From Casetext: Smarter Legal Research

In re Mednax Servs., Customer Data Sec. Breach Litig.

United States District Court, Southern District of Florida
May 10, 2022
No. 21-MD-02994-RAR (S.D. Fla. May. 10, 2022)

Opinion

21-MD-02994-RAR

05-10-2022

In re MEDNAX SERVICES, INC., CUSTOMER DATA SECURITY BREACH LITIGATION


ORDER GRANTING IN PART DEFENDANTS' MOTION TO DISMISS

RODOLFO A. RUIZ II UNITED STATES DISTRICT JUDGE.

THIS CAUSE comes before the Court upon Defendants' Motion to Dismiss Plaintiffs' Consolidated Amended Complaint [ECF No. 84] (“Motion”). The Court having reviewed the briefs, the record, and applicable law, and being otherwise fully advised, it is hereby

The Motion is fully briefed and includes supplemental briefing in light of the Court's order in Desue v. 20/20 Eye Care Network, Inc., No. 21-61275, 2022 WL 796367 (S.D. Fla. Mar. 15, 2022). See [ECF Nos. 92, 96, 100-01].

ORDERED AND ADJUDGED that Defendants' Motion is GRANTED IN PART as set forth herein.

BACKGROUND

This multidistrict litigation (“MDL”) action arises from two data breaches that occurred in June and July 2020 (“Data Breaches”), when a phishing attack on Defendants' email service disclosed the protected health information (“PHI”) and personally identifiable information (“PII”) of Plaintiffs and similarly situated persons-allegedly including their names, addresses, email addresses, dates of birth, medical records, patient account numbers, health insurance information, Social Security numbers, and/or limited treatment or clinical information, such as diagnosis, provider names, dates of service, and other medical information. Consolidated Am. Compl. for Damages (“Amended Complaint”) [ECF No. 71] ¶¶ 1-4. Defendant Mednax is a physician-led healthcare organization offering various clinical, support, and consulting services. Id. at 1. Defendant Pediatrix, a subsidiary of Defendant Mednax, provides maternal, newborn, and pediatric subspecialty services. Id. at 2. Defendant American Anesthesiology is a healthcare services provider and a former subsidiary of Defendant Mednax now owned by North American Partners in Anesthesia. Id. Following the Data Breaches, Defendants allegedly waited nearly six months before notifying their patients that their PHI and PII may have been compromised. Id. at 3.

Plaintiffs allege that Defendants “betrayed Plaintiffs' trust by failing properly to safeguard and protect their PHI and PII and by publicly disclosing their PHI and PII without authorization in violation of numerous laws and statutes.” Am Compl. ¶ 1. Plaintiffs maintain that these actions have caused them numerous and imminent injuries. Id. ¶¶ 7-9. On behalf of themselves and putative Class Members, they seek actual damages, statutory damages, punitive damages, and restitution, with attorney's fees, costs, and expenses, under the statutes of twelve states as well as breach of fiduciary duty of confidentiality of medical records, breach of implied contract, negligence, and negligent training and supervision under common law. Id. ¶ 10. They also seek various forms of declaratory and injunctive relief. Id. ¶¶ 10, 12.

In June 2021, six cases were transferred to this MDL from the Southern District of Florida, Southern District of California, Western District of Missouri, District of South Carolina, and District of Arizona. See [ECF Nos. 3-7, 19]. Defendants now move to dismiss Plaintiffs' Amended Complaint for lack of Article III standing and, alternatively, for failure to state a claim upon which relief can be granted.

LEGAL STANDARD

I. Lack of Subject Matter Jurisdiction under Fed.R.Civ.P. 12(b)(1)

The United States Constitution's case-or-controversy clause in Article III requires that plaintiffs “must establish that they have standing to sue” in federal court. Raines v. Byrd, 521 U.S. 811, 818 (1997). Thus, standing is a “threshold question in every federal case, determining the power of the court to entertain the suit.” Warth v. Sedlin, 422 U.S. 490, 498 (1975).

In the class action context, Article III requires two distinct inquiries to determine whether a class representative has “standing to represent a class.” Fox v. Ritz-Carlton Hotel Co., L.L.C., 977 F.3d 1039, 1046 (11th Cir. 2020) (quoting Mills v. Foremost Ins. Co., 511 F.3d 1300, 1307 (11th Cir. 2008)). A class representative must satisfy the individual standing prerequisites for each claim he or she asserts and “must also be part of the class and possess the same interest and suffer the same injury as the class members.” Id. (quoting Prado-Steiman ex rel. Prado v. Bush, 221 F.3d 1266, 1279 (11th Cir. 2000)) (cleaned up); see also Preisler v. Eastpoint Recovery Grp., Inc., No. 20-62268, 2021 WL 2110794, at *3 (S.D. Fla. May 25, 2021). To be clear, if the case has “at least one individual plaintiff who has demonstrated standing, ” the Court need not “consider whether the other plaintiffs have standing to maintain the suit.” Wilding v. DNC Servs. Corp., 941 F.3d 1116, 1124-25 (11th Cir. 2019) (quoting Arlington Heights v. Metro. Hous. Dev. Corp., 429 U.S. 252, 264 & n.9 (1977)) (alteration omitted).

To establish the individual standing prerequisites, a plaintiff must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). These three elements must be supported “with the manner and degree of evidence required at the successive stages of the litigation.” Wilding, 941 F.3d at 1124 (quoting Lujan v. Defs. Of Wildlife, 504 U.S. 555, 561 (1992)); see also 31 Foster Children v. Bush, 329 F.3d 1255, 1263 (11th Cir. 2003) (“How much evidence is necessary to satisfy [the standing requirement] depends on the stage of litigation at which the standing challenge is made.”). And “plaintiffs must demonstrate standing for each claim that they press and for each form of relief that they seek.” TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2208 (2021).

A plaintiff has suffered an injury in fact if he or she has “suffered ‘an invasion of a legally protected interest' that is ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical.'” Spokeo, 578 U.S. at 339 (quoting Lujan, 504 U.S. at 560). “Central to assessing concreteness is whether the asserted harm has a ‘close relationship' to a harm traditionally recognized as providing a basis for a lawsuit in American courts-such as a physical harm, monetary harm, or various intangible harms . . . .” TransUnion, 141 S.Ct. at 2200. Concrete intangible harms may include reputational harms, disclosure of private information, and intrusion on seclusion. Id. at 2204 (collecting cases).

Beyond establishing that a plaintiff has suffered an injury in fact, he or she must allege a “causal connection between the injury and the conduct complained of'; in other words, the injury must be “fairly traceable to the challenged action of the defendant.” Lujan, 504 U.S. at 560 (cleaned up). However, Article III standing does not require that defendants be the most immediate cause, or even a proximate cause, of plaintiffs' injuries; it requires only that those injuries be fairly traceable to defendants. See Lexmark Int'l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 134 n.6 (2014). “Even harms that flow indirectly from the action in question can be said to be ‘fairly traceable' to that action for standing purposes.” Wilding, 941 F.3d at 1125 (quoting Focus on the Family v. Pinellas Suncoast Transit Auth., 344 F.3d 1263, 1273 (11th Cir. 2003)) (alteration omitted).

Article III standing may be challenged either facially or factually. A facial attack looks only to the face of the complaint and accepts its allegations as true. See Lawrence v. Dunbar, 919 F.2d 1525, 1528-29 (11th Cir. 1990). It “requires the court merely to look and see if the plaintiff has sufficiently alleged a basis of subject matter jurisdiction.” Stalley ex rel. U.S. v. Orlando Reg'l Healthcare Sys., Inc., 524 F.3d 1229, 1232 (11th Cir. 2008) (quotingMcElmurray v. Consol. Gov't of Augusta-Richmond Cnty., 501 F.3d 1244, 1250 (11th Cir. 2007)). A factual attack, by contrast, challenges the factual basis for jurisdiction notwithstanding any of the complaint's allegations. See Lawrence, 919 F.2d at 1528-29. In weighing a factual attack, a court is free to consider materials outside the pleadings, and the pleadings are afforded no presumptive truth. Id. at 1529; see also Butts v. ALN Grp., LLC, 512 F.Supp.3d 1301, 1305 (S.D. Fla. 2021).

II. Failure to State a Claim under Fed.R.Civ.P. 12(b)(6)

“To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). When reviewing a motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6), a court must accept as true all factual allegations contained in the complaint, and plaintiffs should receive the benefit of all favorable inferences that can be drawn from the facts alleged. Iqbal, 556 U.S. at 678; Chaparro v. Carnival Corp., 693 F.3d 1333, 1337 (11th Cir. 2012). A court considering a Rule 12(b)(6) motion generally is limited to the facts contained in the complaint and attached exhibits but also may consider documents referred to in the complaint that are central to the claim and whose authenticity is undisputed. See Wilchombe v. TeeVee Toons, Inc., 555 F.3d 949, 959 (11th Cir. 2009). “Dismissal pursuant to Rule 12(b)(6) is not appropriate unless it appears beyond doubt that the plaintiff can prove no set of facts in support of his claim which would entitle him to relief.” Magluta v. Samples, 375 F.3d 1269, 1273 (11th Cir. 2004) (cleaned up).

III. Choice of Law

The parties disagree as to which states' laws the Court should apply to this case. Plaintiffs bring twenty-two claims under various state statutes as well as several common-law causes of action. Of course, “when considering questions of state law, the transferee court must apply the state law that would have applied to the individual cases had they not been transferred for consolidation.” In re Horizon Organic Milk Plus DHA Omega-3 Mktg. and Sales Prac. Litig., 955 F.Supp.2d 1311, 1322 (S.D. Fla. 2013) (quoting In re Temporomandibular Joint (TMJ) Implants Prods. Liab. Litig., 97 F.3d 1050, 1055 (8th Cir. 1996)) (cleaned up). The parties' disagreement concerns the causes of action under common law, to which the transferee court applies the choice-of-law rules of the state where the action was filed. Larsen v. Citibank FSB, 871 F.3d 1295, 1303 (11th Cir. 2017). Plaintiffs' claims sound in both tort and contract, so they require separate analyses.

a. Claims in Tort

The five transferor states apply three different tests for determining the applicable law in tort actions. Arizona, Florida, and Missouri-whose choice-of-law rules govern the tort claims of Plaintiffs B.W., Larsen, Fulks, and Cohen-apply the “most significant relationship” test from the Restatement (Second) of the Conflict of Laws. The four factors applied in this test are “(a) the place where the injury occurred, (b) the place where the conduct causing the injury occurred, (c) the domicile, residence, nationality, place of incorporation[, ] and place of business of the parties, and (d) the place where the relationship, if any, between the parties is centered.” eCapital, 519 F.Supp.3d at 1134 n.4 (quoting Grupo Televisa, S.A. v. Telemundo Commc'ns Grp., Inc., 485 F.3d 1233, 1240 (11th Cir. 2007)). “The first contact type-where the injury occurred-‘is generally the most important, as absent special circumstances, the state where the injury occurred would be the decisive consideration in determining the applicable choice of law.'” Id. (quoting Melton v. Century Arms, Inc., 243 F.Supp.3d 1290, 1299 (S.D. Fla. 2017) (Moreno, J.)).

See Dorman v. Emerson Elec. Co., 23 F.3d 1354, 1358 (8th Cir. 1994) (Missouri); eCapital Comm. Fin. Corp. v. Hitachi Cap. Am. Corp., 519 F.Supp.3d 1129, 1134 n.4 (S.D. Fla. 2021) (Florida); Barten v. State Farm Mut. Auto. Ins. Co., 28 F.Supp.3d 978, 982-83 (D. Ariz. 2014) (Arizona).

California-whose choice-of-law rules govern the tort claims of Plaintiffs Rumely, Bean, Jay, Soto, and Baum-applies the “governmental interest” test, under which “a jurisdiction ordinarily has the predominant interest in regulating conduct that occurs within its borders.” See Senne v. Kan. City Royals Baseball Corp., 934 F.3d 918, 933 (9th Cir. 2019) (quoting Mazza v. Am. Honda Motor Co., 666 F.3d 581, 592 (9th Cir. 2012)). And South Carolina-whose choice-of-law rules govern the tort claims of Plaintiffs Nielsen, Lee, and Clark-applies “the law of the state where the injury occurred.” See Butler v. Ford Motor Co., 724 F.Supp.2d 575, 581 (D.S.C. 2010).

The data breach context raises unique problems in choice-of-law analysis. In all five transferor states, the analysis centers on where the injury “occurred.” And because neither the Supreme Court nor the Eleventh Circuit has weighed in on where a breach of cloud-stored data is deemed to occur, district courts are left to apply conventional rules to unconventional cases. Gone are the days when all data was stored on local servers or mainframes, whose physical location readily determined the location of the injury-i.e., the breach. Instead, today's cases often involve data stored on the cloud-an interconnected and redundant storage mechanism distributed across datacenters whose locations may be unknown or even unknowable.

Plaintiffs allege that the Data Breaches impacted “Microsoft Office 365 business email accounts, ” which are cloud-based accounts. Am. Compl. ¶ 378; Reply [ECF No. 96] at 12 n.7.

This Court joins other courts in finding that the location of the breach itself is fortuitous in such cases; here, Florida is where the data was maintained, multiple Defendants are domiciled, and Defendants' security protocols allegedly broke down. See, e.g., Nat'l Union Fire Ins. Co. of Pittsburgh v. Tyco Integrated Sec., LLC, No. 13-80371, 2015 WL 3905018, at *13 (S.D. Fla. June 25, 2015) (applying Florida law although the injury was felt in Connecticut because defendant was headquartered in Florida, its “pertinent departments” were located in Florida, and “a substantial portion of [its] IT and cybersecurity operations [were] based in Florida, ” so, “more likely than not, [its] failure to safeguard the information is an event that took place in Florida”); Willingham v. Glob. Payments, Inc., No. 12-01157, 2013 WL 440702, at *14-15 (N.D.Ga. Feb. 5, 2013) (applying the law of the state where defendant was domiciled instead of where the injury was felt in part because “Defendant's principal place of business [was] in Georgia, the data breach occurred in Georgia, and to the extent, if any, Defendant breached a duty to consumers, it did so in Georgia”). Therefore, the Court deems the Data Breaches to have occurred in Florida and will apply Florida law to Plaintiffs' tort claims.

b. Claims in Contract

The contract claims of Plaintiffs Cohen, Fulks, Nielsen, Lee, and Clark are subject to the choice-of-law rules of Florida and South Carolina, under which contracts are governed by the law of the place where the alleged contract was formed. Plaintiffs allege that they “entered into an implied contract with each Defendant” when they “provided Defendants their PHI and PII.” Am. Compl. ¶¶ 657-58. Any such contract was formed in these Plaintiffs' home states, where they provided their PHI and PII to Defendants. So the contract claims of Plaintiffs Lee and Clark are subject to South Carolina law, those of Plaintiff Cohen are subject to Maryland law, those of Plaintiff Fulks are subject to North Carolina law, and those of Plaintiff Nielsen are subject to Virginia law.

See Oakwood Prods., Inc. v. SWK Techs., Inc., No. 20-04107, 2021 WL 5235224, at *4 (D.S.C. Nov. 10, 2021) (South Carolina); Pastor v. Union Cent. Life Ins. Co., 184 F.Supp.3d 1301, 1304-05 (S.D. Fla. 2002) (Florida).

The contract claims of Plaintiffs A.W. and Larsen are governed by the “most significant relationship” test from the Restatement (Second) of Conflict of Laws, which is followed by Missouri and Arizona. This test considers “(1) the place of contracting; (2) the place of negotiation of the contract; (3) the place of performance; (4) the location of the subject matter of the contract; [and] (5) the residence, nationality, place of incorporation, and place of business of the parties.” Birnstill, 907 F.2d at 797; Cavan, 182 F.Supp.3d at 959. Although the alleged contracts were formed in these Plaintiffs' home states, where they provided their PHI and PII to Defendants, Florida was the place of performance (in the data security context), the location of the subject matter (where IT or security personnel interfaced with and maintained the data), and Defendants' place of business (where Defendants allegedly failed to safeguard Plaintiffs' data). Accordingly, the Court will apply Florida law to these Plaintiffs' contract claims.

See Birnstill v. Home Sav. of Am., 907 F.2d 795, 797 (8th Cir. 1990) (Missouri); Cavan v. Maron, 182 F.Supp.3d 954, 959 (D. Ariz. 2016) (Arizona).

Plaintiffs Rumely, Bean, Jay, Soto, and Baum's contract claims are subject to California's choice-of-law rules, under which the same “governmental interest” analysis that governs tort claims also applies to contract claims. See Glob. Commodities Trading Grp. v. Beneficio de Arroz Choloma, S.A., 972 F.3d 1101, 1111 (9th Cir. 2020). Because the Data Breaches occurred in Florida, as discussed supra Legal Standard III.a, the Court will apply Florida law to these claims.

ANALYSIS

Defendants raise several arguments in favor of dismissal, including a lack of subject matter jurisdiction under Rule 12(b)(1) and failure to state a claim under Rule 12(b)(6). The Court addresses each argument in turn.

I. Plaintiffs Sufficiently Allege Article III Standing

Of the three Article III standing prerequisites-injury in fact, traceability, and redressability-Defendants challenge two: injury in fact and traceability. Defendants challenge Plaintiffs' standing as both facially and factually deficient.

a. Plaintiffs Allege Injuries in Fact

Defendants argue that all named Plaintiffs fail to allege injuries in fact. Mot. at 7-13. As a threshold matter, the Court need only find that one named Plaintiff has Article III standing to maintain suit. At issue is whether the injuries alleged by Plaintiffs are “concrete, ” “particularized, ” and “actual or imminent, not conjectural or hypothetical.” Lujan, 504 U.S. at 560. Collectively, Plaintiffs allege the following common injuries:

(i) loss of privacy; (ii) the imminent, immediate and continuing increased risk of identity theft, identity fraud and/or medical fraud; (iii) out-of-pocket expenses to purchase credit monitoring, internet monitoring, identity theft insurance and/or other [Data Breach] risk mitigation products; (iv) out-of-pocket expenses incurred to mitigate the increased risk of identity theft, identity fraud and/or medical fraud pressed upon them by the [Data Breaches], including the costs of placing a credit freeze and subsequently removing a credit freeze; (v) the value of their time spent mitigating the increased risk of identity theft, identity fraud and/or medical fraud pressed upon them by the [Data Breaches]; (vi) the lost benefit of their bargain when they paid for their privacy to be protected and it was not; and (vii) emotional distress.
Am. Compl. ¶ 432. Individually, Plaintiffs also allege the following specific injuries:
1) All Plaintiffs allege diminution in value of their PHI and PII. Id. ¶¶ 23, 47, 65, 83, 106, 131, 155, 181, 195, 219, 243, 265.
2) Plaintiffs A.W., B.W., Jay, Soto, Baum, Larsen, Lee, Cohen, and Clark allege that PHI and/or PII, including Social Security numbers, have been found available for purchase on the dark web. Id. ¶¶ 28, 88, 111, 136, 160-61, 224, 248, 270.
3) Plaintiffs Rumely, Nielsen, and Lee allege an uptick in spam and/or phishing emails, physical mail, text messages, and/or phone calls. Id. ¶¶ 49, 205, 230-31.
4) Plaintiff Nielsen alleges that she has suffered identity theft, that twelve bank accounts have been opened in her name, that her credit score has been damaged, that she has experienced errors in processing her medical bills, and that a four-year magazine subscription was started in her name. Id. ¶¶ 199-200, 203-04, 206.

The Court will focus first on Plaintiffs' common alleged injuries. The Eleventh Circuit and the Supreme Court have recently weighed in on whether certain types of injuries-including the risk of future harm-are sufficiently concrete to establish injuries in fact. Whether Plaintiffs suffer from a substantial risk of imminent identity, financial, and health fraud and theft is central to the Court's inquiry into whether their injuries are sufficiently concrete.

In Tsao v. Captiva MVP Restaurant Partners, the Eleventh Circuit distilled two relevant principles in considering whether the threat of future harm is concrete for standing purposes. 986 F.3d 1332, 1339 (11th Cir. 2021). First, the threat of future harm must be a “substantial risk” or “certainly impending.” Id. (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 416 (2013)). Second, if the threat of future harm does not meet that standard, a plaintiff cannot “conjure standing by inflicting some direct harm on itself to mitigate a perceived risk.” Id. In other words, any steps plaintiffs take to monitor their credit or financial statements for fraudulent activity establish an injury in fact only if plaintiffs have shown that they face a substantial or certainly impending threat of future harm. Id. The threat of future identity theft has been considered “certainly impending” or a “substantial risk” in cases where plaintiffs have alleged “actual misuse or actual access to personal data.” Id. at 1340. In short, “[e]vidence of a mere data breach does not, standing alone, satisfy the requirements of Article III standing.” Id. at 1344.

Just four months after the Eleventh Circuit's decision in Tsao, the Supreme Court in TransUnion addressed the question of whether a material risk of future harm is sufficiently concrete to confer standing. Prior to TransUnion, the Court had recognized that a material risk of future harm could satisfy the concreteness requirement only in a claim for injunctive relief. TransUnion, 141 S.Ct. at 2210 (citing Spokeo, 578 U.S. at 341-42). In TransUnion, the Court expounded that the material risk of future harm, without more, is not sufficiently concrete for purposes of Article III standing in a suit for damages. Id. at 2211. The Court further implied that emotional injury may be an independent harm caused by plaintiffs' exposure to the risk that their credit reports would be provided to third-party businesses. Id.

In Tsao, the Eleventh Circuit addressed a smattering of cases where courts found that threats of future harm were sufficient to establish injuries in fact. 986 F.3d at 1340. In those cases, plaintiffs alleged actual misuse or access of their data. Id. (citing Attias v. Carefirst, Inc., 865 F.3d 620, 626 n.2, 628 (D.C. Cir. 2017) (holding that there was a “substantial risk” of future harm where an unauthorized party accessed PII from a healthcare company's servers); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015) (finding a substantial risk of future harm where plaintiffs had already experienced fraudulent charges on their credit cards); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010) (holding that plaintiffs faced a “credible threat of harm” where a laptop was stolen containing their encrypted data and one plaintiff had a fraudulent bank account opened in his name)).

As to evidence that certain individuals' data affected by a given data breach has been misused, courts have found such evidence helpful in establishing a “substantial risk” of future harm for plaintiffs who remain unaffected. See McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 301-02 (2d Cir. 2021) (finding that courts have been more likely to conclude that plaintiffs have established a substantial risk of future injury where they can show that at least some part of the compromised dataset has been misused-even if plaintiffs' particular data subject to the same disclosure incident has not yet been affected); In re Zappos.com, Inc., 888 F.3d 1020, 1027-28 & n.7 (9th Cir. 2018) (explaining that although some plaintiffs in the suit had not yet suffered identity theft, allegations that other customers whose data was compromised had reported fraudulent charges helped establish that plaintiffs were at substantial risk of future harm).

Despite Defendants' characterizations of Tsao, Mot. at 7-9, the Eleventh Circuit did not foreclose the notion that the substantial risk of future identity theft could confer standing. In Tsao, plaintiffs alleged that their credit card data had been stolen (and not information such as Social Security numbers and dates of birth). 986 F.3d at 1344. Further, plaintiffs failed to allege any specific misuse of class members' data. Id. Based on these particular allegations, the Eleventh Circuit held that plaintiffs had failed to allege a “substantial risk” of future harm sufficient to confer standing. Id.

This Court recently grappled with how these new precedents govern standing issues related to establishing injury in fact in the data breach context. See Desue, 2022 WL 796367. In Desue, as here, plaintiffs pursued a medley of relief, including damages and injunctive relief. Id. at *4. The Court found that plaintiffs plausibly alleged an injury in fact based on actual misuse and actual access of their data. Id. These allegations established that the threat of future harm posed a “substantial risk” or was “certainly impending.” Id. (quoting Tsao, 986 F.3d at 1339).

Here, similarly, Plaintiffs allege both actual misuse and actual access of their personal data resulting from the Data Breaches. Am. Compl. ¶¶ 2-3. Specifically, Defendants confirmed that on June 17 and 22, 2020, unknown third parties gained access to Plaintiffs' data. Id. ¶¶ 19, 42, 60, 79, 102, 127, 152, 176, 190, 215, 239, 261. This data included names, guarantor names, addresses, email addresses, dates of birth, health insurance information, medical and/or treatment information, and billing and claims information. Id. Further, Plaintiffs Rumely, Nielsen, and Lee allege actual misuse of their personal data, including increased spam, the opening of fraudulent bank accounts, and identity theft. Id. ¶¶ 49, 199-200, 203-04, 206, 205, 230-31. Given that Plaintiffs allege actual access and misuse of their PHI and PII, they have established a “substantial risk” of future harm and, thus, injury in fact for purposes of Article III standing regarding their claim for injunctive relief.

As in Desue, because Plaintiffs' requested relief includes damages, the Court must take its analysis one step further. 2022 WL 796367, at *5. In a claim for damages, “the mere risk of future harm, standing alone, cannot qualify as a concrete harm-at least unless the exposure to the risk of future harm itself causes a separate concrete harm.” TransUnion, 141 S.Ct. at 2210-11. Here, in addition to establishing a substantial risk of future harm, Plaintiffs allege two separate concrete harms sufficient to satisfy the Court's holding in TransUnion: the suffering of emotional distress related to possible identity theft and the cost of the increased time Plaintiffs have spent and must continue to spend reviewing their financial information.

Defendants contend that allegations of emotional distress cannot confer standing, citing a case out of the Third Circuit, a case out of the Middle District of Florida, and a recent decision of the present Court. Mot. at 12-13. In Preisler, plaintiff relied solely on allegations of emotional harms to satisfy concreteness, so the present Court held that plaintiff's alleged harms were insufficient to confer standing. 2021 WL 2110794, at *6. In Reilly v. Ceridian Corp., the Third Circuit held that plaintiffs failed to allege any concrete injury, including that of emotional distress, because they did not allege any misuse of their information. 664 F.3d 38, 42 (3d Cir. 2011). Finally, in R.W. v. Armor Correctional Health Services, plaintiff's standing was not the issue in question. 830 F.Supp.2d 1295, 1303 (M.D. Fla. 2011). These cases are markedly different from this action. Here, Plaintiffs have established that their risk of future harm is substantial and imminent. Thus, the question in this case is not whether Plaintiffs' allegations of emotional distress, on their own, are sufficiently concrete to establish injuries in fact. Instead, it is whether allegations of emotional distress, coupled with the substantial risk of future harm, are sufficiently concrete to establish standing in a claim for damages. The Court concludes that they are. See TransUnion, 141 S.Ct. at 2211.

Because Plaintiffs' allegations of substantial risk of future harm and emotional injury are sufficient to establish injuries in fact, the Court need not address Defendants' remaining contentions. However, for the sake of completeness, it will do so.

First, Defendants contend that Tsao foreclosed the possibility that a plaintiff could base injuries in fact on actions related to the mitigation of future harms. Mot. at 10. But the Eleventh Circuit's holding requires a more nuanced reading than that proffered by Defendants. The Tsao Court held that injuries related to mitigating the risk of future identity theft were not concrete because plaintiffs did not sufficiently allege a substantial risk of future harm. In essence, if the risk of harm to plaintiffs is not substantial, their steps to mitigate a non-substantial risk do not create an injury. Here, however, Plaintiffs do allege a substantial and imminent risk of future identity theft, so injuries related to the mitigation of those risks-including time spent reviewing their financial accounts-are sufficiently concrete to establish injuries in fact. See In re Practicefrst Data Breach Litig., No. 21-00790, 2022 WL 354544, at *6 (W.D.N.Y. Feb. 2, 2022) (“‘Where plaintiffs have shown substantial risk of future identity theft or fraud, any expenses they have reasonably incurred to mitigate that risk likewise qualify as injury in fact.' Conversely, ‘where plaintiffs have not alleged a substantial risk of future identity theft, the time they spent protecting themselves against this speculative threat cannot create an injury.'” (quoting McMorris, 995 F.3d at 303)).

Second, Defendants cite a mix of data breach cases decided between 2016 and 2019 to dispute Plaintiffs' claim that the diminution in the value of their PHI and PII constitutes an injury in fact. Mot. at 10-11. The Court acknowledges these prior decisions. But upon careful consideration, the Court joins more recent decisions holding that, in the data breach context, plaintiffs need not reduce their PHI or PII to terms of dollars and cents in some fictitious marketplace where they offer such information for sale to the highest bidder. See, e.g., Klein v. Facebook, Inc., No. 20-08570, 2022 WL 141561, at *39 (N.D. Cal. Jan. 14, 2022); Calhoun v. Google LLC, 526 F.Supp.3d 605, 635 (N.D. Cal. 2021); In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 461 (D. Md. 2020). Rather, Plaintiffs' “actual” (rather than “hypothetical”) diminution in value, Lujan, 504 U.S. at 560, occurred within the very marketplace in which they actually use their PHI and PII-the marketplace of credit, wherein the compromise of such information damages their ability to “purchase goods and services remotely and without the need to pay in cash or a check, ” In re Marriott, 440 F.Supp.3d at 462-and therefore is sufficiently concrete to confer standing.

Most cases Defendants cite are from district courts within this circuit (although the Eleventh Circuit itself has yet to weigh in on this issue). In re 21st Century Oncology Customer Data Sec. Breach Litig., 380 F.Supp.3d 1243, 1257 (M.D. Fla. 2019) (“The Court rejects this theory of injury in fact because Plaintiffs have not alleged that their personal information has an independent monetary value that is now less than it was before the Data Breach.”); Torres v. Wendy's Co., 195 F.Supp.3d 1278, 1283-85 (M.D. Fla. 2016) (holding that allegations of diminished value of PII following a data breach are insufficient for Article III standing); Provost v. Aptos, Inc., No. 17-02120, 2018 WL 1465766, at *4 (N.D.Ga. Mar. 12, 2018) (“The Court is not persuaded by the hypothetical diminution of value propounded by Plaintiff. Plaintiff has failed to allege with particularity any facts explaining how her personal identity information is less valuable than it was before the Breach.”); Khan v. Children's Nat'l Health Sys., 188 F.Supp.3d 524, 533-34 (D. Md. 2016) (holding that alleged diminished value of PII did not establish standing when plaintiff failed to “explain how the hackers' possession of that information has diminished its value, . . . [or] assert that she would ever actually sell her own personal information”); Chambliss v. CareFirst, Inc., 189 F.Supp.3d 564, 572 (D. Md. 2016) (similar).

Third, Defendants attack Plaintiffs' allegations that they suffered a loss of privacy as “conclusory” and therefore insufficient to establish injuries in fact. Mot. at 11. Defendants argue that “[c]ourts consistently hold that allegations of loss of privacy from a data incident, without more, are not enough to establish injury-in-fact.” Id. (emphasis added) (collecting cases). Defendants are correct. See, e.g., Khan, 188 F.Supp.3d at 533 (“[Defendant] argues that the data breach has caused a loss of privacy that constitutes an injury in fact. However, she has not identified any potential damages arising from such a loss and thus fails to allege a ‘concrete and particularized injury.'”). But here, there is “more.” As discussed supra, Plaintiffs are under a substantial and imminent risk of future identity theft because unauthorized third parties, and possibly criminals, gained access to their PHI and PII. Am. Compl. ¶¶ 25, 51, 67, 85, 108, 133, 157, 183, 197, 221, 245, 267. Thus, Plaintiffs' claims of loss of privacy are sufficient to confer standing.

Fourth, Defendants contend that Plaintiffs' allegations of having lost the benefit of their bargain do not establish injuries in fact. Mot. at 12. Many courts have cast doubt on this theory, especially in cases where plaintiffs do not sufficiently allege reliance on defendants' representations as to their security policies. See, e.g., Provost, 2018 WL 1465766, at *4. However, where plaintiffs allege that “there was an explicit or implicit contract for data security, that plaintiffs placed value on that data security, and that [defendants failed to meet their representations about data security, ” In re Marriott, 440 F.Supp.3d at 466, courts have consistently held these allegations sufficient to allege injuries in fact. Here, Plaintiffs allege facts sufficient to satisfy this theory of standing. Am. Compl. ¶ 292-303.

As discussed infra Analysis II.g, Plaintiffs' factual allegations as to breach of implied contract are insufficient to state a claim for relief. But the analyses under Rules 12(b)(1) and 12(b)(6) do not equate.

In sum, Plaintiffs' alleged injuries constitute injuries in fact sufficient to satisfy claims for injunctive relief and damages.

b. Plaintiffs Plausibly Allege Traceability

Defendants dispute the nexus between the Data Breaches and the misuse of Plaintiffs' information. Mot. at 13-20. Specifically, they argue that the data accessed in the Data Breaches did not contain enough information to support Plaintiffs' allegations that bad actors listed their information for sale on the dark web. Id. at 13-17. Further, they contend that Plaintiffs Rumely's and Lee's claims regarding an uptick in spam communications have not been linked to the Data Breaches. Id. at 17-18. They also argue that Plaintiff Nielsen's allegations of identity fraud and theft have no connection to the Data Breaches. Id. at 18-20.

Article III standing requires a “causal connection between the injury and the conduct complained of.” Lujan, 504 U.S. at 560 (cleaned up). In other words, the injury must be “fairly traceable to the challenged action of the defendant.” Id. The Supreme Court has cautioned federal courts not to “confuse weakness on the merits with absence of Article III standing.” Ariz. St. Leg. v. Ariz. Indep. Redistricting Comm n, 576 U.S. 787, 800 (2015) (alteration omitted). In the context of Article III standing, “fairly traceable” does not mean “certainly traceable.” Thus, to satisfy Article III's standing causation requirement, a plaintiff need not show proximate causation. Wilding, 941 F.3d at 1125. “[E]ven harms that flow indirectly from the action in question can be said to be ‘fairly traceable' to that action for standing purposes.” Id. (citing Focus on the Family, 344 F.3d at 1273). Plaintiffs need not show that defendants' actions are the very last step in the chain of causation. Id. at 1126.

Here, Plaintiffs allege that Defendants failed to protect their PHI and PII. Am. Compl. ¶ 1. Consequently, the Data Breaches occurred, whereby unauthorized persons gained access to Plaintiffs' private information. Id. ¶ 3. Following the Data Breaches, Plaintiffs experienced documented incidents of identity theft, economic losses, lost time, and emotional distress and are at substantial risk of future incidents of identity theft. See id. ¶¶ 16-282. While Defendants argue that these allegations are insufficient to satisfy traceability, Mot. at 13-20, the Court disagrees. Even if the data accessed in the Data Breaches did not provide all the information necessary to inflict these harms, they very well could have been enough to aid therein. And “[e]ven a showing that a plaintiff's injury is indirectly caused by a defendant's actions satisfies the fairly traceable requirement.” Resnick v. AvMed, Inc., 693 F.3d 1317, 1324 (11th Cir. 2012). Because we assume, at the pleading stage, that Plaintiffs will prevail on the merits of their claims, the Court has little difficulty in concluding that Defendants' failure to secure Plaintiffs' data is sufficiently traceable to Plaintiffs' alleged injuries. See Attias, 865 F.3d at 629 (holding that plaintiffs satisfied the traceability requirement for Article III standing by alleging that defendants failed to secure their data and thereby subjected them to a substantial risk of identity theft).

c. Defendants' Factual Challenge Is Premature

In addition to their facial attack, Defendants challenge Plaintiffs' standing on factual grounds. Specifically, Defendants contend the following:

1) Of the twelve Plaintiffs alleging their PII is available on the dark web, there is no evidence that information belonging to nine of them actually has been listed. Mot. at 13.
2) Of the remaining three Plaintiffs, whose Social Security numbers and other PII Defendant Mednax confirmed to be on the dark web, Mednax conducted an exhaustive internal search of all locations where it would expect their Social Security numbers to be located but found no evidence that it possesses them. Id. at 14-15.
3) Of the three Plaintiffs whose information Mednax found on the dark web, there were discrepancies between the PII found on the dark web and that possessed by Defendants. Id. at 15.
4) A thorough investigation revealed that no PHI or PII compromised in the Data Breaches is available on the dark web. Id. at 15-16.

In support of these arguments, Defendants cite the findings of their experts: Austin Berglas, who “led a team of analysts that scoured the dark web to investigate the veracity of these Plaintiffs' allegations, ” id. at 13, and Kathleen O'Hara, who conducted an “exhaustive search of all locations where Mednax would expect Social Security numbers to be located, ” id. at 15. Because this is a factual challenge, the Court may consider these experts' declarations even though they are presented outside the pleadings. See McElmurray, 501 F.3d at 1251.

As to the discrepancies in Plaintiffs' PHI and PII between data found on the dark web and that found in Defendants' possession, as discussed supra Analysis I.b, even if the data accessed in the Data Breaches did not provide all that was necessary to carry out Plaintiffs' documented incidents of misuse of their information, they conceivably could have been enough to aid therein.

And “[e]ven a showing that a plaintiff's injury is indirectly caused by a defendant's actions satisfies the fairly traceable requirement” of standing. Resnick, 693 F.3d at 1324.

As to Defendants' other arguments, without the aid of discovery, the Court is not prepared to find that Plaintiffs' claims warrant dismissal for lack of standing. The Supreme Court has explained, and the Eleventh Circuit recognizes, that “a plaintiff must offer more to support its standing at each successive stage of the litigation.” Tokyo Gwinnett, LLC v. Gwinnett Cnty., 940 F.3d 1254, 1266 (11th Cir. 2019) (citing Lujan, 504 U.S. at 561). “A more demanding approach is appropriate at the summary judgment stage, but it is not warranted before discovery at the motion to dismiss stage.” Id. Thus, in a factual challenge, the Court ordinarily must give plaintiffs an opportunity for discovery and for an appropriate hearing. McElmurray, 501 F.3d at 1251 (citing Williamson v. Tucker, 645 F.2d 404, 414 (5th Cir. 1981)). Particularly, “[w]hen an attack on jurisdiction implicates the merits of [p]laintiffs' cause of action, the Court should find that jurisdiction exists, and deal with the objection as a direct attack on the merits of the case under Rule 12(b)(6) and Rule 56.” Houston v. 7-Eleven, Inc., No. 13-1845, 2013 WL 6133834, at *4 (M.D. Fla. Nov. 21, 2013) (citing Lawrence, 919 F.2d at 1529-30; Morrison v. Amway Corp., 323 F.3d 920, 925 (11th Cir. 2003)).

In the data breach context, the Court finds In re Blackbaud, Inc., Customer Data Breach Litigation persuasive on this point. No. 20-02972, 2021 WL 2718439 (D.S.C. July 1, 2021). In that case, defendant argued that there was no causal connection between plaintiffs' injuries and defendant's actions because an expert report concluded there was “‘no evidence' that [p]laintiffs' PII was on the dark web or being marketed for sale.” Id. at *7. The court noted that causation was an essential element of several of plaintiffs' claims-including some of the same claims alleged here. Id. Because plaintiffs would have to prove that defendant caused their injuries to prevail on their substantive claims, the court found that the “facts necessary to prove jurisdiction overlap with facts necessary to prove the merits of the case such that [defendant's] motion is, essentially, an indirect attack on [p]laintiffs' alleged factual merits.” Id. at *8 (cleaned up). The court thus concluded that it could not consider defendant's factual attack at the motion to dismiss stage. Id.

Here, too, Defendants' contentions are indirect, if not direct, attacks on the merits of Plaintiffs' case. As such, those questions must be resolved at the summary judgment stage after both parties have had an opportunity to develop the record through discovery. See MSP Recovery LLC v. Progressive Select Ins. Co., No. 15-20616, 2015 WL 10457208, at *2 (S.D. Fla. May 18, 2015) (Moreno, J.) (“At the motion to dismiss stage, the Court finds it inappropriate to resolve this factual dispute. . . . In so ruling, the Court finds that it is prudent to address the standing issue at the summary judgment stage, where the Court may consider the entire factual record that the parties have developed during the course of discovery.”); Flexiteek Ams., Inc. v. PlasTEAK, Inc., No. 08-60996, 2009 WL 890613, at *1 (S.D. Fla. Apr. 1, 2009) (denying without prejudice defendants' motion to dismiss for lack of standing because the motion raised a factual dispute, such that it would be “prudent to address the standing issue at the summary judgment stage where the Court [could] consider the entire factual record” developed during discovery).

In support of their factual challenge, Defendants cite two cases that are inapposite here. Reply at 3 (citing Oleary v. HCA Healthcare, Inc., No. 19-80647, 2020 WL 597361, at *2-3 (S.D. Fla. Feb. 4, 2020); Eldridge v. Pet Supermarket, Inc., 446 F.Supp.3d 1063, 1072 (S.D. Fla. 2020)). In Oleary, defendants' factual challenge revealed that plaintiff had suffered no injury at all. 2020 WL 597361, at *3. And in Eldridge, plaintiff alleged no facts providing any possible link between defendant's actions and his injuries that could be elucidated in discovery. 446 F.Supp.3d at 1072.

Here, by contrast, Plaintiffs sufficiently allege injuries in fact-as discussed supra Analysis I.a-of the kind that are to be expected following a data breach. And, despite Defendants' declarations, several Plaintiffs allege that they were required to provide their Social Security numbers for their children to be treated by Defendants. Am. Compl. ¶¶ 38, 74, 97, 122, 202. Plaintiffs also provide a declaration of their own expert, Christopher Brinkworth, that contradicts some of Defendants' findings and thereby creates a factual dispute. Resp. at 21. Thus, in this case, it is clear that whether and to what extent Plaintiffs' injuries were caused by the Data Breaches must be left to the summary judgment stage after both parties are afforded the opportunity to conduct discovery.

Accordingly, all named Plaintiffs have established Article III standing, and Defendants' Motion to Dismiss for lack of subject matter jurisdiction is DENIED.

II. Analysis of Plaintiffs' Claims

a. Plaintiffs' Amended Complaint Is a Shotgun Pleading

Complaints that violate Rule 8(a)(2) or 10(b), or both, are “often disparagingly referred to as ‘shotgun pleadings.'” Weiland v. Palm Beach Cnty. Sheriff's Off., 792 F.3d 1313, 1320 (11th Cir. 2015). The “unifying characteristic” of shotgun pleadings is a failure “to give the defendants adequate notice of the claims against them and the grounds upon which each claim rests.” Id. at 1323. Shotgun pleadings “‘are flatly forbidden by the spirit, if not the letter, of' the Federal Rules of Civil Procedure, ” Hale v. Wells Fargo Bank, No. 21-80309, 2021 WL 767664, at *2 (S.D. Fla. Feb. 26, 2021) (quoting Barmapov v. Amuial, 986 F.3d 1321, 1321 (11th Cir. 2021)), because they “waste scarce judicial resources, inexorably broaden the scope of discovery, wreak havoc on appellate court dockets, and undermine the public's respect for the courts.” Barmapov, 986 F.3d at 1324. Consequently, district courts have inherent authority to dismiss shotgun complaints. Vibe Micro, Inc. v. Shabanets, 878 F.3d 1291, 1295 (11th Cir. 2018).

The Eleventh Circuit has identified four “sins” that characterize shotgun pleadings:

1) The “mortal sin” of “containing multiple counts where each count adopts the allegations of all preceding counts, causing each successive count to carry all that came before and the last count to be a combination of the entire complaint”;
2) “[T]he venial sin of being replete with conclusory, vague, and immaterial facts not obviously connected to any particular cause of action”;
3) “[T]he sin of not separating into a different count each cause of action or claim for relief”; and
4) “[T]he relatively rare sin of asserting multiple claims against multiple defendants without specifying which of the defendants are responsible for which acts or omissions, or which of the defendants the claim is brought against.”
Weiland, 792 F.3d at 1321-23. Defendants argue that Plaintiffs' Amended Complaint commits all four sins and therefore should be dismissed. Mot. at 22. The Court acknowledges that it certainly is not “virtually impossible to know which allegations of fact are intended to support which claim(s) for relief, ” Weiland 792 F.3d at 1325, and the Amended Complaint is a far cry from being “incomprehensible.” Jackson v. Bank of Am., N.A., 898 F.3d 1348, 1359 (11th Cir. 2018). But however relatively minor Plaintiffs' infractions may be, the Court must stick to its post amid the Eleventh Circuit's ongoing “salvo of criticism aimed at shotgun pleadings.” Weiland, 792 F.3d at 1321.

The Amended Complaint commits the first sin because it “adopts the allegations of all preceding counts, causing each successive count to carry all that came before.” Weiland, 792 F.3d at 1321. Every count “repeat[s] and reallege[s]” all preceding allegations. Am. Compl. ¶¶ 445, 457, 472, 487, 498, 508, 518, 529, 541, 551, 563, 571, 583, 602, 619, 634, 643, 652, 663, 672, 678, 682. This is forbidden. The Eleventh Circuit has relieved its district courts of having to divine which cumulatively incorporated factual allegations and legal conclusions are relevant to a given count. Weiland, 792 F.3d at 1321 n.11 (collecting cases). Plaintiffs must specifically articulate which facts and law go with which counts.

Defendants also contend that Plaintiffs' Amended Complaint is replete with vague, conclusory, or irrelevant allegations; that Plaintiffs lump together causes of action that are governed by the laws of different states; and that the Amended Complaint asserts multiple claims against Defendants without specifying which Defendant is responsible for which acts or omissions or which Defendant the claim is brought against. Mot. at 22-23. As to the second sin, the Court finds that the “macro-level studies and decade-old discussions” that “litter” the Amended Complaint, id. at 23, are perhaps inartful and do precious little to advance the ball in this litigation. But they do not rise to the level of “being replete with conclusory, vague, and immaterial facts” prohibited by the Eleventh Circuit. Weiland, 792 F.3d at 1322.

As to the third sin, the Court finds that Count XXII (negligent supervision and training) impermissibly lumps together two separate causes of action-negligent supervision and negligent training. See Desue, 2022 WL 796367, at *7 (citing Reed v. Royal Caribbean Cruises, Ltd., No. 19-24668, 2021 WL 2592914, at *8 (S.D. Fla. Apr. 23, 2021)). Ordinarily, the Court would require Plaintiffs to separate these two causes of action. But as discussed infra Analysis II.k, Plaintiffs allege no facts to support a finding of either negligent supervision or negligent training, so Count XXII is dismissed with prejudice and the point is moot.

As to the fourth sin, the Court agrees with Defendants that Plaintiffs' claims under Count XVIII (breach of implied contract) do not provide them with fair notice. Fair notice requires a plaintiff to plead “a short and plain statement of the claim showing the pleader is entitled to relief.” Fed.R.Civ.P. 8(a). “The point is to ‘give the defendant fair notice of what the claim is and the grounds upon which it rests.'” Twombly, 550 U.S. at 555. The complaint's “factual allegations must be enough to raise a right to relief above the speculative level.” Id.

Defendants correctly assert that they are denied fair notice because Count XVIII is not directed at any specific party. Mot. at 37. Plaintiffs allege summarily that they “entered into an implied contract with each Defendant, ” but they fail to identify which Plaintiffs purportedly entered into an implied contract with which Defendants, nor do they explain how they could have entered into an implied contract with more than one Defendant. See Am. Compl. ¶ 658. Therefore, Plaintiffs improperly engage in group pleading by not specifically indicating how each Defendant allegedly entered and subsequently breached a contract with each Plaintiff.

b. Plaintiffs Fail to State a Claim for Breach of the Covenant of Good Faith and Fair Dealing (Count I)

Defendants raise several arguments that Plaintiffs do not state a claim for breach of the covenant of good faith and fair dealing. Mot. at 24-26. Defendants primarily contend that Plaintiffs do not sufficiently allege the existence of a contract. Id. at 25. The Court will address this particular question infra Analysis II.g regarding Count XVIII for breach of an implied contract.

But the Court need not reach the question here, because the law of the states governing Plaintiffs' contract-based claims precludes an independent claim for breach of the covenant of good faith and fair dealing in the context of this case. Under Florida law,

Plaintiffs do not articulate whether their claim for breach of the covenant of good faith and fair dealing sounds in contract or tort. Because tort-based claims for breach of the covenant of good faith and fair dealing are generally treated more critically than those based in contract, the Court infers that Plaintiffs intend to plead this count under contract law. See, e.g., Jones v. Fulton Bank, N.A., 565 Fed.Appx. 251, 253 (4th Cir. 2014); Wang v. Bank of Am., No. 13-2711, 2014 WL 2883501, at *4 (N.D.Ga. June 24, 2014); Factory Direct Tires Inc. v. Cooper Tire & Rubber Co., No. 11-255, 2011 WL 13117118, at *6 (N.D. Fla. Oct. 24, 2011).

[a] breach of the implied covenant of good faith and fair dealing is not an independent cause of action, but attaches to the performance of a specific contractual obligation....[A] claim for the breach of the implied covenant of good faith and fair dealing cannot be maintained under Florida law in the absence of a breach of an express term of a contract.
Centurion Air Cargo, Inc. v. United Parcel Serv. Co., 410 F.3d 1146, 1151-52 (11th Cir. 2005). “North Carolina law recognizes a separate claim for breach of an implied covenant of good faith and fair dealing only in limited circumstances involving special relationships between the parties, such as cases involving contracts for funeral services and insurance.” First Protective Ins. Co. v. Rike, 516 F.Supp.3d 513, 532 (E.D. N.C. 2021) (cleaned up). Under South Carolina law, “[t]he implied covenant of good faith and fair dealing is not an independent cause of action separate from the claim for breach of contract....[A] claim for breach of the implied covenant of good faith and fair dealing is, essentially, subsumed by a breach of contract claim.” Synovus Bank v. Stevens Law Firm, No. 19-01411, 2020 WL 12788154, at *7 (D.S.C. July 20, 2020) (cleaned up) (“This court concludes that while it must dispose of an independent cause of action based on a breach of the implied covenant of good faith and fair dealing, a party is not precluded from relying on such a theory in support of a breach of contract action.”). “[T]here is no independent cause of action for breach of the implied covenant of good faith and fair dealing in Maryland.” Daniyan v. Viridian Energy LLC, No. 14-2715, 2015 WL 4031752, at *4 (D. Md. June 30, 2015). And under Virginia law, “[a] breach of the implied covenant of good faith and fair dealing must be raised in a claim for breach of contract.” Stoney Glen, LLC v. S. Bank & Trust Co., 944 F.Supp.2d 460, 465-66 (E.D. Va. 2013) (“Plaintiffs bring their breach of an implied duty of good faith and fair dealing claim as part of their count for breach of contract. Accordingly, Plaintiffs have raised the claim in the right context ....”).

Plaintiffs plead both breach of the covenant of good faith and fair dealing and breach of an implied contract as separate causes of action. Am. Compl. ¶¶ 445-56, 652-62. Plaintiffs do not identify any express term of their contract that Defendants allegedly breached. See id. And Plaintiffs allege no special relationship between themselves and Defendants. Id. ¶ 455. Accordingly, Defendants' Motion as to Count I is GRANTED. Because Count XVIII for breach of an implied contract is dismissed with prejudice for the reasons stated infra Analysis II.g, Count I is also DISMISSED with prejudice.

c. Plaintiff Cohen Fails to State a Claim under the Maryland Personal Information Protection Act (Count II)

Plaintiffs allege that Defendants Mednax and American Anesthesiology violated the Maryland Personal Information Protection Act (“MPIPA”) (Count II), which requires businesses to implement and maintain reasonable security practices and procedures based on the personal information they collect. In re Marriott, 440 F.Supp.3d at 487. Defendants argue that Plaintiff Cohen's attempt to bring a claim under the MPIPA fails because the statute does not provide for a private right of action. Mot. at 27. The Court agrees with Defendants.

Under Maryland law, the “primary focus in determining whether there is an implied private right of action under a given statute is on the legislative intent.” IVTx, Inc. v. United Healthcare of Mid-Atl., Inc., 112 F.Supp.2d 445, 447 (D. Md. 2000). In the MPIPA, the legislature expressed no intention to create a direct private right of action for violation of its terms but rather stated that a violation constitutes “an unfair or deceptive trade practice” that “[i]s subject to the enforcement and penalty provisions” of the Maryland Consumer Protection Act (“MCPA”). Md. Comm. Law § 14-3508. Plaintiffs cite no case law holding otherwise. See Resp. at 30. Accordingly, Defendants' Motion as to Count II is GRANTED. Count II is DISMISSED without prejudice to Plaintiff Cohen to allege an unfair or deceptive trade practice under the MPIPA as part of her claim under the MCPA.

d. Most Plaintiffs Fail to State Claims under State Consumer Protection Statutes (Counts III-IV, VI-XVI)

Defendants raise a host of arguments as to why Plaintiffs fail to state a claim under each of the state consumer protection statutes invoked by the Amended Complaint. The Court addresses each argument in turn.

1. Damages (All Counts)

Defendants state generally that Plaintiffs have not plausibly alleged damages caused by any unfair trade practices. Mot. at 27-28. But the Court has found otherwise. As discussed supra Analysis I.a, Plaintiffs' alleged injuries constitute injuries in fact sufficient to satisfy claims for damages, and no further discussion of damages is warranted.

Plaintiffs' claim under the Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”) requires further analysis, which the Court provides infra Analysis II.d.3.

2. Extraterritorial Application (Counts VIII and XI)

Plaintiffs assert that Defendants violated FDUTPA, which prohibits “[u]nfair methods of competition, unconscionable acts or practices, and unfair or deceptive acts or practices in the conduct of any trade or commerce.” Fla. Stat. § 501.204(1). Plaintiffs also claim Defendant American Anesthesiology violated New York General Business Law section 349 (“NYGBL”), which prohibits “[d]eceptive acts or practices in the conduct of any business, trade[, ] or commerce or in the furnishing of any service in [New York].” N.Y. Gen. Bus. Law § 349(a). Defendants argue that Plaintiffs' claims under FDUTPA (Count VIII) and the NYGBL (Count XI) fail because those statutes do not apply extraterritorially. Mot. at 28.

As to FDUTPA, Defendants point out that no Plaintiff hails from Florida or claims to have received medical care in Florida. Id. Be that as it may, “all of the federal courts in the Southern District of Florida that have considered this issue have . . . held that ‘FDUTPA applies to nonFlorida residents if the offending conduct took place predominantly or entirely in Florida.'” Felice v. Invicta Watch Co. of Am., Inc., No. 16-62772, 2017 WL 3336715, at *2-3 (S.D. Fla. Aug. 4, 2017) (quoting Karhu v. Vital Pharm., Inc., No. 13-60768, 2013 WL 4047016, at *10 (S.D. Fla. Aug. 9, 2013)). And as discussed supra Legal Standard III.a, under Florida law, the Data Breaches are deemed to have occurred in Florida.

As to the NYGBL, “an out-of-state victim possesses standing to sue under Section 349 so long as some part of the underlying transaction occurred in New York State.” Wright v. Publishers Clearing House, Inc., 439 F.Supp.3d 102, 110 (E.D.N.Y. 2020) (citations omitted). Defendant American Anesthesiology is headquartered in New York, so to the extent it was responsible for overseeing or contributing to the protocols for properly safeguarding Plaintiffs' and putative Class Members' PHI and PII, it did so in New York.

3. Damages under Florida Law (Count VIII)

FDUTPA allows recovery of only direct damages for the “diminished value of the goods or services.” In re Brinker Data Incident Litig., No. 18-686, 2020 WL 691848, at *13 (M.D. Fla. Jan. 27, 2020); see also Rollins, Inc. v. Heller, 454 So.2d 580, 585 (Fla. 3d DCA 1984). Defendants argue that Plaintiffs' FDUTPA claim (Count VIII) fails because Plaintiffs do not allege any such diminution in value of the goods and services they received from Defendants. Mot. at 29. Plaintiffs counter that their claims as to the diminished value of their PHI and PII are sufficient to meet this standard. Resp. at 32.

A consumer claim for damages under FDUTPA has three elements: (1) an objectively deceptive act or unfair practice; (2) causation; and (3) actual damages. Carriuolo v. Gen. Motors Co., 823 F.3d 977, 983 (11th Cir. 2016) (citing City First Mortg. Corp. v. Barton, 988 So.2d 82, 86 (Fla. 4th DCA 2008)). Florida courts consider actual damages, in the FDUTPA context, to be a “term of art.” Casa Dimitri Corp. v. Invicta Watch Co. of Am., 270 F.Supp.3d 1340, 1352 (S.D. Fla. 2017). Generally, actual damages constitute “the difference in the market value of the product or service in the condition in which it was delivered and its market value in the condition in which it should have been delivered according to the contract of the parties.” Rollins, Inc. v. Butland, 951 So.2d 860, 869 (Fla. 2d DCA 2006) (quoting Heller, 454 So.2d at 585) (describing this measurement as being “well-defined in the case law”). “[FDUTPA] entitles a consumer to recover damages attributable to the diminished value of the goods or services received, but does not authorize recovery of consequential damages to other property attributable to the consumer's use of such goods or services.” Fort Lauderdale Lincoln Mercury, Inc. v. Corgnati, 715 So.2d 311, 314 (Fla. 4th DCA 1998) (quoting Urling v. Helms Exterminators, Inc., 468 So.2d 451, 454 (Fla. 1st DCA 1985)).

Plaintiffs ultimately fail to sufficiently allege damages attributable to the diminished value of the healthcare services they received from Defendants. As discussed supra Analysis I.a, the damages alleged in the Amended Complaint-including the diminution in value of PHI and PII as reiterated in Plaintiffs' Response, as well as future risk of identity theft and emotional distress- are sufficient to plead injuries in fact under Article III. However, in the FDUTPA context, they amount to “merely ‘other property' that was damaged as a result of” the use of Defendants' healthcare services. In re Brinker, 2020 WL 691848, at *13 (quoting Corgnati, 715 So.2d at 314).

In other words, they are consequential damages insufficient to state a claim under FDUTPA. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 994 (S.D. Cal. 2014) (“[T]o the extent Plaintiffs are alleging an entitlement ‘to the value of their Personal Information,' but have not alleged a monetary loss relating to the disclosure of their Personal Information, these allegations fail under [FDUTPA].”).

4. Heightened Pleading Requirements and Reliance (Counts III-IV, VIX, XII, and XIV-XVI)

According to Defendants, Counts III, IV, VI, VII, VIII, IX, X, XII, XIV, XV, and XVI must be dismissed because Plaintiffs fail to meet the heightened pleading requirements of Rule 9(b). Mot. at 29-30. Each of the state consumer protection statutes underlying these claims requires Plaintiffs to meet the Rule 9(b) standard, at least to the extent that their claims are based on alleged misrepresentations or omissions. Id. Defendants further argue that Counts III, IV, VI, VII, X, XIV, and XV must be dismissed because Plaintiffs do not allege facts showing actual reliance on Defendants' alleged misrepresentations or omissions as required by the statutes underlying these claims. Id. at 30-31. Because these issues are intertwined, the Court addresses them together.

See Davidson v. Kimberly-Clark Corp., 889 F.3d 956, 964 (9th Cir. 2018) (California Unfair Competition Law and California Consumer Legal Remedies Act); Barr v. Flagstar Bank, FSB, 303 F.Supp.3d 400, 416 (D. Md. 2018) (MCPA); BHR Recovery Cmtys., Inc. v. Top Seek, LLC, 355 F.Supp.3d 416, 424 (E.D. Va. 2018) (Virginia Consumer Protection Act); Packrite, LLC v. Graphic Packaging Int'l, Inc., No. 17-1019, 2018 WL 4112827, at *7 (M.D. N.C. Aug. 29, 2018) (North Carolina Unfair and Deceptive Trade Practices Act); In re Banner Health Data Breach Litig., No. 16-02696, 2017 WL 6763548, at *6 (D. Ariz. Dec. 20, 2017) (Arizona Consumer Fraud Act); Parrish v. Bank, No. 15-0913, 2016 WL 3906814, at *2 (W.D. Okla. July 14, 2016) (Oklahoma Consumer Protection Act); Budach v. NIBCO, Inc., No. 14-04324, 2015 WL 3853298, at *6 (W.D. Mo. June 22, 2015) (Missouri Merchandising Practices Act); Blair v. Wachovia Mortg. Corp., No. 11-566, 2012 WL 868878, at *3 (M.D. Fla. Mar. 14, 2012) (FDUTPA); Goodman v. HTC Am., Inc., No. 11-1793, 2012 WL 2412070, at *16 (W.D. Wash. June 26, 2012) (Washington Consumer Protection Act); Berry v. Indianapolis Life Ins. Co., 608 F.Supp.2d 785, 800 (N.D. Tex. 2009) (Texas Deceptive Trade Practices Act).

See Barr, 303 F.Supp.3d at 416 (MCPA); Dimas v. JPMorgan Chase Bank, N.A., No. 17-05205, 2018 WL 809508, at *9 (N.D. Cal. Feb. 9, 2018) (California Unfair Competition Law); BHR Recovery, 355 F.Supp.3d at 424 (Virginia Consumer Protection Act); Schellenbach v. GoDaddy.com, LLC, 321 F.R.D. 613, 624 (D. Ariz. 2017) (Arizona Consumer Fraud Act); Coleman-Anacleto v. Samsung Elecs. Am., Inc., No. 16-02941, 2016 WL 4729302, at *10 (N.D. Cal. Sept. 12, 2016); Bumpers v. Cmty. Bank of N. Va., 747 S.E.2d 220, 226 (N.C. 2013) (North Carolina Unfair and Deceptive Trade Practices Act); Penn-Am. Ins. Co. v. Zertuche, 770 F.Supp.2d 832, 840 (W.D. Tex. 2011) (Texas Deceptive Trade Practices Act).

“Rule 9(b) requires the Plaintiffs to allege ‘the time, place, and contents of the false representations, as well as the identity of the person making the misrepresentation and what he obtained thereby.'” In re Marriott, 440 F.Supp.3d at 489 (quoting Harrison v. WestinghouseSavannah River Co., 176 F.3d 776, 784 (4th Cir. 1999)). “But where a claim of fraud is based on an omission, meeting Rule 9(b)'s particularity requirement takes a different form.” Id. (citing Lombel v. Flagstar Bank F.S.B., No. 13-704, 2013 WL 5604543, at *6 (D. Md. Oct. 11, 2013); Willis v. Bank of Am. Corp., No. 13-02615, 2014 WL 3829520, at *8 (D. Md. Aug. 1, 2014) (“Rule 9(b) is less strictly applied with respect to claims of fraud by concealment or omission of material facts, as opposed to affirmative misrepresentations, because an omission cannot be described in terms of the time, place, and contents of the misrepresentation or the identity of the person making the misrepresentation.”) (cleaned up)). In Maryland, for example, “[a] consumer relies on a material omission . . . where it is substantially likely that the consumer would not have made the choice in question had the commercial entity disclosed the omitted information.” Id. (quoting Willis, 2014 WL 3829520, at *22) (cleaned up).

Regrettably, Plaintiffs do not raise this distinction in their Response.

Here, the Amended Complaint provides particularized allegations that Defendants engaged in unfair and deceptive trade practices for a number of reasons, including failing to state a material fact (e.g., that their privacy safeguards were inadequate), e.g., Am. Compl. ¶ 479; concealment and suppression regarding representations made in Defendants' privacy notice, e.g., id.; omitting and suppressing that they did not reasonably or adequately secure Plaintiffs' and putative Class Members' PHI and PII, e.g., id. ¶ 479; and omitting and suppressing their noncompliance with their common-law and statutory duties to protect Plaintiffs' and putative Class Members' PHI/PII privacy risks, e.g., id. As to reliance, Plaintiffs plead that they relied on Defendants' claims and that they would have sought medical treatment from a different provider had they known about Defendants' inadequate security practices. Id. ¶¶ 37, 57, 76, 99, 124, 149, 173, 187, 212. Accordingly, Plaintiffs' Amended Complaint meets the particularity requirements of Rule 9(b) and sufficiently alleges reliance on Defendants' material omissions.

5. Alleged Omissions (Counts VI, IX, XIV, and XV)

For claims based on alleged omissions under the consumer protection statutes of California, Missouri, Texas, and Virginia, plaintiffs must allege that defendants failed to disclose information that defendants knew-or, under Missouri law, should have known-at the time of the relevant transactions. Here, Defendants argue that Counts VI, IX, XIV, and XV must be dismissed because Plaintiffs Rumely, A.W., Soto, and Nielsen do not allege when they received healthcare services from physicians affiliated with Defendants or that Defendants knew or should have known about any alleged data security flaws when Plaintiffs received healthcare services. Mot. at 31-32. The Court agrees with Defendants.

See In re Nexus 6P Prod. Liab. Litig., 293 F.Supp.3d 888, 927 (N.D. Cal. 2018) (California Unfair Competition Law); Allen v. FCA U.S. LLC, No. 17-00007, 2017 WL 1957068, at *2-3 (W.D. Va. May 10, 2017) (Virginia Consumer Protection Act); Wright v. Bath & Body Works Direct, Inc., No. 12-00099, 2012 WL 12088132, at *2 (W.D. Mo. Oct. 17, 2012) (Missouri Merchandising Practices Act); Willowbrook Foods, Inc. v. Grinnell Corp., 147 S.W.3d 492, 506-07 (Tex. App. 2004) (Texas Deceptive Trade Practices Act).

Plaintiffs' arguments to the contrary are unavailing. First, they contend that Defendants disseminated their privacy notice before providing services to Plaintiffs and thereby acknowledged their duties to protect Plaintiffs' and putative Class Members' PHI and PII. Resp. at 34-35. Acknowledgment of a duty does not equate to awareness of inability to perform it-much less to material omission. Second, Plaintiffs point to studies showing an increase in healthcare-related cyberattacks as of 2014 as evidence that “Defendants were on notice” of their inadequate data security. Id. at 35. But they fail to articulate why reports of cyberattacks in general would have revealed deficiencies in Defendants' security measures in particular. Thus, Plaintiffs fail to allege that Defendants omitted information they knew or should have known about flaws in their data security protocols.

6. Relation to the Sale of Merchandise under Missouri Law (Count IX)

Plaintiffs allege that Defendant Mednax violated the Missouri Merchandising Practices Act (“MMPA”) (Count IX), which provides a private right of action to any person who sustains ascertainable loss in connection with the purchase or lease of merchandise as a result of certain practices declared unlawful. Mo. Rev. Stat. § 407.025(1). Defendants ask the Court to dismiss Count IX because Plaintiffs allege no unlawful act in relation to any “merchandise” Plaintiffs purchased from Defendant Mednax. Mot. at 32.

The Court finds Kuhns v. Scottrade, Inc.-another case arising from a data breach-highly instructive on this point. 868 F.3d 711, 719 (8th Cir. 2017) (“[T]he alleged unlawful act must occur in relation to a sale of merchandise, and an ascertainable pecuniary loss must occur in relation to the plaintiff's purchase or lease of that merchandise.”) The Kuhns court found that although “intangible services may qualify as merchandise” for purposes of the MMPA, defendant sold brokerage services and not data security services and thus was not liable under the statute. 868 F.3d at 719. Likewise, Defendant Mednax sold healthcare services and not data security services. Any data security it provided to Plaintiffs was merely incidental-not in relation-to what it actually sold them. Thus, Plaintiff A.W. does not plausibly allege how any acts regarding the security of her information occurred in relation to the sale of merchandise under the MMPA.

Plaintiffs' attempt to distinguish this case from Kuhns is of no moment. Plaintiffs argue that “the subject of the consumer transaction between the parties is Plaintiffs' and Class Members' PHI.” Resp. at 35. The Court infers that patients who seek medical care do so for the sake of their personal health-not for the sake of information about their personal health.

7. Duty to Disclose (Counts III and X)

Plaintiffs assert that Defendants Mednax and American Anesthesiology violated the MCPA (Count III) and that Defendant Mednax violated the North Carolina Unfair and Deceptive Trade Practices Act (“NCUDTPA”) (Count X). Under both statutes, plaintiffs must show that defendants owed a duty to disclose before defendants can be held liable for alleged omissions.

See City of High Point v. Suez Treatment Sols. Inc., 485 F.Supp.3d 608, 635-36 (M.D. N.C. 2020) (NCUDTPA); Ademiluyi v. PennyMac Mortg. Inv. Trust Holdings I, LLC, 929 F.Supp.2d 502, 531 (D. Md. 2014) (MCPA).

A plaintiff alleging a duty to disclose under the MCPA

must prove that the defendant took affirmative action to conceal the cause of action and that the plaintiff could not have discovered the cause of action despite the exercise of reasonable diligence, and that, in such cases, the affirmative act on the part of the defendant must be more than mere silence; there must be some act intended to exclude suspicion and prevent injury, or there must be a duty on the part of the defendant to disclose such facts, if known.
Ademiluyi, 929 F.Supp.2d at 531 (quoting Frederick Road Ltd. P'ship v. Brown & Sturm, 756 A.2d 963, 976 n.14 (Md. 2000)). Similarly, under the NCUDTPA, a duty to disclose arises where “a party has taken affirmative steps to conceal material facts from the other; or . . . one party has knowledge of a latent defect in the subject matter of the negotiations about which the other party is both ignorant and unable to discover through reasonable diligence.” Suez Treatment Sols., 485 F.Supp.3d at 636 (cleaned up).

Here, Plaintiffs plead that Defendants' duty to disclose arose from their possession of exclusive knowledge regarding their data security, active concealment of the state of their security, and incomplete representations about the security and integrity of their computer and data systems. Am. Compl. ¶¶ 483, 556. They further claim that Defendants purposefully withheld material facts from Plaintiffs and putative Class Members. Id. These allegations are sufficient to state a claim under the MCPA and NCUDTPA.

8. Equitable Claims under California Law (Counts VI and VII)

Plaintiff Rumely brings claims under California's Unfair Competition Law (“UCL”) (Count VI) and Consumer Legal Remedies Act (“CLRA”) (Count VII), which are equitable in nature; therefore, Plaintiff Rumely must allege that he lacks an adequate remedy at law. See Sonner v. Premier Nutrition Corp., 971 F.3d 834, 839 n.2, 844 (9th Cir. 2020); In re Cal. Gasoline SpotMkt. Antitrust Litig., No. 20-03131, 2021 WL 1176645, at *7-8 (N.D. Cal. Mar. 29, 2021). The CLRA also requires that plaintiffs provide at least 30 days' notice to the alleged wrongdoer before filing an action for damages. Cal. Civ. Code § 1782(a); Allen v. Similasan Corp., No. 120376, 2013 WL 5436648, at *3 (S.D. Cal. Sept. 27, 2013).

Defendants contend, and Plaintiffs do not deny, that Plaintiff Rumely fails to allege either that there is no adequate legal remedy for his alleged injuries or that he complied with the pre-suit notice required by the CLRA. Mot. at 33; see Resp. at 36-37. Therefore, Plaintiff Rumely's claims under the UCL and CLRA must be dismissed.

9. Federally Regulated Actions under Oklahoma Law (Count XII)

Plaintiffs claim that Defendant Mednax violated the Oklahoma Consumer Protection Act (“OCPA”) (Count XII), which protects consumers from certain business practices declared to be unlawful. Okla. Stat. tit. 15, §§ 751 et seq. The OCPA includes a safe harbor provision exempting from its application “[a]ctions or transactions regulated under laws administered by” a “regulatory body or officer acting under statutory authority of this state or the United States.” Id. § 754(2). Plaintiffs allege that Defendant Mednax failed to comply with duties imposed by the FTC Act, HIPAA, and HITECH. Am. Compl. ¶¶ 449, 479, 490, 511, 512, 545, 587, 607, 624, 637. Defendants argue that Count XII must be dismissed because Defendant Mednax's actions in safeguarding Plaintiffs Bean's and Baum's PHI and PII are federally regulated under these statutes. Mot. at 33; Reply at 21.

Plaintiffs do not dispute that a healthcare provider's actions taken to safeguard its patients' PHI and PII are federally regulated. Instead, they offer up two arguments to get around the OCPA's safe harbor provision: 1) the FTC Act, HIPAA, and HITECH do not provide for private rights of action available to Plaintiffs in lieu of an OCPA claim, and 2) HIPAA and HITECH do not govern deceptive misrepresentations by healthcare providers. Resp. at 37-38. These arguments miss the mark.

As to Plaintiffs' first argument, the relevant inquiry is not whether the law conferring relevant jurisdiction to a regulatory body provides for a right of action; it is whether the regulatory body acting pursuant to the law provides an administrative recourse for Plaintiffs to seek remedies. See Thomas v. Metro. Life Ins. Co., 540 F.Supp.2d 1212, 1228-29 (W.D. Okla. 2008) (holding that the safe harbor provision of the OCPA barred plaintiffs' claims because recourse was available under the “broad enforcement and regulatory powers provided to the Oklahoma Insurance Commissioner to regulate the kinds of acts alleged as wrongful”). So, while it is true that HIPAA provides no private right of action, it does provide for an individual to lodge a written complaint with the Secretary of Health and Human Services through the Office for Civil Rights, which has the discretion to investigate the complaint and impose civil sanctions. Brown v. Hill, 174 F.Supp.3d 66, 71 (D.D.C. 2016); see also Royce v. Veterans Affairs Reg'l Office, No. 08-1993, 2009 WL 1904332, at *6 (D. Col. July 1, 2009) (noting that “HIPAA expressly provides the penalties for improper disclosures of medical information and limits enforcement to the Secretary of HHS” (citation and footnote omitted)).

As to Plaintiffs' second argument, the relevant inquiry is not whether federal law governs deceptive misrepresentations by healthcare providers; it is whether the actions or transactions underlying those misrepresentations are regulated under laws administered by a federal agency. See Williams v. CSC Credit Servs., Inc., No. 07-0255, 2007 WL 1959219, at *3 (N.D. Okla. June 29, 2007) (“The underlying ‘action or transaction,' [defendant's] alleged error when reporting plaintiffs' credit, falls squarely within the scope of the FCRA, even to the extent that plaintiffs allege that [defendants'] conduct was malicious and willful.... Therefore, plaintiffs' claims are exempt from coverage under the OCPA, and plaintiffs can not pursue relief under the OCPA as part of this case.”). The actions underlying Plaintiffs Bean's and Baum's claims are those taken by Defendant Mednax in the course of safeguarding or failing to safeguard their personal information-actions that fall squarely within the scope of HIPAA.

For these reasons, Count XII is preempted by the OCPA's safe harbor provision.

10. Class Actions under South Carolina Law (Count XIII)

Plaintiffs assert that Defendants Mednax and American Anesthesiology violated the South Carolina Unfair Trade Practices Act (Count XIII). Unfortunately for Plaintiffs, this statute “expressly prohibits the pursuit of class action claims.” Fejzulai v. Sam's W., Inc., 205 F.Supp.3d 723, 725 (D.S.C. 2016). So the class claims of Plaintiffs Lee and Clark must be dismissed.

11. Injury to Business or Property under Washington Law (Count XVI)

Plaintiffs claim that Defendant Mednax violated the Washington Consumer Protection Act (“WCPA”) (Count XVI), which provides for recovery for injury to “business or property.” Wash. Rev. Code § 19.86.090. Defendants argue that Plaintiff Jay's WCPA claim must be dismissed because she alleges no injury to business or property. Mot. at 33-34. But Plaintiff Jay's alleged injuries pertain to her personal information, including-as discussed supra Analysis I.a- diminution in its value within the marketplace of credit. Cf. Calhoun, 526 F.Supp.3d at 635; In re Marriott, 440 F.Supp.3d at 492 n.17. Accordingly, the Court finds that Plaintiff Jay plausibly alleges injury to property under the WCPA.

In their Reply, Defendants raise a new argument that the WCPA “requires that a plaintiff be injured in his or her business property”-as opposed to “business or property” as provided in the statute. Reply at 23. In support, Defendants rely on a previously uncited case where the disjunctive or is missing from a single clause within the order owing to an obvious scrivener's error. See Pickard v. Sears, Inc., No. 050674, 2007 WL 445983, at *1 (W.D. Wash. Feb. 7, 2007). While the Court assumes this is a good-faith effort to spin the law in Defendants' favor, rather than a blatant attempt to mislead the Court, the Court nonetheless encourages the parties to exercise a level of care necessary to avoid such mistakes in the future.

12. Summary of State Consumer Statute Counts

For the foregoing reasons, Defendants' Motion is GRANTED as to Counts VI, VII, VIII, IX, XII, XIII, XIV, and XV and DENIED as to Counts III, IV, X, XI, and XVI. Counts VIII, IX, XIV, and XV are DISMISSED without prejudice and with leave to amend. Counts VI, VII, XII and XIII are DISMISSED with prejudice.

e. Plaintiff Rumely States a Claim under the California Confidentiality of Medical Information Act (Count XVII)

Plaintiffs claim that Defendant Mednax violated the California Confidentiality of Medical Information Act (“CMIA”) (Count XVII), which creates a private right of action against a healthcare provider that releases a patient's medical information without the patient's authorization. Cal. Code Civ. §§ 56.10, et seq. Defendants argue that Count XVII fails because Plaintiff Rumely does not plausibly allege that his “medical records” were viewed by an unauthorized individual. Mot. at 34 (citing Regents of the Univ. of Cal. v. Super. Ct. of L.A. Cnty, 163 Cal.Rptr.3d 205, 221 (Cal.Ct.App. 2013)). Unfortunately for Defendants, the term medical records does not appear anywhere in the statute. Instead, the CMIA covers “medical information, ” which it broadly defines to include PII as well as PHI:

[A]ny individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.
Cal. Civ. Code § 56.05(i) (emphasis added).

As a threshold matter, a plaintiff bringing a CMIA claim must plausibly allege that his or her medical information was actually viewed. Stasi v. Inmediata Health Grp. Corp., 501 F.Supp.3d 898, 923 (S.D. Cal. 2020). Plaintiff Rumely alleges that his “unencrypted personal information was viewed by unauthorized persons, as evidenced by the fact that [he] has experienced an uptick in phishing emails since the [Data Breaches].” Am. Compl. ¶ 650. This allegation is “sufficient to withstand a motion to dismiss.” In re Premera Blue Cross Customer Data Sec. Breach Litig., 198 F.Supp.3d 1183, 1202 (D. Or. 2016) (finding plausible an allegation that medical information was “actually viewed” when plaintiff “received a letter from [defendant] notifying her that her personal information may have been compromised” and that “she discovered on her credit report an inquiry for a car loan that she did not recognize and that her checking account was fraudulently accessed around the same time period”); see also In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., No. 19-2284, 2020 WL 2214152 (S.D. Cal. May 7, 2020) (finding plaintiffs' allegation that they “received a letter stating their medical information was exposed in a data breach” sufficiently plausible to withstand a motion to dismiss when “the only evidence that it had actually been viewed was an increase in medical-related spam emails and phone calls”). Accordingly, Defendants' Motion as to Count XVII is DENIED.

f. Plaintiff Rumely States a Claim under the California Customer Records Act (Count V)

Plaintiffs bring an action under the California Customer Records Act (“CRA”) (Count V), which requires businesses operating in California to maintain reasonable security practices to protect their customers from disclosure of personal information and to timely notify them of a data breach. Cal. Civ. Code §§ 1798.81-82. Defendant Mednax does not deny that it failed to provide disclosure of the Data Breaches “in the most expedient time possible and without unreasonable delay, ” as required by the statute. Id. § 1798.82(a); see Mot. at 35. Instead, it argues that Plaintiff Rumely fails to allege that he suffered any cognizable injury and that Defendant Mednax failed to “maintain reasonable security procedures and practices.” Cal. Civ. Code § 1798.81.5(b); Mot. at 35.

To allege a “cognizable injury” arising from delay, a plaintiff must allege “incremental harm suffered as a result of the alleged delay in notification, ” not merely the data breach itself. Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 16-00014, 2016 WL 6523428, at *7 (S.D. Cal. Nov. 3, 2016); see also In re Sony, 996 F.Supp.2d at 1010. Plaintiffs allege that Defendant Mednax waited nearly six months after discovering the Data Breaches to notify Plaintiff Rumely and putative Class Members. Am. Compl. ¶ 42. Once notified of the Data Breaches, Plaintiffs allege that Plaintiff Rumely enrolled himself and his children in an identity protection and monitoring service and investigated the validity of Defendant Mednax's disclosure. Id. ¶¶ 43, 55.

Defendants argue that Plaintiffs do not allege actual damages flowing from the months-long disclosure delay as required by the CRA. Mot. at 35. This is technically correct; Plaintiffs allege injury from the data breach itself but do not explicitly allege that the delay prevented Plaintiff Rumely from taking the necessary steps to protect his family's PHI and PII at an earlier time. See generally Am. Compl. But courts applying the CRA have inferred from plaintiffs' postdisclosure remedial actions-coupled with allegations of harm by the data breach-that timely disclosure would have prompted a swifter response and that the delay caused the type of cognizable injury-i.e., ongoing compromise of unprotected data-required by the statute. See, e.g., In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-02752, 2017 WL 3727318, at *41 (N.D. Cal. Aug. 30, 2017) (“A reasonable inference from these allegations is that if Plaintiffs had been aware of the Data Breaches a year to two years earlier, Plaintiffs could have taken earlier measures to mitigate the harms that they suffered from the Data Breaches.”). The Court agrees that this inference is reasonable and holds that Plaintiff Rumely sufficiently alleges harm caused by the delay in disclosure.

Defendants further contend that Plaintiffs provide “only conclusory allegations regarding any supposed insufficiencies” rather than facts demonstrating that Defendants failed to maintain reasonable cybersecurity practices as required by the CRA. Mot. at 35. The Court disagrees. Plaintiffs allege that their PHI and PII were maintained and/or exchanged in unencrypted email accounts, in violation of industry best practice. See Am. Compl. ¶¶ 375, 378. At the pleading stage, these are sufficient allegations of unreasonable cybersecurity practices under the CRA. See In re Sony, 996 F.Supp.2d at 966 (holding that plaintiffs adequately alleged that defendant failed to employ reasonable security measures to protect their information, including failing to use industry-standard encryption).

This is a perfect example of why Plaintiffs' Amended Complaint is a shotgun pleading. The factual allegations necessary to support Plaintiffs' CRA claims are not presented under Count V or anywhere in its vicinity. The Court cautions Plaintiffs that its patience for chasing down cumulatively incorporated factual allegations has been exhausted. All such instances of this practice must be remedied if the Second Amended Complaint is to survive another motion to dismiss.

Accordingly, Defendants' Motion as to Count V is DENIED.

g. Plaintiffs Do Not State a Claim for Breach of Implied Contract (Count XVIII)

Plaintiffs claim that Defendants breached an implied contract with Plaintiffs and putative Class Members to take reasonable measures to safeguard their PHI and PII and to provide them with prompt, adequate notice of any data breach or unauthorized access of their personal information (Count XVIII). Am. Compl. ¶¶ 659, 661. Defendants raise three arguments in favor of dismissal: 1) Defendants never contractually agreed to safeguard Plaintiffs' PHI and PII; 2) Plaintiffs' claims are not directed at any specific party and thus do not provide Defendants with fair notice; and 3) Plaintiffs do not allege proximate causation. Mot. at 35-38.

As to Defendants' argument on contract formation, the claims of Plaintiffs Lee and Clark are subject to South Carolina law, those of Plaintiff Cohen are subject to Maryland law, those of Plaintiff Fulks are subject to North Carolina law, those of Plaintiff Nielsen are subject to Virginia law, and those of Plaintiffs A.W., Larsen, Rumely, Bean, Jay, Soto, and Baum are subject to Florida law. See supra Legal Standard III.b. The law governing the existence of a contract is identical in these states: an implied contract requires proof of the same elements as an express contract, including mutual assent and meeting of the minds. So only a single analysis is necessary.

See J.R. v. Walgreens Boots Alliance, Inc., 470 F.Supp.3d 534, 558 (D.S.C. 2020) (South Carolina) McConnell v. Servinsky Eng'g, PLLC, 22 F.Supp.3d 610, 618-19 (W.D. Va. 2014) (Virginia); Jenks v. Bynum Trans., Inc., 104 So.3d 1217, 1224 (Fla. 1st DCA 2012) (Florida); Slick v. Reinecker, 839 A.2d 784, 787 (Md. Ct. Spec. App. 2003) (Maryland); Snyder v. Freeman, 266 S.E.2d 593, 602 ( N.C. 1980) (North Carolina).

Plaintiffs allege the following:

1) Plaintiffs sought treatment from Defendants, and Defendants agreed to treat Plaintiffs. Am. Compl. ¶¶ 653-54.
2) Before providing treatment to Plaintiffs, each Defendant provided Plaintiffs with a privacy notice, which Plaintiffs were required to read and sign. Id. ¶¶ 655-56.
3) Plaintiffs, as part of their agreement with each Defendant, provided their PHI and PII, thus entering an implied contract with each Defendant whereby Defendants became obligated to reasonably safeguard Plaintiffs' PHI and PII as well as provide Plaintiffs with prompt, adequate notice of any data breach or unauthorized access of their personal information. Id. ¶¶ 657-59.
4) Plaintiffs and Defendants had a meeting of the minds to support an implied contract because, as part of the treatment provided to Plaintiffs, Defendants accepted the responsibility to safeguard Plaintiffs' PHI and PII, Plaintiffs provided their PHI and PII to Defendants, and Defendants accepted payment from Plaintiffs for the safety and security of their PHI and PII. Id. ¶ 660.

Whereas the terms of an express contract are stated in words, the existence and terms of an implied contract are manifested by conduct. In considering whether an implied contract exists, a court should give “the effect which the parties, as fair and reasonable men, presumably would have agreed upon if, having in mind the possibility of the situation which has arisen, they had contracted expressly in reference thereto.” Bromer v. Fla. Power & Light Co., 45 So.2d 658, 660 (Fla. 1949). Many federal courts have held that an implied contract to safeguard customers' sensitive data could reasonably be found to exist in transactions where consumers are solicited or invited to provide personal information in exchange for a good or service. See, e.g., In re Brinker, 2020 WL 691848, at *5 (holding plaintiffs' allegations that defendant “solicited and invited” them to “eat at its restaurants and make purchases using their credit or debit cards” sufficient to allege an implicit agreement that defendant “would utilize [p]laintiffs' confidential information for the agreed payment and nothing else, thereby creating an obligation that [defendant] use reasonable measures to safeguard and protect [c]ustomer data”) (quotation omitted); Torres v. Wendy's Int'l, LLC, No. 16-210, 2017 WL 8780453, at *3 (M.D. Fla. Mar. 21, 2017) (holding plaintiff's allegations that “defendant invited its customers to pay for their purchases with credit cards containing confidential information” sufficient to allege an implicit agreement to “protect its customers' confidential information as a reasonable and prudent merchant would”).

See, e.g., All Seasons Restoration, Inc. v. Forde, No. 19-00247, 2021 WL 784644, at *3 (E.D. N.C. Mar. 1, 2021); In re Brinker, 2020 WL 691848, at *4; State Constr. Corp. v. Slone Assocs., Inc., 385 F.Supp.3d 449, 463 (D. Md. 2019); Doe v. Alger, 228 F.Supp.3d 713, 727-28 (W.D. Va. 2016); Storms v. Goodyear Tire & Rubber Co., 775 F.Supp. 862, 866 (D.S.C. 1991).

Here, by contrast, Plaintiffs allege no invitation or solicitation by Defendants indicating that Defendants implicitly assented to secure their PHI and PII in exchange for remuneration. See Brush v. Miami Beach Healthcare Grp. Ltd., 238 F.Supp.3d 1359, 1369 (S.D. Fla. 2017). Plaintiffs' allegations reveal only that they provided their personal information as required to receive healthcare services from Defendants-not data security services beyond the privacy requirements already imposed on Defendants by federal law. Id.

Although not cited by Plaintiffs, the Court acknowledges a split in authority on this question between Brush and Farmer v. Humana, Inc., No. 21-1478, 2022 WL 732126 (M.D. Fla. Jan. 25, 2022), a data breach case presented with similar facts. The Farmer court held that because plaintiff was required to provide defendant, a healthcare provider, a variety of PII-including his name, Social Security number, and date of birth-he presumably expected to receive an implicit assurance that the information would be protected. Farmer, 2022 WL 732126, at *6. Thus, the court reasoned, a jury could reasonably conclude that an implicit agreement to safeguard the data was necessary to effectuate the contract, so plaintiff adequately alleged the existence of an implied contract to safeguard his PHI and PII. Id. The Court declines to adopt this “consumer expectation” theory of contract formation. Unilateral and subjective expectations in a transaction cannot be inferred to coalesce into the meeting of the minds required to establish an implied contract. See Monahan v. WHM, LLC, No. 09-80198, 2010 WL 11504336, at *5 (S.D. Fla. Mar. 18, 2010).

The fact that Plaintiffs had to acknowledge Defendants' privacy notice is of no consequence because such notices are not contractual in nature. Brush, 238 F.Supp.3d at 1367. Rather, they inform patients of their rights under federal law-specifically, HIPAA-and the duties imposed on healthcare providers by these statutory provisions. Id. Because Defendants are required by law to adhere to HIPAA without receiving any consideration from Plaintiffs or any other patient, these provisions cannot create contractual obligations. Id. Accordingly, the Court cannot infer from Plaintiffs' allegations the mutual assent and meeting of the minds required to form an implied contract for data security services based on the parties' conduct. Id.

The Court addresses Defendants' second argument supra Analysis II.a in the context of shotgun pleadings. As to Defendants' final argument, the Court will address the issue of proximate causation infra Analysis II.h regarding Count XIX for negligence. Defendants' Motion as to Count XVIII is GRANTED. Count XVIII is DISMISSED with prejudice.

h. Plaintiffs State a Claim for Negligence, with a Caveat (Count XIX)

Plaintiffs claim that Defendants owed Plaintiffs and putative Class Members a duty and breached that duty by failing to exercise reasonable care and failing to safeguard and protect their PHI and PII (Count XIX). Am. Compl. ¶¶ 663-64. Plaintiffs' claims sound in theories of both common-law negligence and negligence per se based on alleged violations of Section 5 of the FTC Act. Id. ¶¶ 667, 671. Defendants assert that they owed Plaintiffs no common-law duty to safeguard their personal information from criminal theft, that Section 5 cannot form the basis of a negligence per se claim, that their conduct proximately caused no alleged loss, that some Plaintiffs fail to allege any cognizable damages, and that the economic loss rule bars Plaintiffs' claims. Mot. at 38-47.

All Plaintiffs' tort claims are governed by Florida law. See supra Legal Standard III.a. Under Florida law, “[a] negligence claim requires a plaintiff to show that (1) defendants owe plaintiffs a duty, (2) defendants breached the duty, (3) defendants' breach injured plaintiffs, and (4) plaintiffs' damage was caused by the injury to the plaintiff as a result of the defendant's breach of duty.” Resnick, 693 F.3d at 1325 (quoting Delgado v. Laundromax, Inc., 65 So.3d 1087, 1089 (Fla. 3d DCA 2011)) (cleaned up).

Because the overwhelming majority of Defendants' Motion focuses on the law of Plaintiffs' home states, the Court will not engage in any significant analysis of these arguments. See Mot. at 38-47.

Federal courts in Florida have well established that entities which collect sensitive, private data from consumers and store such data on their networks have a duty to protect the information.“[E]stablishing the existence of a duty under [Florida's] negligence law is a minimum threshold legal requirement that opens the courthouse doors . . . and is ultimately a question of law for the court rather than a jury.” Virgilio v. Ryland Grp., Inc., 680 F.3d 1329, 1339 (11th Cir. 2012). “Where a defendant's conduct creates a foreseeable zone of risk, the law generally will recognize a duty placed upon [the] defendant either to lessen the risk or [to] see that sufficient precautions are taken to protect others from the harm that the risk poses.” Kaisner v. Kolb, 543 So.2d 732, 735 (Fla. 1989). Where, as here, a business “collect[s] sensitive, private data from consumers, ” it has “a duty to protect that information.” Brush, 238 F.Supp.3d at 1365.

See Farmer, 2022 WL 732126, at *4; In re Brinker, 2020 WL 691848, at *7; Stephens v. Availity, L.L.C., No. 19-236, 2019 WL 13041330, at *4 (M.D. Fla. Oct. 1, 2019); Brush, 238 F.Supp.3d at 1365; Weinberg v. Advanced Data Processing, Inc., 147 F.Supp.3d 1359, 1363 (S.D. Fla. 2015).

Defendants contend that they owed no “common-law duty to safeguard Plaintiffs' information from criminal theft.” Mot. at 39. This argument fails. See In re Brinker, 2020 WL 691848, at *8 (“[Defendant], by collecting personal information and payment card data, had control over the information and had a duty to use reasonable care in protecting that data from theft.”).

Defendants further argue that, despite the holdings of federal courts in Florida, the Court should find no existence of a duty because no state court has ever recognized such a duty. Reply at 24. Under Florida law, a duty may arise from four general sources: “(1) legislative enactments or administration regulations; (2) judicial interpretations of such enactments or regulations; (3) other judicial precedent; and (4) a duty arising from the general facts of the case.” Clay Elec. Coop., Inc. v. Johnson, 873 So.2d 1182, 1185 (Fla. 2003). Judicial precedent recognizes Florida's undertaker's doctrine, under which a duty to act carefully arises “[w]henever one undertakes to provide a service to others, whether one does so gratuitously or by contract.” Id. at 1186. Despite Defendants' urging to narrowly construe its duty within the data security context, the Court finds that their duty to safeguard Plaintiffs' PHI and PII fits nicely within Florida's existing undertaker's doctrine. The facts of the case also indicate that by handing over their personal information, Plaintiffs placed their data in a foreseeable zone of risk that Defendants had a duty to mitigate. See Kaisner, 543 So.2d at 735.

Plaintiffs also sufficiently allege that Defendants breached their duty. Specifically, they plead that Defendants “fail[ed] to exercise reasonable care” and “fail[ed] to safeguard and protect Plaintiffs' and Class Members' PHI and PII.” Am. Compl. ¶ 664. See Farmer, 2022 WL 732126, at *5 (finding plaintiff's allegations that defendants “failed to implement industry protocols and exercise reasonable care in protecting and safeguarding the PII and PHI of [plaintiff] and failed to heed industry warnings and alerts to provide adequate safeguards to protect the PII and PHI” sufficient to plead that defendants breached their duty (cleaned up)). They further allege that “[i]t was reasonably foreseeable that Defendants' failure to exercise reasonable care in safeguarding and protecting Plaintiffs' and Class Members' PHI and PII would result in an unauthorized third party gaining access to such information for no lawful purpose.” Am Compl. ¶ 665. See Torres, 2017 WL 8780453, at *4 (finding allegations that defendant “had ample reasons to anticipate the hack, but failed to take action to prevent it, ” sufficient to allege a foreseeable zone of risk).

In Resnick, the Eleventh Circuit discussed the causation element at length. 693 F.3d at 1326 (“[T]o prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence.”). Plaintiffs alleged that they “became victims of identity theft for the first time in their lives ten and fourteen months after the laptops containing their sensitive information were stolen.” Id. They further alleged that: (1) “the sensitive information on the stolen laptop was the same sensitive information used to steal [p]laintiffs' identity, ” id. at 1327; (2) “the identity thief used [p]laintiffs' sensitive information” to change an address and open a bank account, id.; (3) “prior to the data breach, [none of the plaintiffs] had ever had their identities stolen or their sensitive information compromised in any way, ” id. at 1326; and (4) “[a plaintiff] took substantial precautions to protect herself from identity theft, including not transmitting sensitive information over the Internet or any unsecured source; not storing her sensitive information on a computer or media device; storing sensitive information in a safe and secure physical location; and destroying documents she receive[d] in the mail that may contain any of her sensitive information, ” id. (cleaned up).

Considering plaintiffs' complaint and “applying common sense to [its] understanding of [the] allegation, ” the Resnik court held that plaintiffs' claim “that the data breach caused their identities to be stolen move[d] from the realm of the possible into the plausible.” 693 F.3d at 1326. The panel noted, however, that had plaintiffs alleged fewer facts, the complaint may not have survived a motion to dismiss. Id. at 1327.

Here, Plaintiffs allege the following similar facts:

1) Plaintiffs allege that their PHI and PII were found available for purchase on the dark web following the Data Breaches. Am. Compl. ¶¶ 34, 96, 119, 144, 170, 256, 278.
2) Plaintiffs allege that their PHI and PII found for sale on the dark web contained the same information provided to medical providers that contracted with Defendant Mednax. Id. ¶¶ 30, 165.
3) Plaintiff Nielsen alleges that she has suffered identity theft, that twelve bank accounts have been opened in her name, that her credit score has been damaged, that she has experienced errors in processing her medical bills, and that a four-year magazine subscription was started in her name. Id. ¶¶ 199-200, 203-04, 206.
4) Plaintiffs allege that considering the geographic distribution of Plaintiffs and the inclusion of multiple Plaintiffs' PHI and PII in one sample database, it can be reasonably assumed that the data likely came from the same source data breach. Id. ¶¶ 31, 93, 116, 141, 167, 227, 253, 275.
5) Plaintiffs allege that they exercise care in sharing their sensitive PHI and PII, do not knowingly transmit unencrypted sensitive PHI and PII over the internet or any other
unsecured source, and store any documents containing their sensitive PHI and PII in a safe and secure location or destroy the documents. Id. ¶¶ 21-22, 44-45, 62-63, 81-82, 104-05, 129-30, 153-54, 178-79, 192-93, 217-18, 241-42, 263-64.

A reasonable jury could find that these facts establish causation.

“Florida defines damages in negligence cases as ‘some actual harm.'” In re Brinker, 2020 WL 691848, at *8 (quoting Am. Optical Corp. v. Spiewak, 73 So.3d 120, 127 (Fla. 2011)). The Court has extensively discussed Plaintiffs' injuries supra Analysis I.a in relation to Article III standing. Damages do not necessarily equate with Article III's injury-in-fact requirement; they may overlap but are not synonymous. Id. But the Court finds that a reasonable jury could conclude that the injuries discussed in the standing context translate to actual harm in the negligence context. So there is no need to rehash them here.

Defendants contend that the economic loss rule bars Plaintiffs' negligence claims. Mot. at 46-47. In Florida, “the economic loss rule is a judicially created doctrine that sets forth the circumstances under which a tort action is prohibited if the only damages suffered are economic losses.” Tiara Condo. Ass'n, Inc. v. Marsh & McLennan Cos., Inc., 110 So.3d 399, 401 (Fla. 2013). The Florida Supreme Court has held that “the economic loss rule applies only in the products liability context.” Id. at 407. Thus, Plaintiffs' claims are not barred by the economic loss rule.

The lone flaw in Plaintiffs' negligence claim is in its reliance on allegations that Defendants breached Section 5 of the FTC Act and thus committed negligence per se. See Am. Compl. ¶¶ 666-69. Federal courts in Florida have held that a negligence per se claim cannot rest on a federal statute that does not provide a private right of action. In re Brinker, 2020 WL 691848, at *9 (citing Weinberg, 147 F.Supp.3d at 1365 (compiling cases)). “When a statute is silent as to whether it allows for a private cause of action, such a claim can only survive when the statute evidences legislative intent to create a private cause of action.” Id. (quoting Zarrella v. Pac. Life Ins. Co., 755 F.Supp.2d 1218, 1228 (S.D. Fla. 2010)). “There is no private cause of action implied under the Federal Trade Commission Act.” Id. (quoting Lingo v. City of Albany Dep't of Cmty. & Econ. Dev., 195 Fed.Appx. 891, 894 (11th Cir. 2006)); see also In re SuperValu, Inc., 925 F.3d 955, 96364 (8th Cir. 2019) (declining to impose a duty based on the FTC Act because “Congress empowered the Commission-and the Commission alone-to enforce [it]. Implying a cause of action would be inconsistent with Congress's anticipated enforcement scheme.”). Thus, violations of Section 5 cannot form the basis for a negligence per se claim.

For the reasons stated above, Defendants' Motion as to Count XIX is GRANTED. Count XIX is DISMISSED without prejudice to Plaintiffs to excise their invocation of negligence per se under Section 5 from their negligence claim.

i. Plaintiffs Do Not State a Claim for Invasion of Privacy by Public Disclosure of Private Facts (Count XX)

Plaintiffs assert a claim for invasion of privacy by public disclosure of private facts, alleging that “[b]y virtue of Defendants' failure to safeguard and protect Plaintiffs' and the other Class Members' PHI and PII and the resulting [Data Breaches], Defendants wrongfully disseminated and published Plaintiffs' and the other Class Members' PHI and PII to a large number [of] unauthorized persons in the public at large” (Count XX). Am. Compl. ¶ 674. Defendants correctly argue that this count fails because Plaintiffs do not allege that Defendants publicized the private information themselves. Mot. at 47-48.

“Florida courts recognize the invasion of privacy tort under common law.” T.G. v. Sears, Roebuck & Co., No. 06-61228, 2006 WL 8432512, at *6 (S.D. Fla. Nov. 20, 2006). “The elements for the tort of invasion of privacy by the disclosure of private facts are the following: (1) the publication, (2) of private facts, (3) that are offensive, and (4) are not of public concern.” Woodard v. Sunbeam Television Corp., 616 So.2d 501, 503 (Fla. 3d DCA 1993). Invasion of privacy is an intentional tort. Rowell v. Holt, 850 So.2d 474, 478 n.1 (Fla. 2003); Chase Manhattan Inv. Servs., Inc. v. Miranda, 658 So.2d 181, 182 (Fla. 3d DCA 1995). Thus, Florida courts routinely dismiss invasion-of-privacy claims where a plaintiff fails to allege that a defendant “intentionally divulged his PII” and instead asserts that “an unknown [person] stole the PII from [the defendant's] computer system.” Burrows v. Purchasing Power, LLC, No. 12-22800, 2012 WL 9391827, at *6 (S.D. Fla. Oct. 18, 2012); see also Farmer, 2022 WL 732126, at *6-7; Carlisi v. Spnntcom, Inc., No. 06-60751, 2006 WL 8432613, at *2 (S.D. Fla. Sept. 6, 2006) (“Here, Plaintiff alleges that Defendant is liable for invasion of privacy because Defendant negligently maintained its records allowing a third party to obtain private information about Plaintiff. This is insufficient to state a claim for the intentional tort of invasion of privacy because no cause of action can exist for the negligent commission of an intentional tort.”).

Plaintiffs' invasion-of-privacy claim fails because they do not allege that Defendants intentionally disclosed their PHI and PII to unauthorized persons. Instead, Plaintiffs plead that Defendants' negligent “failure to safeguard and protect Plaintiffs' and the other Class Members' PHI and PII” resulted in the disclosure. Am. Compl. ¶ 674. “This is insufficient to state a claim for the intentional tort of invasion of privacy because, ” although its elements are framed in the passive voice, “no cause of action can exist for the negligent commission of an intentional tort.” Carlisi, 2006 WL 8432613, at *2; see also Farmer, 2022 WL 732126, at *7; Burton v. MAPCO Exp., Inc., 47 F.Supp.3d 1279, 1288 (N.D. Ala. 2014) (“Even if the defendants were negligent, as alleged, in safeguarding [plaintiff's] account information, such negligence does not morph into an intentional act of divulging his confidential information.”).

Defendants' Motion as to Count XX is GRANTED. Because Plaintiffs cannot present a set of facts necessary to allege that Defendants intentionally disclosed their PHI and PII, Count XX is DISMISSED with prejudice.

j. Plaintiffs Fail to State a Claim for Breach of the Fiduciary Duty of Confidentiality (Count XXI)

Plaintiffs assert that they had a relationship of trust and confidence with Defendants because they entrusted their sensitive personal information to Defendants in exchange for receiving services. Am. Compl. ¶ 679. Thus, say Plaintiffs, Defendants owed Plaintiffs a common-law fiduciary duty to keep their medical information and other PHI and PII confidential-a duty Defendants breached by disclosing Plaintiffs' PHI and PII to unauthorized third parties (Count XXI). Id. ¶¶ 679-80.

Under Florida law, “[a] fiduciary relationship which is implied in law is based on the specific factual circumstances surrounding the transaction and the relationship of the parties.” Weinberg, 147 F.Supp.3d at 1367 (quoting First Nat'l Bank & Trust Co. of Treasurer Coast v. Pack, 789 So.2d 411, 415 (Fla. 4th DCA 2001)). “To establish a fiduciary relationship, a party must allege some degree of dependency on one side and some degree of undertaking on the other side to advise, counsel, and protect the weaker party.” Id. (quoting Jaffe v. Bank of Am., N.A., 667 F.Supp.2d 1299, 1319 (S.D. Fla. 2009)). Generally, “in an arms-length transaction, however, there is no duty imposed on either party to act for the benefit or protection of the other party.” Id.

Plaintiffs do not plausibly allege that they depended on Defendants or that Defendants undertook to counsel, act for, or protect Plaintiffs in any capacity. Because they cannot plead facts to establish any direct relationship, let alone a fiduciary one, Plaintiffs blandly assert that Defendants owed them a duty of confidentiality “because [they] entrusted their sensitive personal information to Defendants in exchange for receiving services.” Am. Compl. ¶ 679. But the mere receipt of confidential information is insufficient by itself to transform an arm's-length transaction into a fiduciary relationship. Stephens, 2019 WL 13041330, at *6; Weinberg, 147 F.Supp.3d at 1367.

Because Plaintiffs' pleading amounts to no more than the type of arm's-length transaction that gives rise to no fiduciary duty, Defendants' Motion is GRANTED as to Count XXI. Count XXI is DISMISSED with prejudice.

k. Plaintiffs Fail to State a Claim for Negligent Training and Supervision (Count XXII)

Plaintiffs claim that Defendants owed them a duty to train and supervise employees to ensure they recognized their duties to Defendants' patients and patients' parents and guardians and that Defendants breached this duty by allowing their employees to fall victim to a phishing scam (Count XXII). Am. Compl. ¶¶683-84. The Court addresses supra Analysis II.a how Count XXII fails under the Eleventh Circuit's shotgun pleading standards: negligent supervision and negligent training must be pled separately. But in addition to its deficiencies in form, Count XXII falls short in terms of substance.

Under Florida law, “[n]egligent supervision ‘occurs when, during the course of employment, the employer becomes aware or should have become aware of problems with an employee that indicated his unfitness, and the employer fails to take further actions such as investigating, discharge, or reassignment.'” Diaz v. Carnival Corp., 555 F.Supp.3d 1302, 1310 (S.D. Fla. 2021) (quoting Cruz v. Advance Stores Co., 842 F.Supp.2d 1356, 1359 (S.D. Fla. 2012)). Plaintiffs provide no factual support for a finding that any Defendant was aware or should have been aware of any problem with an employee, nor do they identify any employee or employees who were unfit. “On the other hand, negligent training occurs when an employer ‘was negligent in the implementation or operation of the training program' and the negligence causes a plaintiff's injury.” Id.; see also Gutman v. Quest Diagnostics Clinical Labs., Inc., 707 F.Supp.2d 1327, 1332 (S.D. Fla. 2010); Wynn v. City of Lakeland, 727 F.Supp.2d 1309, 1317 (M.D. Fla. 2010). Plaintiffs do not even allege that any Defendant has a training program-much less that it is deficient in its implementation or operation.

Accordingly, Defendants' Motion as to Count XXII is GRANTED. Count XXII is DISMISSED with prejudice.

III. Additional Argument by Defendant American Anesthesiology

Defendant American Anesthesiology raises the following three arguments in addition to those raised collectively by all Defendants:

1) The Amended Complaint improperly lumps together American Anesthesiology and the other Defendants. Mot. at 54-55.
2) Eleven Plaintiffs lack standing to sue American Anesthesiology because they do not allege any connection to American Anesthesiology. Id. at 55-59.
3) Plaintiffs cannot assert state-law claims when their own claims do not arise under the laws of those states. Id. at 59-60.

As to the first argument, the Court addresses supra Analysis II.a Plaintiffs' impermissible use of group pleading in Count XVIII (breach of implied contract). But the Court need go no further at this stage of the proceedings. Plaintiffs have alleged “Defendants' common ownership, common data security policies and protocols, common post-breach response[, ] and other joint and concerted data security related activities.” Resp. at 54. At the initial notice stage, this is sufficient. Without the aid of discovery, it would be premature for the Court to require Plaintiffs to demonstrate the specific actions taken-or not taken-by each Defendant that resulted in Plaintiffs' injuries.

The Court acknowledges-and Plaintiffs admit, see Am. Compl. ¶ 285-that American Anesthesiology was no longer owned by Mednax as of the Data Breaches. But whether their common data security policies and protocols were established before or after the divesture is a question of fact.

As to the second argument, the Court is unsure what “connection” American Anesthesiology expects Plaintiffs to plead. The Motion largely rehashes the requisite elements of Article III standing the Court discusses at length supra Analysis I. See Mot. at 55-59. The only “connection” Article III requires is a “causal connection between the injury and the conduct complained of.” Lujan, 504 U.S. at 560. This requirement-along with injury in fact and redressability-is all that matters with regard to standing. Id. The Court addresses in great detail supra Analysis I why Plaintiffs sufficiently establish all three of these prongs at this stage of the proceedings and need go no further. To the extent American Anesthesiology pleads that its actions-separate and apart from the actions of the other Defendants-lack a causal connection to Plaintiffs' injuries in fact, the Court is ill prepared to reach such a determination without the aid of discovery.

Although not stated explicitly, the Motion seems to argue that Article III standing requires privity between each Plaintiff and American Anesthesiology. See Mot. at 55 (“[O]nly [Plaintiffs] Nielsen and Lee allege any connection to [American Anesthesiology]. Plaintiffs without a connection to [American Anesthesiology] cannot sue [American Anesthesiology].”). Article III generally requires no showing of privity between a plaintiff and a defendant; however, this inquiry is pertinent to actions sounding in contract. Under the law of all states relevant to this case, a plaintiff must allege privity of contract with a defendant to establish standing in contract cases.

See 1500 Range Way Partners, LLC v. JPMorgan Chase Bank, Nat'l Ass'n, 800 F.Supp.2d 716, 721 (D.S.C. 2011) (South Carolina); Feheley v. LAI Games Sales, Inc., No. 08-23060, 2009 WL 2474061, at *3 (S.D. Fla. Aug. 11, 2009) (Florida); Cohen v. Feldman, No. 2665, 2020 WL 4047947, at *6 (Md. Ct. Spec. App. July 20, 2020) (Maryland); Am. Oil Co. v. AAN Real Estate, LLC, 754 S.E.2d 844, 846 (N.C. Ct. App. 2014) (North Carolina); Wells v. Shoosmith, 428 S.E.2d 909, 913 (Va. 1993) (Virginia).

Accordingly, all contract-based claims against American Anesthesiology by Plaintiffs A.W., B.W., Rumely, Bean, Jay, Soto, Baum, Larsen, Fulks, Cohen, and Clark must be dismissed.

The third argument is moot in light of the Court's findings as to choice of law, discussed supra Legal Standard III.

Accordingly, Defendants' Motion as to Counts I and XVIII is GRANTED as to Plaintiffs A.W., B.W., Rumely, Bean, Jay, Soto, Baum, Larsen, Fulks, Cohen, and Clark, and as against Defendant American Anesthesiology, for the additional reason that these Plaintiffs fail to allege privity of contract.

CONCLUSION

Plaintiffs have standing to bring this action, but many of their counts fail to state a claim upon which relief can be granted and therefore warrant dismissal. Accordingly, for the foregoing reasons, it is hereby

ORDERED AND ADJUDGED as follows:

1) Defendants' Motion [ECF No. 84] is GRANTED IN PART.

2) The following Counts are DISMISSED without prejudice and with leave to amend:

a. Count II (violation of the Maryland Personal Information Protection Act);

To be clear, as discussed supra Analysis II.c, Plaintiff Cohen must plead an MPIPA violation within her existing MCPA count-not as an independent count.

b. Count VIII (violation of the Florida Deceptive and Unfair Trade Practices Act);

c. Count IX (violation of the Missouri Merchandising Practices Act);

d. Count XIV (violation of the Texas Deceptive Trade Practices-Consumer Protection Act);

e. Count XV (violation of the Virginia Consumer Protection Act); and f. Count XIX (negligence).

3) The following Counts are DISMISSED with prejudice:

a. Count I (breach of the covenant of good faith and fair dealing);

b. Count VI (violation of the California Unfair Competition Law);

c. Count VII (violation of the California Consumer Legal Remedies Act);

d. Count XII (violation of the Oklahoma Consumer Protection Act);

e. Count XIII (violation of the South Carolina Unfair Trade Practices Act);

f. Count XVIII (breach of implied contract);

g. Count XX (invasion of privacy by public disclosure of private facts);

h. Count XXI (breach of the fiduciary duty of confidentiality); and i. Count XXII (negligent training and supervision).

4) Plaintiffs shall file a Second Amended Complaint in conformance with this Order on or before June 10, 2022.

5) The stay of discovery imposed by the Court in Pretrial Order No. 1, [ECF No. 12] at 4, and extended by the Order Granting Defendants' Motion to Stay Discovery, [ECF No. 70] at 7, is further extended for a period of forty-five (45) days from the date of this Order to allow the parties sufficient time to prepare a Second Amended Complaint and an answer or response.

6) The parties shall appear for a Status Conference to be held via Zoom on May 18, 2022, at 11:00 AM. Details will be provided by separate order.

DONE AND ORDERED.


Summaries of

In re Mednax Servs., Customer Data Sec. Breach Litig.

United States District Court, Southern District of Florida
May 10, 2022
No. 21-MD-02994-RAR (S.D. Fla. May. 10, 2022)
Case details for

In re Mednax Servs., Customer Data Sec. Breach Litig.

Case Details

Full title:In re MEDNAX SERVICES, INC., CUSTOMER DATA SECURITY BREACH LITIGATION

Court:United States District Court, Southern District of Florida

Date published: May 10, 2022

Citations

No. 21-MD-02994-RAR (S.D. Fla. May. 10, 2022)

Citing Cases

Savidge v. Pharm-Save, Inc.

That “other injury” may be the emotional distress caused by the threat of identity theft. See In re Mednax…

Holmes v. The Vill.s Tri-Cnty. Med. Ctr.

Standing is thus “a ‘threshold question in every federal case, determining the power of the court to…