a claim. See Bower v. IBM, Inc., 495 F.Supp.2d 837 (S.D. Ohio 2007). However, in Phillips, the district court stated that “[t]he vast majority of federal courts and all lower state courts to address the issue have concluded that relief under the DTPA is not available to consumers.” Id. at 482. The Court finds the majority of cases persuasive and, therefore, concludes Plaintiffs cannot bring this claim. See In re Toyota RAV4 Hybrid Fuel Tank Litig., 534 F.Supp.3d 1067, 1117 (N.D. Cal. 2021). Accordingly, Plaintiffs do not have standing to pursue a claim under the Ohio DTPA. The Court, therefore, recommends the Ohio DTPA claim, Count 21, be dismissed with prejudice.

c. Improper Defendant (Counts 7, 9)

MCG Health contends lawsuits cannot be brought against it under the Washington Uniform Health Care Information Act (“UHCIA”) (Count 7) and the California Consumer Privacy Act (“CCPA”) (Count 9) because these two state statutes do not authorize a cause of action against MCG Health. Dkt. 35, 33-35.

Washington UHCIA. In Count 7, Plaintiffs allege MCG Health violated the Washington UHCIA. Dkt. 32, ¶¶ 361-68. Under the Washington UHCIA, “a health care provider, an individual who assists a health care provider in the delivery of health care, or an agent and employee of a health care provider may not disclose health care information about a patient to any other person without the patient's written authorization.” Wash. Rev. Code Ann. § 70.02.020. “‘Health care provider' means a person who is licensed, certified, registered, or otherwise authorized by the law of this state to provide health care in the ordinary course of business or practice of a profession.” Wash. Rev. Code § 70.02.010(19). “By its plain language, then [the statute] creates a right of action solely against a health care provider or facility who has not complied.” Fisher v. State ex rel. Dep't of Health, 125 Wash.App. 869, 876 (2005). There are no allegations MCG Health is a health care provider or a health care facility. Therefore, Plaintiffs have failed to state a claim under the Washington UHCIA. Accordingly, the Court recommends Plaintiffs' UHCIA claim, Count 7, be dismissed with prejudice.

Plaintiffs assert RCW 70.02.005(4) expands to information held by persons other than health care providers. Dkt. 54, 41. RCW 70.02.005(4) states that a patient's interest in the proper use and disclosure of the patient's health care information survives even when the information is held by persons other than health care providers. However, there is no indication the cause of action can be pursued against a person other than a health care provider. See State v. Scherf, 192 Wash.2d 350, 362, 429 P.3d 776, 785 (2018) (finding RCW 70.02.005(4) does not carve out a duty to non-health-care providers). Therefore, Plaintiffs' argument is unpersuasive.

CCPA. In Count 9, Plaintiffs allege MCG Health violated the CCPA. Dkt. 32, ¶¶ 387-99. Under the business associate exemption, the CCPA does not apply to “[a] business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, ... to the extent that the business associate maintains, uses, and discloses patient information in the same manner as medical information or protected health information as described [above].” Cal. Civ. Code § 1798.146(a)(3). The parties do not dispute MCG Health is a business associate of a covered entity. See Dkts. 35, 54, 56. Therefore, the Court finds the CCPA does not apply to MCG Health in this case. See Mullinix v. U.S. Fertility, LLC, 2021 WL 4935975, at *5 (C.D. Cal. Apr. 21, 2021). Accordingly, the Court recommends the CCPA claim, Count 9, be dismissed with prejudice.

d. Lack of Damages (Counts 6, 7, 10-12, 16-19, 21)

MCG Health argues several of Plaintiffs' claims must be dismissed because Plaintiffs have failed to allege actual damages. Dkt. 35 at 33. Specifically, MCG Health states Plaintiffs allege no out of pocket losses and, therefore, Plaintiffs cannot recover money damages or restitution under the Washington Consumer Protection Act (Count 6), the Washington Uniform Health Care Information Act (Count 7), California's Unfair Competition Law (Count 10), the Illinois Consumer Fraud Act (Count 11), the Indiana Deceptive Consumer Sales Act (Count 12), the Kentucky Consumer Protection Act (Count 16), the Louisiana Database Security Breach Notification Law (Count 17), the Louisiana Unfair Trade Practices and Consumer Protection Law (Count 18), Mississippi Consumer Protection Act (Count 19), and the Ohio Deceptive Trade Practices Act (Count 21). Id.

The Court has already determined Counts 7, 11, 12, 16, 19, and 21 should be dismissed. Thus, the Court will not further discuss these counts. The Court also notes that MCG Health has addressed these ten claims collectively asserting no out-of-pocket expenses were alleged and thus no claims under ten different state statutes can be maintained. Dkt. 35 at 33. MCG Health's arguments are conclusory and do not provide specific citations related to the damages asserted as to each claim. Id. In response, Plaintiffs appear to argue that, in general, damages need not be out-of-pocket expenses. See Dkt. 54 at 39-40. Plaintiffs fail to indicate which allegations in the Complaint show the required damages for these ten state statutes. While the Court finds the parties' briefing lacking, MCG Health has provided enough details to put Plaintiffs and this Court on notice of the damages argument. Therefore, the Court will discuss the remaining counts, Counts 6, 10, 17, and 18.

Washington Consumer Protection Act. In Count 6, Plaintiffs allege MCG Health's conduct violated the Washington Consumer Protection Act (“CPA”). Dkt. 32, ¶¶ 349-60. To prevail under the CPA, a plaintiff must establish each of the following elements: “(1) unfair or deceptive act or practice; (2) occurring in trade or commerce; (3) public interest impact; (4) injury to plaintiff in his or her business or property; (5) causation.” Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wash.2d 778, 719 P.2d 531, 533-35 (1986); Wash. Rev. Code § 19.86.060. “Monetary damages need not be proved; unquantifiable damages may suffice.” Panag v. Farmers Ins. Co. of Washington, 166 Wash.2d 27, 58, 204 P.3d 885, 900 (2009). Here, MCG Health only argues that Plaintiffs did not sufficiently allege out-of-pocket losses, barring their claims for money damages. Dkt. 35, 33. As damages may be unquantifiable under the Washington CPA, the Court finds MCG Health has not sufficiently shown this claim should be dismissed for failing to adequately allege damages. At this time, the Court finds the Washington CPA claim, Count 6, should proceed.

California's Unfair Competition Law. In Count 10, Plaintiff Batt alleges, on behalf of herself and the California Subclass, that MCG Health violated California's Unfair Competition Law (“UCL”). Dkt. 32, ¶¶ 400-09. To assert a UCL claim, a private plaintiff needs to have “suffered injury in fact and ... lost money or property as a result of the unfair competition.” See Rubio v. Capital One Bank, 613 F.3d 1195, 1203 (9th Cir. 2010). That is, a plaintiff “must demonstrate some form of economic injury.” Kwikset Corp. v. Superior Court, 51 Cal.4th 310, 320, 323 (2011). There are “innumerable ways in which economic injury from unfair competition may be shown.” Id. For example, a plaintiff may “(1) surrender in a transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; or (4) be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary.” Id. This is “qualitatively more restrictive than federal injury in fact, embracing as it does fewer kinds of injuries.” Id. at 324. “Numerous courts have held that a plaintiff's ‘personal information' does not constitute money or property under the UCL.” In re iPhone Application Litig., 2011 WL 4403963, at *14 (N.D. Cal. Sept. 20, 2011).

Plaintiff Batt alleges she expended time to address the data breach and to attempt to ameliorate and mitigate the future consequences of the breach. Dkt. 32, ¶ 185. She also alleges she suffers from stress, anxiety, and frustration because of the data breach, loss of privacy, damage to and diminution in the value of her personal information, and the continued risk of fraud, identity theft, and misuse resulting from her personal information. Id. at ¶¶ 184, 186-87. Plaintiff Batt has not alleged an injury-in-fact. The time and expense for monitoring her credit is not sufficient, nor are her allegations regarding the loss of the value of her personal information. While Plaintiffs contend Plaintiff Batt overpaid for services, they have not alleged she would have not sought services from the medical providers had she known about MCG Health's data security systems. Moreover, MCG Health offered to pay for credit monitoring services.

For these reasons, the Court finds Plaintiffs have not sufficiently pled damages under the California UCL. See Gardner v. Health Net, Inc., 2010 WL 11597979, at *12 (C.D. Cal. Aug. 12, 2010) (holding plaintiff failed to establish UCL standing where plaintiff alleged time and expense monitoring credit and loss of value of personal information but the defendant had offered credit monitoring services); Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 250481, at *3 (N.D. Cal. Feb. 3, 2009) (denying motion to amend complaint to add UCL claims, because plaintiff could not establish UCL standing based on costs associated with monitoring credit and loss of value of personal information where defendant offered credit monitoring services), aff'd, 380 Fed.Appx. 689 (9th Cir. 2010). Accordingly, the Court recommends Plaintiffs' California UCL claim, Count 10, be dismissed with prejudice.

Louisiana Database Security Breach Notification Law. In Count 17, Plaintiffs Gaye Ictech and Cynthia Strecker assert a claim under the Louisiana Database Security Breach Notification Law (“LDSBNL”) on behalf of themselves and the Louisiana Subclass. Dkt. 32, ¶¶ 469-77. A claim under the LDSBNL requires a plaintiff to plead “actual damages.” Pinero v. Jackson Hewitt Tax Serv. Inc., 594 F.Supp.2d 710, 716 (E.D. La. 2009) (quoting La. Rev. Stat. 51:3075). A Louisiana federal court interpreting Louisiana law construed the term “actual damages” narrowly, meaning that the plaintiff must allege that someone “actually used the disclosed information to his detriment.” Ponder v. Pfizer, Inc., 522 F.Supp.2d 793, 798 (M.D. La. 2007). Thus, for a claim under LDSBNL, it is not enough to merely complain about the “current burden” of monitoring credit, scrutinizing account statements, and closing and opening accounts. Id.

Plaintiff Ictech alleges she received an increase in targeted and suspicious spam calls and experienced multiple fraudulent charges on the debit card that was provided to and used to pay for health services prior to the data breach. Dkt. 32, ¶¶ 204-05. Plaintiff Ictech also alleges increased stress and anxiety, damage to and diminution in the value of her confidential information, and the continued risk of fraud, identity theft and misuse of her personal information. Id. at ¶¶ 207-09. Plaintiff Strecker alleges only that she spent time monitoring her credit reports, experienced increased stress and anxiety, had damage to and diminution in the value of her confidential information, and was exposed to continued risk of fraud, identity theft and misuse of her personal information. Id. at ¶¶ 212, 214-16.

The Court finds, at this time, Plaintiff Ictech's claims that she suffered multiple fraudulent charges on her debit card are sufficient to state actual damages under the LDSBNL. While Plaintiff Ictech's connection between the fraudulent charges and the data breach is tenuous, at this stage in the proceedings, the Court finds the allegations are sufficient to survive the Motion to Dismiss. The Court, however, finds Plaintiff Strecker has not sufficiently alleged any actual damage. She has not alleged that a third party actually used her information to her detriment. See In re Arthur J. Gallagher Data Breach Litig., 2022 WL 4535092, at *7 (N.D. Ill. Sept. 28, 2022) (dismissing claim under LDSBNL where the plaintiff did not allege a third party actually used his information to his detriment). For these reasons, the Court recommends the LDSBNL claim, Count 17, proceed as to Plaintiff Ictech, on behalf of herself and the Louisiana Subclass, and be dismissed with prejudice as to Plaintiff Strecker.

Louisiana Unfair Trade Practices and Consumer Protection Law. In Count 18, Plaintiffs Ictech and Strecker allege, on behalf of themselves and the Louisiana Subclass, that MCG Health violated the Louisiana Unfair Trade Practices and Consumer Protection Law (“LUTPA”). Dkt. 32, ¶¶ 478-88. Under the LUTPA, “[a]ny person who suffers any ascertainable loss of money or movable property, corporeal or incorporeal, as a result of the use or employment by another person of an unfair or deceptive method, act, or practice declared unlawful by R.S. 51:1405, may bring an action individually but not in a representative capacity to recover actual damages.” La. Stat. Ann. § 51:1409. The parties have not cited to any case law interpreting “actual damages” under the LUTPA. See Dkts. 35, 54, 56. As discussed above, Plaintiff Ictech's claims that she suffered multiple fraudulent charges on her debit card are sufficient to state actual damages. Therefore, the Court recommends the LUTPA claim, Count 18, proceed at this time as to Plaintiff Ictech, on behalf of herself and the Louisiana Subclass, and be dismissed with prejudice as to Plaintiff Strecker.

e. Failure to State a Claim (Counts 6, 10-12, 14, 16, 18-21)

In the Motion to Dismiss, MCG Health asserts Plaintiffs have inadequately pled several state statutory claims. Dkt. 35. Specifically, MCG Health argues Plaintiffs' allegations rely on circular inferences and, thus, Plaintiffs have not sufficiently pled claims for relief under the Washington Consumer Protection Act (Count 6), California's Unfair Competition Law (Count 10), the Illinois Consumer Fraud Act (Count 11), the Indiana Deceptive Consumer Sales Act (Count 12), the Kansas Consumer Protection Act (Count 14), the Kentucky Consumer Protection Act (Count 16), the Louisiana Unfair Trade Practices and Consumer Protection Law (Count 18), the Mississippi Consumer Protection Act (Count 19), the New Mexico Unfair Practices Act (Count 20), and the Ohio Deceptive Trade Practices Act (Count 21). As discussed above, the Court finds Counts 10, 11, 12, 14, 16, 19, and 21 should be dismissed. Therefore, the Court will only discuss MCG Health's arguments as to Counts 6, 18, and 20.

Washington CPA. In Count 6, Plaintiffs allege MCG Health violated the Washington CPA by engaging in unlawful, unfair, and fraudulent practices. Dkt. 32, ¶¶ 349-60. As stated above, “[t]o prevail in a private CPA claim, the plaintiff must prove (1) an unfair or deceptive act or practice, (2) occurring in trade or commerce, (3) affecting the public interest, (4) injury to a person's business or property, and (5) causation.” Panag, 166 Wn.2d 27, 37 (2009) (citing Hangman Ridge, 105 Wn.2d at 784). “The CPA is to be ‘liberally construed that its beneficial purposes may be served.'” Panag, 166 Wn.2d at 37 (quoting RCW 19.86.920). If deception is alleged, the plaintiff “need not show that the act in question was intended to deceive, but that the alleged act had the capacity to deceive a substantial portion of the public.'” Hangman Ridge, 105 Wn.2d at 785. “Deception exists ‘if there is a representation, omission or practice that is likely to mislead' a reasonable consumer.” Panag, 166 Wn.2d at 50.

MCG Health argues “Plaintiffs' generic allegations that MCG [Health] failed to design and adopt data security processes to safeguard Plaintiffs' information fail to satisfy these elements.” Dkt. 35 at 35-36. Based on the Washington courts' definition and the liberal construction the court applies to the Washington CPA, Plaintiffs' allegations sufficiently constitute an “unfair act” under the statute. Plaintiffs allege that MCG Health failed to take proper measures to protect their private information with respect to its data security systems. See Dkt. 32, ¶ 49. Plaintiffs allege it was foreseeable that MCG Health's failure to take reasonable security measures to protect Plaintiffs' private information would result in harm to thousands of customers, and MCG Health's failure did, in fact, result in this harm. Id. at ¶¶ 125-42. While the Court finds Plaintiffs' allegations that MCG Health did not take reasonable security measures are tenuous, based on similar cases in this district, the Court finds Plaintiffs have sufficiently stated a Washington CPA claim. See Veridian Credit Union v. Eddie Bauer, LLC, 295 F.Supp.3d 1140, 1162 (W.D. Wash. 2017) (finding similar data breach allegations sufficient to state a claim under the Washington CPA); Buckley v. Santander Consumer USA, Inc., 2018 WL 1532671, at *4 (W.D. Wash. March 29, 2018) (allowing Washington CPA claim to proceed where the plaintiff alleged the defendant failed to take reasonably adequate security measures because it foreseeably put the plaintiff at a risk of harm and the harm occurred). Accordingly, the Court recommends Plaintiffs' Washington CPA claim, Count 6, proceed at this time.

Louisiana Unfair Trade Practices and Consumer Protection Law. In Count 18, Plaintiffs Ictech and Strecker allege, on behalf of themselves and the Louisiana Subclass, that MCG Health violated the Louisiana Unfair Trade Practices and Consumer Protection Law (“LUTPA”). Dkt. 32, ¶¶ 478-88. As stated above, under the LUTPA, “[a]ny person who suffers any ascertainable loss of money or movable property, corporeal or incorporeal, as a result of the use or employment by another person of an unfair or deceptive method, act, or practice declared unlawful by R.S. 51:1405, may bring an action individually but not in a representative capacity to recover actual damages.” La. Stat. Ann. § 51:1409. “To succeed on a LUTPA claim, the plaintiff must show that the alleged conduct offends established public policy and is immoral, unethical, oppressive, unscrupulous, or substantially injurious.” Walker v. Hixson Autoplex of Monroe, L.L.C., 245 So.3d 1088, 1095 (La. 2017).

The Court finds only Plaintiff Ictech, on her behalf and on behalf of the Louisiana Subclass, has alleged actual injuries and can proceed on this claim.

Plaintiffs' conclusory allegations that, because of the data breach, MCG Health did not implement and maintain adequate data security are insufficient to show MCG Health's conduct meets the level necessary for a claim under LUTPA. In their Response, Plaintiffs do not cite to any allegations in the Complaint that support their LUTPA claim. See Dkt. 54 at 47-48. Rather, Plaintiffs state only that “MCG [Health] offers no explanation or argument for why the factual allegations that it failed to implement and maintain adequate data security would fail as a matter of Louisiana law.” Id. at 48. The Complaint contains conclusory allegations that MCG Health's practices and acts were immoral, unethical, oppressive, unscrupulous, or substantially injurious. See Dkt. 32, ¶ 485. Conclusory allegations providing only a threadbare recital of the elements of a cause of action are insufficient to state a claim. See Iqbal, 556 U.S. at 678 (“Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.”). Therefore, the Court finds Plaintiffs have not stated a claim under the LUTPA. Accordingly, the Court recommends Plaintiffs' remaining LUTPA claim, Count 18, as alleged by Plaintiff Ictech, on her behalf and on behalf of the Louisiana Subclass, be dismissed without prejudice.

New Mexico Unfair Practices Act. In Count 20, Plaintiffs Linda Booth and Blanca Garcia allege MCG Health's conduct violated the New Mexico Unfair Trade Practices Act (“UPA”). Dkt. 32, ¶¶ 500-08. To bring a claim under the New Mexico UPA, a “plaintiff must show that: (1) the defendant made a statement that was either false or misleading; (2) the false or misleading representation was knowingly made in connection with the sale of goods or services in the regular course of the defendant's business; and (3) the representation was of the type that may, tends to, or does deceive or mislead any person.” Charlie v. Rehoboth McKinley Christian Health Care Servs., 598 F.Supp.3d 1145, 1160 (D.N.M. 2022).

It is unclear from the Complaint what, if any, statement MCG Health made that was false or misleading. See Dkt. 32, ¶¶ 500-08. To the extent Plaintiffs are alleging MCG Health's contracts with the covered medical entities where Plaintiffs sought medical treatment were false and misleading, these conclusory allegations are insufficient. Plaintiffs contend that MCG Health was required to enter into contracts to “ensure that it will implement adequate safeguards to prevent unauthorized use or disclosure of Private Information.” Id. at ¶ 41. Plaintiffs have not alleged what language was contained within the contracts and have only provided conclusory allegations that any such contract term was false or misleading. Plaintiffs' assertions are that, because a data breach has occurred, MCG Health did not have adequate safeguards in place. As stated above, the fact of a data breach is not sufficient, by itself, to show that MCG Health made false or misleading statements regarding data security. See Griffey, 562 F.Supp.3d at 50; Feins, 2022 WL 17552440, at *8 (finding conclusory allegations that statements in a privacy policy were false or misleading simply because a data breach occurred was insufficient to state a claim under the New Mexico UPA). The Court finds Plaintiffs have not stated a claim under the New Mexico UPA. Therefore, the Court recommends Plaintiffs' New Mexico UPA claim, Count 20, be dismissed with prejudice.

f. Failure to Disclose (Count 8)

MCG Health contends Plaintiff Batt's California Medical Information Act (“CMIA”) claim should be dismissed because Plaintiff Batt does not allege that MCG Health disclosed medical information. Dkt. 35 at 43.

A provision of the CMIA mandates that health care providers and contractors shall not “disclose” medical information. Cal. Civ. Code § 56.10(a). In order to plead a violation of § 56.10(a), a plaintiff must plead an “affirmative communicative act” by the defendant, which does not occur if the information is stolen. Sutter Health v. Superior Court, 227 Cal.App.4th 1546, 1556 (2014); see also Regents of Univ. of Cal. v. Superior Court, 220 Cal.App.4th 549, 564 (2013) (“disclose” under CMIA means an “affirmative act of communication”). Plaintiff Batt alleges that MCG Health disclosed Plaintiff Batt's medical information because Plaintiff Batt's information was viewed by unauthorized individuals as a result of the data breach. Dkt. 32, ¶ 376. Plaintiff Batt does not allege MCG Health intentionally posted her information, or that whatever affirmative act might have caused her information to become accessible via the internet was done with the intent to communicate that information. Based on the meaning of “disclose,” Plaintiff Batt has not pled a plausible violation of § 56.10(a) of CMIA. See Stasi v. Inmediata Health Grp. Corp., 501 F.Supp.3d 898, 922 (S.D. Cal. 2020) (finding the plaintiffs did not allege “disclosure” under § 56.10(a) where information was viewed as a result of a data breach).

Plaintiffs no longer argue they have shown MCG Health is liable under § 56.10(a) as alleged in the Complaint. See Dkt. 54 at 35-36. They assert, however, that MCG Health is liable under § 56.101(a). Id. In the Complaint, Plaintiff Batt alleges MCG Health violated § 56.101 through its willful and knowing failure to maintain and preserve the confidentiality of Plaintiff Batt's medical information. Dkt. 32, ¶¶ 378-82. The first sentence of § 56.101(a) in the CMIA provides that every health care provider and contractor “who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.” Cal. Civ. Code § 55.101(a). The second sentence provides that any health care provider or contractor “who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36.” Section 56.36(b) provides that nominal and actual damages are available when information is “negligently released.” Id. at § 56.36(b).

Plaintiff Batt provides conclusory allegations that her information has been viewed by unauthorized individuals. See Dkt. 32, ¶¶ 379-80. Moreover, when reviewing the allegations specific to Plaintiff Batt, there are no allegations Plaintiff Batt's information was viewed or that she had any damages related to the unauthorized use of her information. See id. at ¶¶ 181-87. For example, Plaintiff Batt does not allege her information was found on the dark web or that any fraudulent activity has occurred. Id. “[I]t cannot be said that section 56.101 imposes liability if the health care provider simply loses possession of the medical records.” Sutter Health, 227 Cal.App.4th at 1556. Beyond conclusory allegations, Plaintiff Batt has not sufficiently alleged an unauthorized individual viewed her medical information. As such, Plaintiffs have not alleged a claim under § 56.101. See id. (finding no claim under § 56.101 where the allegations were that the defendant's negligent storage of information resulted in a change of possession of the information to an unauthorized individual but the allegations did not allege the information was viewed).

For the above stated reasons, the Court finds Plaintiffs have not stated a claim under the CMIA. Accordingly, the Court recommends Plaintiffs' CMIA claim, Count 8, be dismissed without prejudice.

I. Injunctive and Declaratory Relief (Count 22)

Plaintiffs assert a claim for injunctive and declaratory relief based on the federal Declaratory Judgment Act, 28 U.S.C. § 2201. See Dkt. 32, ¶ 519. The Declaratory Judgment Act “only creates a remedy.” See Stock West, Inc. v. Confederated Tribes of the Colville Reservation, 873 F.2d 1221, 1225 (9th Cir. 1989). Further, “[a] permanent injunction is a form of relief that the court may grant when a plaintiff succeeds on a substantive cause of action that lends itself to this remedy.” Dinkins v. Schinzel, 2017 WL 4891524, at *2 (D. Nev. Oct. 30, 2017). Although Plaintiffs may continue to request declaratory and injunctive relief, these items are requests for relief and not separate legal causes of action. See Barton v. Capital One Bank (USA), N.A., 2013 WL 12173918, at *8 (N.D. Cal. Apr. 4, 2013); Santos v. Countrywide Home Loans, 2009 WL 3756337, at *5 (E.D. Cal. Nov. 6, 2009) (“Declaratory and injunctive relief are not independent claims, rather they are forms of relief.”). Thus, the Court recommends Plaintiffs' cause of action for declaratory and injunctive relief, Count 22, be dismissed with prejudice.

J. Kentucky Computer Security Breach Notification Act (Count 15)

After review of the relevant filings, the Court finds MCG Health seeks dismissal of Plaintiffs' claim under the Kentucky Computer Security Breach Notification Act (“CSBNA”) (Count 15) in a general argument regarding claims related to the timeliness of the data breach notification. See Dkt. 35 at 43-44. MCG Health argues that Plaintiffs' allegations that they did not timely receive notice from MCG Health, which are woven throughout the Complaint, fail to state a claim. Id.

In Count 15, Plaintiffs Jay Taylor and Shelley Taylor allege, on behalf of themselves and the Kentucky Subclass, that MCG Health violated the Kentucky CSBNA by failing to timely notify these Plaintiffs of the data breach. Dkt. 32 at ¶¶ 451-459. Under the Kentucky CSBNA,

Any information holder shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of Kentucky whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay . . .
Ky. Rev. Stat. Ann. § 365.732(2).

Plaintiffs allege MCG Health did not notify Plaintiffs of the data breach until approximately two and a half months after the breach occurred. Dkt. 32, ¶ 5. Regardless of whether the notification period was reasonable, Plaintiffs Jay Taylor and Shelley Taylor have not sufficiently alleged any damages. They do not allege what kind of “damages” they experienced that could have been mitigated had they learned of the breach earlier. See Dkt. 32, ¶¶ 188-201, 451-59. Plaintiffs Jay Taylor and Shelley Taylor have not alleged their information was misused; they have only alleged they suffered lost time spent monitoring their information, stress and anxiety, damage to and diminution in value of their information, and the existing and continuing risk of fraud, identity theft, and misuse of their information. Id. at ¶¶ 190, 192-94, 197, 199-201. The allegations of harm are insufficient to warrant an inference that any alleged delay in notifying Plaintiffs of the security breach caused them a cognizable injury and damages. See e.g. Savidge v. Pharm-Save, Inc., 2017 WL 5986972, at *8 (W.D. Ky. Dec. 1, 2017) (finding no cognizable injury under § 365.732(2) and, thus, no negligence per se).

As Plaintiffs have not sufficiently alleged damages related to the alleged untimely notification, they have not stated a cognizable claim under the Kentucky CSBNA. Therefore, the Court recommends Plaintiffs' Kentucky CSBNA claim, Count 15, be dismissed with prejudice.

IV. Leave to Amend

In their Response, Plaintiffs “respectfully request leave to amend under Federal Rule of Civil Procedure 15.” Dkt. 54 at 52. In general, the appropriate remedy is to grant leave to amend to allow defendant an opportunity to cure defects in its pleadings, rather than simply dismissing the claim. See Bly-Magee v. California, 236 F.3d 1014, 1019 (when dismissing for failure to comply with Rule 9(b) “leave to amend should be granted unless the district court determines that the pleading could not possibly be cured by the allegation of other facts”); Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 701 (In a motion to dismiss under Rule 12(b)(6), “leave to amend should be granted if it appears at all possible that the plaintiff can correct the defect”) (internal quotation marks omitted). Plaintiffs are represented by competent counsel, have filed an amended complaint (the Consolidated Class Action Complaint), and have not articulated how they would amend to cure the deficiencies identified in the Motion to Dismiss and discussed in this Report and Recommendation. However, at this time, the Court finds Plaintiffs may be able to cure some of the defects of the Complaint. Therefore, the Court recommends Plaintiffs be given leave to amend all counts that the Court recommends be dismissed without prejudice: Counts 1, 2, 8, 12, 14, and 18.

V. Conclusion

For the above stated reasons, the Court recommends the Motion to Dismiss (Dkt. 35) be granted-in-part and denied-in-part as follows:

• The claims alleged in Counts 6, 13, and 17 in-part of the Complaint be allowed to proceed;

• The claims alleged in Counts 1 in-part, 2, 8, 12, 14, and 18 in-part of the Complaint be dismissed without prejudice;

• The claims alleged in Counts 1 in-part, 3-5, 7, 9-11, 15, 16, 17 in-part, 18 in-part, 19, and 20-22 of the Complaint be dismissed with prejudice; and

• Plaintiffs be given leave to file an amended complaint that includes only Counts 1, 2, 6, 8, 12-14, 17, and 18; however, the negligence per se claim contained in Count 1 and the claims alleged by Plaintiff Strecker in Counts 17 and 18 are dismissed with prejudice and may not be included in the amended complaint.

Pursuant to 28 U.S.C. § 636(b)(1) and Fed.R.Civ.P. 72(b), the parties shall have fourteen (14) days from service of this report to file written objections. See also Fed.R.Civ.P. 6. Failure to file objections will result in a waiver of those objections for purposes of de novo review by the district judge, see 28 U.S.C. § 636(b)(1)(C), and can result in a waiver of those objections for purposes of appeal. See Thomas v. Arn, 474 U.S. 140, 142 (1985); Miranda v. Anchondo, 684 F.3d 844, 848 (9th Cir. 2012) (citations omitted). Accommodating the time limit imposed by Fed.R.Civ.P. 72(b), the Clerk is directed to set the matter for consideration on April 14, 2023, as noted in the caption.

