C. A. PC-2022-6145 (R.I. Super. Nov. 29, 2023)

From Casetext: Smarter Legal Research

Morelli v. R.I. Pub. Transit Auth.

Superior Court of Rhode Island, Providence

Nov 29, 2023

C. A. PC-2022-6145 (R.I. Super. Nov. 29, 2023)

Opinion

C. A. PC-2022-6145

11-29-2023

ALEXANDRA MORELLI, DAVID NOVSAM, AUDREY SNOW, BETTY J. POTENZA, NORMAN R. PLANTE, EILEEN BOTELHO, GARY RUO, DAVID A. ROSA, ROBIN KULIK, CARONAH CASSELL-JOHNSON, SHEILA M. GALAMAGA, CAITLYN LAMARRE, and DIANE M. CAPPALLI, individually and on behalf of all others similarly situated, Plaintiffs, v. RHODE ISLAND PUBLIC TRANSIT AUTHORITY and UNITEDHEALTHCARE OF NEW ENGLAND, INC., Defendants.

For Plaintiffs: Peter N. Wasylyk, Esq. For Defendants: Brian J. Lamoureux, Esq.; William J. Lynch, Esq.

STERN, J.

For Plaintiffs: Peter N. Wasylyk, Esq.

For Defendants: Brian J. Lamoureux, Esq.; William J. Lynch, Esq.

DECISION

STERN, J.

Before the Court are (1) Defendant UnitedHealthcare of New England, Inc.'s (UHC) Motion to Dismiss Plaintiffs Alexandra Morelli (Morelli), David Novsam (Novsam), Audrey Snow (Snow), Betty J. Potenza (Potenza), Norman R. Plante (Plante), Eileen Botelho (Botelho), Gary Ruo (Ruo), David A. Rosa (Rosa), Robin Kulik (Kulik), Caronah Cassell-Johnson (Cassell-Johnson), Sheila M. Galamaga (Galamaga), Caitlyn Lamarre (Lamarre), and Diane M. Cappalli's (Cappalli) (collectively, Plaintiffs) Amended Complaint; and (2) Defendant Rhode Island Public Transit Authority's (RIPTA) Motion to Dismiss Counts 1 and 3 of Plaintiffs' Amended Complaint. Jurisdiction is pursuant to Rule 12 of the Superior Court Rules of Civil Procedure.

Facts and Travel

By way of background, Morelli is a Rhode Island resident employed by the University of Rhode Island. (Am. Compl. ¶ 15.) Novsam is a Rhode Island resident employed by RIPTA. Id. Snow is a Rhode Island resident employed by the State of Rhode Island (the State). Id. Potenza is a Rhode Island resident employed by the State. Id. Plante is a Rhode Island resident employed by the Rhode Island Department of Corrections (the DOC). Id. ¶ 16. Botelho is a Massachusetts resident employed by the Rhode Island Department of Elementary and Secondary Education (RIDE). Id. Ruo is a Rhode Island resident and a retiree from the DOC. Id. Rosa is a Rhode Island resident employed by Rhode Island College. Id. Kulik is a Rhode Island resident and a retiree from the DOC. Id. Cassell-Johnson is a Rhode Island resident employed by the State. Id. ¶ 17. Galamaga is a Rhode Island Resident employed by RIDE. Id. Lamarre is a Rhode Island resident employed by the Rhode Island Department of Human Services. Id. Cappalli is a Florida resident and a retiree from RIPTA. Id. RIPTA is a quasi-governmental entity located in Providence, Rhode Island. Id. ¶ 18. UHC is a Rhode Island corporation having its principal place of business in Warwick, Rhode Island. Id. ¶ 19.

The State provides health insurance to its employees through a self-insured health insurance plan (the State Plan). Id. ¶ 21. RIPTA provides health insurance to its employees through its own self-insured health insurance plan (the RIPTA Plan). Id. ¶ 23. For some period, UHC administered both the State Plan and the RIPTA Plan. Id. ¶¶ 5, 22, 24. On or about August 5, 2021, RIPTA identified a breach (the Data Breach) of its system between August 3, 2021 and August 5, 2021, in which RIPTA's computer systems were accessed by unauthorized persons. Id. ¶ 29. The Data Breach resulted in the downloading of about 44,000 files containing personal healthcare information (PHI) and personally identifiable information (PII) of about 17,000 RIPTA and State employees and retirees. Id. ¶ 38. The PHI and PII contained "plan member names, Social Security numbers, addresses, dates of birth, Medicare information numbers and qualification information, health plan member identification numbers, healthcare claim amounts, and dates of service for which claims were filed." Id. ¶ 40. The files were supplied to RIPTA by UHC and were allegedly not adequately encrypted or secured against unauthorized access by third parties. Id. ¶ 33.

RIPTA conducted an internal investigation and, on October 28, 2021, determined that the Data Breach resulted in the unauthorized access of current and former RIPTA and State Plan members and their families' PHI and PII. Id. ¶ 37. RIPTA notified 17,378 Rhode Island residents of the Data Breach in a letter dated December 21, 2021. See generally Am. Compl. Ex. A. The letter further offered credit monitoring services through Equifax to affected persons. Id. RIPTA also posted a notice about the Data Breach online, stating that the breach was limited to personal information of health plan beneficiaries. (Am. Compl. ¶ 48.) At a State Senate oversight hearing, RIPTA announced that, in addition to the Rhode Islanders victimized by the breach, roughly 5,000 out-of-state residents' information were accessed in the Data Breach. Id. ¶ 50.

Plaintiffs allege that they received correspondence from RIPTA in December 2021 or January 2022, which notified them that their PHI and PII were compromised as a result of the Data Breach. See id. ¶¶ 74, 89, 119, 135, 156, 173, 190, 204, 221, 237, 254, 269. Plaintiffs make the following allegations as to harms they suffered thereafter:

1. Morelli alleges that after the Data Breach, she was the target of fraudulent transactions and suspicious activity on several credit cards, as well as six withdrawals from her Citizens Bank savings account totaling $29,999. Id. ¶ 78. She was forced to close

credit and debit accounts and put a stop on all withdrawals from her savings account, which disrupted her ability to timely pay bills through automatic withdrawals. Id. ¶ 79;

2. Novsam alleges that he received an alert in October 2022 that his personal information was found on the "Dark Web," and has since received more than thirty text message alerts stating that his PII was found on the Dark Web. Id. ¶¶ 93-94. Additionally, he alleges that his wife has had credit card accounts opened in her name. Id. ¶ 95;

3. Snow alleges that, because of the Data Breach, an unknown person attempted to steal her identity by filing for a change of address, switching her address with one of Snow's doctors, and opening a credit card in her name. Id. ¶ 106. Snow maintains that this fraudulent activity occurred because her confidential information was posted and sold on the Dark Web. Id.;

4. Potenza alleges that nine unauthorized withdrawals were made from her Citizens Bank checking account between October 14, 2022 and October 20, 2022, totaling $11,658.43. Id. ¶ 121;

5. Plante alleges that, in September 2022, he received a hard inquiry on his credit report for a credit card from Premier Bank of Vegas. Id. ¶ 146. He avers that he did not apply for the card and contacted the bank to stop its issuance. Id. ¶ 147. He maintains that he submitted paperwork to remove the hard inquiry but is still waiting for his credit score to be restored. Id. ¶ 148-49;

6. Botelho alleges that, on or about July 19, 2022 or July 20, 2022, an unauthorized withdrawal in the amount of $18,000 was made from her Citizens Bank checking account to pay a Chase credit card. Id. ¶ 158. Botelho avers that she did not make such a payment and does not own a Chase credit card. Id. She also alleges that, in the fall

of 2022, she experienced suspicious activity on her credit cards and was forced to cancel the cards and receive new ones. Id. ¶ 159;

7. Ruo alleges that, in January 2022, Equifax notified him that his Social Security number was found on a fraudulent internet trading website. Id. ¶ 175. Ruo avers that, because of Equifax's notice, he purchased an identity theft protection plan in the amount of $180. Id. ¶ 176;

8. Rosa alleges that, after learning of the Data Breach, he purchased an identity theft monitoring service for $160. Id. ¶ 202. He further alleges that the monitoring service was renewed in January 2023 for an additional $160. Id.;

9. Kulik alleges that Credit Karma and McAfee informed Kulik that her PII was found on the Dark Web but does not allege any specific financial harms. See id. ¶ 206;

10. Cassell-Johnson alleges that, after the Data Breach, she was unable to electronically file her federal and state tax returns because a third party fraudulently filed them in her name. Id. ¶ 230. No other specific financial harms are alleged. See id. ¶¶ 220-35;

11. Galamaga alleges that, after the Data Breach, false accounts were made in Galamaga's name through Stash. Id. ¶ 239. Several wire transfers were allegedly attempted to steal funds from her checking account. Id. She further avers that her Social Security number and date of birth were compromised. Id. As a result, Galamaga was forced to close her bank account and open a different account at a new bank. Id. ¶ 240. She was also forced to discard five hundred purchased checks connected to her now-compromised bank account. Id.;

12. Lamarre alleges that cybercriminals attempted to wire transfer funds out of her bank account but were unsuccessful. Id. ¶ 256. However, Lamarre was forced to close her bank account and open a new one. Id. As a result, her automatic bill payments were terminated, and she incurred monetary penalties on returned payments. Id.; and

13. Cappalli does not allege financial harms from the Data Breach. See id. ¶¶ 269-272.

Stash is an investment, retirement, and banking service for beginner investors.

On October 25, 2022, Morelli and Cappalli filed a Complaint. See Docket, PC-2022-06145. On February 13, 2023, an Amended Complaint was filed adding the other Plaintiffs and sounding in, inter alia, (1) violations of the Identity Theft Protection Act, G.L. 1956 chapter 49.3 of title 11; (2) violations of the Confidentiality of Health Care Communications and Information Act, chapter 37.3 of title 5; (3) negligence; (4) breach of contract; (5) breach of implied contract; and (6) violations of the Deceptive Trade Practices Act, chapter 13.1 of title 6. See Am. Compl. On March 31, 2023, Defendants each filed Motions to Dismiss the Amended Complaint. See Docket, PC-2022-06145. Plaintiffs objected on May 30, 2023. See id.

Standard of Review

A motion to dismiss under Rule 12(b)(6) of the Superior Court Rules of Civil Procedure "has a narrow and specific purpose: 'to test the sufficiency of the complaint.'" Mokwenyei v. Rhode Island Hospital, 198 A.3d 17, 21 (R.I. 2018) (quoting Multi-State Restoration, Inc. v. DWS Properties, LLC, 61 A.3d 414, 416 (R.I. 2013)). A trial justice "'must look no further than the complaint, assume that all allegations in the complaint are true, and resolve any doubts in a plaintiff's favor.'" Multi-State Restoration, Inc., 61 A.3d at 416 (quoting Laurence v. Sollitto, 788 A.2d 455, 456 (R.I. 2002)) (internal citations omitted). The Court will grant a motion to dismiss "if it 'appears beyond a reasonable doubt that a plaintiff would not be entitled to relief under any conceivable set of facts.'" Laurence, 788 A.2d at 456 (quoting Rhode Island Affiliate, ACLU, Inc. v. Bernasconi, 557 A.2d 1232, 1232 (R.I. 1989)).

III

Analysis

Rhode Island Law Applies to the Instant Motions

As a preliminary matter, UHC argues that the common law claims of two Plaintiffs are governed by different states' laws. See UHC's Mem. in Support of UHC's Motion to Dismiss (UHC's Mem.) 11-13. With respect to Plaintiffs' tort claims, UHC avers that each Plaintiff is subject to the laws of the state in which the alleged injury occurred. Id. at 11. UHC points only to two Plaintiffs-Cappalli and Botelho-whose claims would be subject to another state's laws because they do not reside in Rhode Island, and their injuries ostensibly occurred in their states of residence. Id. at 11-12. Thus, UHC concludes that (1) Rhode Island law governs Morelli, Novsam, Snow, Potenza, Plante, Ruo, Rosa, Kulik, Cassell-Johnson, Galamaga, and Lamarre's tort claims; (2) Florida law governs Cappalli's tort claims; and (3) Massachusetts law governs Botelho's tort claims. Id. at 12. As to Plaintiffs' breach of contract claims, UHC states that our Supreme Court either applies (1) the law of the state where the contract was executed; or (2) the same interest-weighing approach as with tort claims. Id. at 13 (citing Webster Bank, National Association v. Rosenbaum, 268 A.3d 556, 560 (R.I. 2022)).

Plaintiffs argue that Rhode Island law should apply to all Plaintiffs in this matter. See Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 15-17. Plaintiffs assert that the Court must engage only in a choice of law analysis if there is a true conflict. Id. at 15. They argue that UHC only has shown a conflict between Rhode Island law and Massachusetts law, but not Florida law. Id. Additionally, Plaintiffs aver that the conduct leading to the alleged injury occurred in Rhode Island and that the parties' relationship was centered in Rhode Island. Id. at 16. Additionally, Plaintiffs argue that Rhode Island law should apply globally to ensure predictable results and support the interest of judicial economy. Id. at 16-17.

Massachusetts follows the economic loss rule in tort cases, whereas Rhode Island does not. (Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 15.)

Before engaging in a choice of law analysis, the Court first must determine whether a "true conflict" exists between the laws of two states. To Hamogelo Toy Paidiou v. Estate of Papadopouli, No. NP-2017-0205, 2019 WL 5685846, at *6 (R.I. Super. Oct. 25, 2019) (citing National Refrigeration, Inc. v. Standen Contracting Co., Inc., 942 A.2d 968, 973-74 (R.I. 2008)). The Court "need not engage in a choice-of-law analysis when no conflict-of-law issue is presented . . ." National Refrigeration, Inc., 942 A.2d at 973-74.

In the event of a true conflict, our Supreme Court "has adopted the 'interest-weighing' approach in deciding choice of law questions." Najarian v. National Amusements, Inc., 768 A.2d 1253, 1255 (R.I. 2001). Under the "interest-weighing" approach, the Court must "look at the particular case facts and determine therefrom the rights and liabilities of the parties 'in accordance with the law of the state that bears the most significant relationship to the event and the parties.'" Cribb v. Augustyn, 696 A.2d 285, 288 (R.I. 1997) (quoting Pardey v. Boulevard Billiard Club, 518 A.2d 1349, 1351 (R.I. 1986)). "Factors which must be weighed in determining which law applies are '(1) predictability of result; (2) maintenance of interstate and international order; (3) simplification of the judicial task; (4) advancement of the forum's governmental interests; and (5) application of the better rule of law.'" Najarian, 768 A.2d at 1255 (quoting Pardey, 518 A.2d at 1351) (internal citation omitted). With respect to tort cases, the Court must consider (a) the place where the injury occurred; (b) the place where the conduct causing the injury occurred; (c) the domicil, residence, nationality, place of incorporation and place of business of the parties; and (d) the place where the relationship, if any, between the parties is centered. Brown v. Church of Holy Name of Jesus, 105 R.I. 322, 326, 252 A.2d 176, 179 (1969). Our Supreme Court has held that, out of the above-mentioned factors, "the most important factor is the location where the injury occurred." Taylor v. Massachusetts Flora Realty, Inc., 840 A.2d 1126, 1128 (R.I. 2004).

The Court finds that a choice-of-law analysis is premature at this juncture. As the Court previously determined in Gemma v. Sweeney, No. PC-2018-3635, 2019 WL 5396136 (R.I. Super. Oct. 15, 2019), "a choice-of-law determination is not appropriate until the presiding court receives an adequate amount of factual briefing." Gemma, 2019 WL 5396136, at *5 (citing Burdick v. Air & Liquid Systems Corp., No. PC 11-3431, 2012 WL 5461184, at *5 (R.I. Super Nov. 2, 2012)). Only after a fuller evidentiary record can the Court engage in a choice-of-law analysis. Id. Here, UHC merely presumes, without evidentiary support, that the out-of-state Plaintiffs' injuries occurred in jurisdictions outside Rhode Island. See UHC's Mem. 11-12. The Court finds that the factual record must be more fully developed. Thus, Rhode Island law will be uniformly applied to Plaintiffs' claims until the Court is presented with further evidence supporting the application of another state's substantive law.

Plaintiffs Have Standing to Bring a Claim Against RIPTA

The Court now turns to RIPTA's argument that Plaintiffs lack standing to assert their claims. Specifically, RIPTA submits that Plaintiffs lack standing to bring Count III for negligence. See RIPTA's Mem. in Support of RIPTA's Mot. to Dismiss (RIPTA's Mem.) 7-15. "Standing is a threshold inquiry into whether the party seeking relief is entitled to bring suit." Narragansett Indian Tribe v. State, 81 A.3d 1106, 1110 (R.I. 2014). "In addressing the question of standing, 'the court must focus on the party who is advancing the claim rather than on the issue the party seeks to have adjudicated.'" Benson v. McKee, 273 A.3d 121, 129 (R.I. 2022) (quoting Key v. Brown University, 163 A.3d 1162, 1168 (R.I. 2017)). "The sine qua non of standing is that a plaintiff must have a personal stake in the outcome." Mruk v. Mortgage Electronic Registration Systems, Inc., 82 A.3d 527, 535 (R.I. 2013). A plaintiff must allege an injury-in fact, which must be "concrete and particularized, . . . not conjectural or hypothetical." Key v. Brown University, 163 A.3d 1162, 1169 (R.I. 2017); see also Benson, 273 A.3d at 129.

RIPTA states that Plaintiffs can be divided into two categories: "(1) those who allege an increased risk of future identity theft; and (2) those who allege an actual or attempted misuse of personal information that was not involved in-and that Plaintiffs fail to connect to-this incident." Id. at 3 (emphasis in original). RIPTA submits that Rosa, Cassell-Johnson, and Cappalli fall into the first category, while Morelli, Potenza, Botelho, Galamaga, Lamarre, Novsam, Kulik, Snow, Plante, and Ruo fall into the second category. See id. at 7, 12.

Plaintiffs respond by arguing that standing is analyzed differently when a data breach is central to the litigation and that "a long and growing line of data breach cases . . . have concluded (1) that allegations of increased risk of future harm constitute injury-in-fact for standing purposes. . . ." (Pls.' Mem. in Opp'n to RIPTA's Mot. to Dismiss 5.) They submit that a "concrete harm" need not be tangible and that disclosure of private information suffices to confer standing. Id. at 8-9 (collecting cases). Because Plaintiffs have alleged disclosure of their PHI and PII, they have shown a concrete harm. Id. at 9. Plaintiffs also submit that "[c]ourts across the country have held that 'the "invasion of [a plaintiff's] privacy interest'" resulting from a data breach is considered concrete harm, analogous to the common law tort of public disclosure of private facts, establishing standing." Id. at 8 (citing Wynne v. Audi of America, Case No. 21-cv-08518-DMR, 2022 WL 2916341, at *4 (N.D. Cal. July 25, 2022)). As such, Plaintiffs "assert they have suffered privacy harm through the loss of their PHI and PII." Id. at 9.

Plaintiffs also maintain that an increased risk of future identity theft arising from a data breach is a compensable injury for standing purposes. Id. at 10-12 (collecting cases). They principally point to In re Zappos.com, Inc. Customer Data Security Breach Litigation, 888 F.3d 1020 (9th Cir. 2018), in which the United States Court of Appeals for the Ninth Circuit held that the plaintiffs had shown standing where their credit card information was compromised due to a data breach, even though there was no evidence that the information was misused. Id. at 11 (citing Zappos, 888 F.3d at 1028-29). Plaintiffs further point to the United States Supreme Court's holdings that "an allegation of future injury may suffice if the threatened injury is 'certainly impending' or if there is a 'substantial risk that the harm will occur.'" Id. (quoting Zappos, 888 F.3d at 1026; see also Susan B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014).

RIPTA replies that Plaintiffs make "sweeping generalizations and one-size-fits-all arguments to support their contention that Plaintiffs have standing to bring their claims against RIPTA." (RIPTA's Reply 5.) RIPTA responds that all of Plaintiffs' allegations fail because either: (1) increased risk of potential identity theft is a future, speculative injury; and (2) financial fraud was not at issue in the RIPTA data breach. Id. at 8. RIPTA continues that the case law cited by Plaintiffs is factually distinguishable because it involved different types of breaches and data elements. Id. Here, Plaintiffs aver that their "double extortion" attack was to exchange money for data, not identity theft. Id. at 9 (citing In re Practicefirst Data Breach Litigation, 1:21-CV-00790 (JLS/MTR), 2022 WL 354544, at *5 (W.D.N.Y. Feb. 2, 2022). Secondly, RIPTA asserts that Plaintiffs' allegations for privacy harm are non-specific and too broad to establish standing. Id. Lastly, Plaintiffs' cannot connect their alleged injuries to the data breach at issue, according to RIPTA. Id. at 11.

Here, Plaintiffs allege that their PHI and PII were compromised and placed on the Dark Web for sale. Id. at 13. They maintain that the Court can presume that this information is to be used for illegitimate purposes, such as identity theft or fraudulent financial activity. See id. at 13-14. Thus, Plaintiffs argue that, even if there is no harm presently, it is "certainly impending," which is sufficient for standing. Id. at 14 (citations omitted). Finally, Plaintiffs argue that their alleged harms bear a "'close relationship' to a harm traditionally recognized as providing a basis for a lawsuit in American courts." Id. at 14 (quoting TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2200 (2021)). Plaintiffs point to Clemens v. ExecuPharm Inc., 48 F.4th 146, 157 (3rd Cir. 2022), in which the United States Court of Appeals for the Third Circuit held that allegations of private information being stolen and published on the Dark Web was sufficiently analogous to harms recognized at common law. Id. at 14-15.

Plaintiffs-and Defendants in their Reply memoranda-also devote significant time arguing that they have adequately pled causation between the alleged misconduct and their injuries. See id. at 16-19. However, Rhode Island relies solely on the injury-in-fact prong for standing questions. E.g., Benson, 273 A.3d at 129. Therefore, the Court need only find "an injury in fact resulting from the challenged action." Harrop v. Rhode Island Division of Lotteries, No. PC-2019-5273, 2019 WL 6768536, at *7 (R.I. Super. Dec. 5, 2019). This Court held in Harrop that an injury in fact "can encompass any injury that results as a direct or indirect consequence of the challenged action and is not commensurate with traditional notions of causal connection, such as but-for or proximate cause." Id. In Rhode Island Ophthalmological Society v. Cannon, our Supreme Court adopted the injury-in-fact standard, economic or otherwise. 113 R.I. 16, 22, 317 A.2d 124, 128 (1974). The Court has defined injury in fact as "an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical." See, e.g., Key, 163 A.3d at 1169. The focal point is not on the claim, but on the claimant, and the court must decide whether the claimant is a proper party in the adjudication. Narragansett Indian Tribe, 81 A.3d at 1110.

This Court addressed Rhode Island's standing requirements in Harrop v. The Rhode Island Division of Lotteries, No. PC-2019-5273, 2019 WL 6768536, at *6-7 (R.I. Super. Dec. 5, 2019).

Rosa, Cassell-Johnson, and Cappalli

Regarding Rosa, Cassell-Johnson, and Cappalli, RIPTA argues that they have not alleged an actual injury sufficient to confer standing. (RIPTA's Mem. 8.) Instead, Rosa, Cassell-Johnson, and Cappalli allege that they "will be harmed" or are at "risk of future fraud and identity theft." Id. (citing Am. Compl. ¶¶ 198, 232, 271). Additionally, RIPTA submits that Rosa's independent procurement of identity theft monitoring services cannot constitute standing because (1) RIPTA offered identity protection services free of charge; and (2) Rosa cannot manufacture standing by inflicting a financial burden on himself, even if it is a precautionary measure to mitigate the risk of future harm. Id. (citing Clapper v. Amnesty International USA, 568 U.S. 398, 402 (2013); Torres v. Wendy's Co., 195 F.Supp.3d 1278, 1284 (M.D. Fla. 2016)). To the extent that Rosa, Cassell-Johnson, and Cappalli allege that they may suffer injuries in the future, RIPTA maintains that such allegations are too speculative for standing purposes. Id. at 9-12 (collecting cases).

Cappalli alleges that her confidential information was exposed to the Dark Web because of the alleged breach. (Am. Compl. ¶ 270.) Because of the exposure, Cappalli asserts that she is at imminent risk of future harm from fraudulent activity. Id. ¶ 271-72. Cassell-Johnson alleges that, because of the data breach, she could not file her taxes because a third party already had fraudulently filed tax returns in her name, causing her harm. Id. ¶ 230. She also argues that she is still at risk of future, imminent harm because her and other Plaintiffs' information already has been misused. Id. ¶ 232-33. Rosa likewise asserts that, because other Plaintiffs have had their similar PHI and PII misused, Rosa is an imminent threat to future harm of misuse of his confidential information on the Dark Web. Id. ¶ 200-201. Further, due to the data breach, Rosa purchased an identity monitoring service. Id. ¶ 202.

Whether a party has standing in data breach contexts for risk of future, imminent harm under Rhode Island's law is a matter of first impression. As such, the Court is compelled to discuss applicable authority in other jurisdictions. See Ho-Rath v. Corning Incorporated, 275 A.3d 100, 106 (R.I. 2022). Both parties cite a plethora of case law to support their respective positions for the three named Plaintiffs under this heading. In the interest of brevity, the Court will summarize the overarching points relating to the case as presented by each side.

In Katz v. Pershing, LLC, the Court determined that the invasion of a common-law right is sufficient to create standing. 672 F.3d 64, 72 (1st Cir. 2012). However, as Defendant notes and the First Circuit concluded, Plaintiff did not have standing to bring common-law contractual claims because Plaintiff was unable to show the existence of an express or implied contract between the parties. Id. at 72-75.

The First Circuit very recently decided a data breach case in which the pertinent motion to dismiss hinged on the existence of injury in fact. See Webb v. Injured Workers Pharmacy, LLC, 72 F.4th 365 (1st Cir. 2023). There, in January 2021, defendant suffered a data breach where hackers gained access to the PII of over 75,000 patients, including names and Social Security numbers. Id. at 370. Defendant did not notify the affected parties until February 2022. Id. Two named plaintiffs were discussed in the decision. See generally Webb. Plaintiff I received notice of the breach, immediately feared for her personal security, and spent considerable time and money to protect her information. Id. Notably, a fraudulent tax return also was filed in plaintiff I's name because of her stolen information. Id. On the other hand, plaintiff II asserted that, because of the data breach, she "fears for her personal financial security," and "[expends] considerable time and effort monitoring her accounts to protect herself from . . . identity theft." Id. (internal quotations omitted). The plaintiffs filed a class action, asserting state law claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty. Id. at 370-71. First, the Court determined that the misuse of plaintiff's PII to file a fraudulent tax return created a plausible, concrete injury in fact. Id. at 372-73. The Court focused on the "actual misuse of [plaintiff I's] stolen PII to file a fraudulent tax return" in finding that plaintiff I suffered her concrete injury, relying on Katz. Id. at 373.

The Webb Court wrestled with plaintiff II because the complaint did not allege an actual misuse of her information. Id. at 374. However, the Court concluded that plaintiff II suffered concrete harm sufficient for standing because she alleged a plausible concrete injury based on the risk of future misuse of her PII. Id. The Court articulated that "'a material risk of future harm can satisfy the concrete-harm requirement.'" Id. at 375 (quoting TransUnion LLC, 141 S.Ct. at 2210). Considerations the First Circuit-as well as sister circuits have analyzed-measured were "'(1) whether the plaintiffs' data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.'" Id. (quoting McMorris v. Carlos Lopez & Associates, LLC, 995 F.3d 295, 303 (2d Cir. 2021)). The Court found that the data was likely to be misused, the fact that some of the information already had been misused makes it more likely to be misused, and the compromised data was particularly sensitive. Id. at 375-76. Therefore, the Court held, "the totality of the complaint plausibly alleges an imminent and substantial risk of future misuse of the plaintiffs' PII." Id. at 376.

Given Webb's recent publication, the parties requested, and the Court allowed, each to submit supplemental memorandum addressing Webb on August 21, 2023. (Docket.) Plaintiffs offered several points. See generally Pls.' Suppl. Mem. First, Plaintiffs assert that "several of the Plaintiffs" have alleged actual misuse of their data stemming from the data breach. Id. at 2. Plaintiffs declare that actual misuse of data allegations are sufficient for Plaintiffs to pursue damages. Id. at 3. Next, Plaintiffs aver that, because Webb held that the risk of future harm was sufficient to confer standing on the class members, Plaintiffs have standing to assert their similar claims. Id. at 4.

Further, Plaintiffs state that Webb allowed one plaintiff to rely on the fraudulent use of the other's stolen information to support her claim of risk of future harm. Id. at 5. Hence, according to Plaintiffs, because some Plaintiffs suffered fraudulent use of their information, the others who had not could rely on the risk of this harm happening to them. Id. Moreover, Plaintiffs argue that the Court should view the sensitive data breached here as the Webb Court did and find that misuse of this data amounts to an "imminent risk of future harm." Id. at 5-6.

Additionally, Plaintiffs argue that the federal pleading standard, which they describe as a "significantly" higher burden, "did not deter the Webb Court[,]" and it should not dissuade this Court. Id. at 7. Likewise, Plaintiffs maintain that their privacy amounts to a "legally protected interest" under both state and federal law. (Pls.' Suppl. Mem. 10-11 (citing In re Johnson & Johnson Talcum Powder Products Marketing, Sales Practices & Liability Litigation, 903 F.3d 278, 284 (3d Cir. 2018); Rhode Island Ophthalmological Society, 113 R.I. at 22, 317 A.2d at 128. Plaintiffs further contend that discussion about Plaintiffs connecting their breached data with actual misuse is unnecessary at this stage of the litigation given that it is a Motion to Dismiss. (Pls.' Suppl. Mem. 12.) This "data connection issue[]" is improper when conducting the standing analysis. Id.

In addition, Plaintiffs aver they have sufficiently alleged both actual harm and the risk of future harm. Id. at 13. Plaintiffs dismiss RIPTA's argument that the data breach resulted from a ransomware attack, as this is not alleged in the Complaint. Id. Plaintiffs also maintain that their injuries are not "speculative" because many have been alerted that their information may be on the Dark Web or have reported actual fraudulent transactions. Id. at 15. This has put each Plaintiff at "imminent risk of having their identities or money stolen." Id. Plaintiffs individually allege their actual injury and their imminent injury from the risk of future harm. Id. at 16.

In its supplemental memorandum addressing Webb, RIPTA makes three arguments. (RIPTA's Suppl. Mem. 3-7.) First, RIPTA avers that Webb is distinguishable because it involved a data breach targeting personal information while the present matter centered on a ransomware attack. Id. at 3. RIPTA implores the Court to focus on the hackers' request for ransom as evidence that they sought money and not Plaintiffs' identities. Id. Because Plaintiffs' PII was not targeted by this attack, the Court should decline to adopt Webb, an action in which identity theft was the motive of the data breach, according to RIPTA. Id. at 4.

Second, RIPTA maintains that only one Plaintiff claims that a fraudulent tax return was filed in her name. Id. Said Plaintiff, Cassell-Johnson, "makes no allegation as to her efforts to protect her personal information[]" or that the return includes her Social Security number or date of birth, according to RIPTA. Id. at 4-5. Further, RIPTA posits that Plaintiffs who have suffered financial fraud have failed to connect that fraud to the breach. Id. at 5. RIPTA also labels Plaintiffs' claims of hackers combining Plaintiffs' PII with other information before committing the financial fraud as "pure speculation." Id. RIPTA proffers that Plaintiffs have failed to present lost wages or other "'profitable use' of the time they spent addressing the RIPTA incident." Id. at 6.

Third, RIPTA contends that Webb supports dismissal of Plaintiffs' requested injunctive relief because "[t]his relief would not redress Plaintiffs' alleged injuries-or risk of future injury- related to personal information that they allege is now in the hands of criminals." Id. at 7. According to RIPTA, this precludes standing for Plaintiffs to pursue an injunctive remedy. Id.

UHC also submitted a supplemental memorandum addressing Webb and the instant motion. See generally UHC's Suppl. Mem. UHC submits that "Webb does not address the issues raised by UHC's Motion." Id. at 2. Instead, "UHC demonstrated in its Motion that Plaintiffs had not stated a single claim under Rule 12(b)(6) against UHC for multiple independent reasons." Id. UHC also argues that "Webb is factually distinguishable because the claims in that case were brought against the defendant whose computer systems were breached." Id. (citing Webb, 72 F.4^that 370.) Because Plaintiffs are attempting to sue a party whose computer systems were not the subject of a data breach, UHC proclaims that Webb has no impact on Plaintiffs' claims that "have no support in Rhode Island Law." (UHC's Suppl. Mem. 2.)

Based on the foregoing, the Court determines that Cappalli, Cassell-Johnson, and Rosa all have alleged a concrete injury in fact sufficient to satisfy standing on their negligence claims. First, Cassell-Johnson has alleged that she could not file a tax return because a fraudulent one was already filed, much like the plaintiff I in Webb. See Am. Compl. ¶¶ 229-30; see Webb, 72 F.4th at 373. In applying that same standard for injury-in-fact here, the Court also determines that Cassell-Johnson has alleged an actual injury-in-fact that establishes standing. Furthermore, Cappalli and Rosa have met the necessary requirements for standing in this data breach action. Looking at the factors articulated in Webb, Cappalli and Rosa both allege that other stolen data already has been misused, and the information is personal and highly sensitive (the PHI and PII that was downloaded included: "plan member names, Social Security numbers, addresses, dates of birth, Medicare identification numbers and qualification information, health plan member identification numbers, healthcare claim amounts and dates of service for which claims were filed." (Am. Compl. ¶ 40.). Id. at 376. Based on these allegations, the Court is satisfied that Rosa and Cappalli also have alleged a concrete and particularized injury-in-fact sufficient to establish standing on their negligence claims.

2 Morelli, Potenza, Botelho, Galamaga, Lamarre, Novsam, Kulik, Snow, Plante, and Ruo

RIPTA asserts that the immediately above-named Plaintiffs allege the same conclusory allegations as Plaintiffs Rosa, Cappalli, and Cassell-Johnson. (RIPTA's Mem. 12.) Beyond those claims, RIPTA argues, these Plaintiffs cannot show that the fraudulent activity was a consequence of the data breach. Id.

With respect to Plaintiffs Morelli, Potenza, Botelho, and Galamaga, RIPTA avers that the connection between the fraudulent activity and the data breach is unwarranted and inadequate to establish standing. Id. at 13. In addition, RIPTA submits that Plaintiffs Novsam, Kulick, Snow, Plante, and Ruo do not identify specific pieces of personal information that were involved in the data breach. Id. Specifically, RIPTA maintains that the allegation that some of Plaintiffs Novsam's, Kulick's, and Ruo's RIPTA information was found on the Dark Web cannot be attributed to the data breach. Id. at 14 (citing Blood v. Labette County Medical Center, Case No. 5:22-cv-04036-HLT-KGG, 2022 WL 1174559, at *4 (D. Kan. Oct. 20, 2022)). RIPTA concludes that, "[b]ecause the First Amended Complaint fails to allege any connection between Plaintiffs' purported actual injuries and the particular data at issue in this security incident, they lack standing to pursue their claims against RIPTA." Id. at 14 (internal citations omitted).

It is clear to the Court that the named Plaintiffs above also satisfy standing in the action. The Court already determined that other Plaintiffs have alleged harm from the breach because their confidential data was stolen and misused; furthermore, these Plaintiffs allege to have suffered from privacy harm through the loss of their PHI and PII. See Am. Compl. ¶¶ 74-187. Specifically, these Plaintiffs were allegedly victims of fraudulent activity, including misuse of their information. As such, the Court determines that these named Plaintiffs also satisfy standing for data breach cases, as the First Circuit recently spelled out. See Webb, 72 F.4th at 373.

Plaintiffs' Negligence Claim against RIPTA

Sufficiency of Alleged Injuries

RIPTA next argues that Plaintiffs' negligence claim also ought to be dismissed for failure to allege an actual injury or damages. (RIPTA's Mem. 19.) In further detail, RIPTA first asserts that Plaintiffs Rosa, Cassell-Johnson, and Cappalli cannot allege an actual injury or loss related to the data breach in question. Id. at 20. RIPTA submits that they can "merely allege a fear that they may suffer a potential future injury." Id. Furthermore, RIPTA also argues that, while fraudulent activity may have occurred, Plaintiffs Morelli, Potenza, Botelho, Galamaga, and Lamarre have failed to allege "out-of-pocket costs associated with this alleged fraud." Id. In the same vein, RIPTA also avers that Plaintiffs Novsam, Kulick, Snow, Plante, and Ruo do not allege financial losses. Id. at 21. Specifically, RIPTA states that Plaintiff Ruo's expenditure to purchase credit monitoring services does not constitute a reasonable and necessary financial loss because RIPTA offered the same services for free. Id. (citing Griffey v. Magellan Health Inc., 562 F.Supp.3d 34, 47 (D. Ariz. 2021)).

On the other hand, Plaintiff only argues that,

"RIPTA argues Plaintiffs' negligence claims fails for the same reason-that Plaintiffs have failed to plead a cognizable injury related to the data breach. Plaintiffs hereby incorporate this section in response to Defendant's argument at pages 19-24 and maintain that their allegations of injury are sufficient to state a claim for negligence." (Pls.' Mem. in Opp'n to RIPTA's Mot. to Dismiss 16 n.3.)

RIPTA replies to Plaintiff's footnote, asserting that the injury element for negligence is not identical to the injury-in-fact element for standing. (RIPTA's Reply 12.) As such, RIPTA concludes that Plaintiffs have failed to allege causation and actual damages that are sufficient to sustain their negligence claim. Id. at 13.

In setting forth a negligence claim, the plaintiff "must establish a legally cognizable duty owed by a defendant to a plaintiff, a breach of that duty, proximate causation between the conduct and the resulting injury, and the actual loss or damage." Holley v. Argonaut Holdings, Inc., 968 A.2d 271, 274 (R.I. 2009). It is also well-settled law that "'issues of negligence are ordinarily not susceptible of summary adjudication, but should be resolved by trial in the ordinary manner.'" Id. (quoting Gliottone v. Ethier, 870 A.2d 1022, 1028 (R.I. 2005)). As such, "[o]nly when a party property overcomes the duty hurdle in a negligence action is he or she entitled to a factual determination on each of the remaining elements: breach, causation, and damages." Ouch v. Khea, 963 A.2d 630, 633 (R.I. 2009).

However, the context of an alleged injury in the context of negligence in data breach cases is an area of first impression in Rhode Island. The question the Court must answer is whether the various Plaintiffs have alleged an actual injury sufficient for negligence. Again, the Court is compelled to discuss applicable authority in other jurisdictions. See Ho-Rath, 275 A.3d at 106. In Shafran v. Harley-Davison, Inc., the Southern District of New York determined that the time and expense of credit monitoring to combat an increased risk of future identity theft is not an injury that the law can remedy. No. 07 Civ. 01365, 2008 WL 763177, at *3 (Mar. 20, 2008). In that case, a laptop containing personal information of the plaintiff and 60,000 of the program's members was missing from the defendants' facilities. Id. at *1. Defendants conducted an investigation and found no personal information was misused. Id. However, the plaintiff filed suit, alleging that he would be required to pay for future credit monitoring services and would need to take "time consuming steps" related to credit monitoring. Id. The Court found that credit monitoring alone is insufficient to establish an injury for their claim for negligence. Id. at *3.

In In re Sony Gaming Networks and Customer Data Security Breach Litigation, the Southern District of California faced a similar issue, assessing whether the plaintiffs suffered a cognizable injury to recover damages. 903 F.Supp.2d 942, 962 (S.D. Cal. 2012). There, the Court determined that, although the plaintiffs satisfied Article III standing, their claims based on increased risk of future harm were insufficient to sustain a negligence claim. Id. at 963. Without "specific factual statements that Plaintiffs' Personal Information [had] been misused, in the form of an open bank account, or un-reimbursed charges, the mere 'danger of future harm, unaccompanied by present damage, will not support a negligence action.'" Id. (internal quotation omitted).

The Court is persuaded by the case law outlined above. It follows that, in Rhode Island, an increased risk of future harm, without any present harm, does not suffice for a plaintiff to recover damages. Thus, a plaintiff who pleads only an increased risk of future harm is unable to establish the element of damages. However, misuse of a person's personal information, such as attempts to open a bank account or other fraudulent activity, would be sufficient to show an injury recoverable under a negligence claim.

Further, the Court declines to follow in Shafran because it is more persuaded by the First Circuit's decision in Anderson v. Hannaford Brothers Co., 659 F.3d 151, 162-63 (1st Cir. 2011). The Court assessed whether mitigation damages, such as credit monitoring services, were reasonable enough, as a nonphysical injury, to be sufficient for a cognizable injury. Id. at 162. Citing to Maine law and the Restatement (Second) Torts § 919, the Court quoted that, "[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened." Anderson, 659 F.2d at 162 (citing Restatement (Second) Torts § 919(1)). Additionally, the First Circuit found that Maine law "'encourages plaintiffs to take reasonable steps to minimize losses caused by a defendant's negligence.'" Id. (quoting In re Hannaford Brothers. Co. Customer Data Security Breach Litigation, 4 A.3d 492, 496 (2010)). In limiting recovery on reasonable foreseeability grounds, the Court concluded that costs associated with identity theft insurance or replacement fees involved actual financial losses that were recoverable, so long as they were reasonable. Id. at 167.

The Court allows the rules set forth in Anderson, finding that mitigation damages would qualify as actual financial harm from data breach misuse. See id. Therefore, the Court will turn to the named Plaintiffs cited in the First Amended Complaint and evaluate their claims for damages to determine the sufficiency of cognizable injury for Plaintiffs' negligence claim. The Court determines that the following Plaintiffs have stated a cognizable injury in the First Amended Complaint that is sufficient for the negligence claim against RIPTA: Plaintiffs Morelli, Novsam, Snow, Potenza, Plante, Botelho, Cassell-Johnson, Galamaga, and Lamarre have all pled sufficient, cognizable injuries to assert their negligence claim against RIPTA. All Plaintiffs, in different ways, have alleged present misuse of their personal, stolen information that qualifies as cognizable injuries, including unauthorized withdrawals (Am. Compl. ¶¶ 78, 121, 158) and attempts to open bank accounts or credit cards (Am. Compl. ¶¶ 95, 111). These are sufficient injuries that are reasonable, foreseeable, and satisfy the injury element for damages at the pleading stage.

However, Plaintiffs Ruo, Rosa, Kulik, and Cappalli have not alleged injuries sufficient to show a cognizable injury. Their alleged injuries concern either a risk of harm in the future or paying for credit monitoring services that were already offered by RIPTA. (Am. Compl. ¶ 74 (alleging that RIPTA offered Equifax credit monitoring in its notice to Plaintiffs regarding the data breach)). Our Supreme Court has found that the possibility of future harm occurring as a result of a defendant's negligence is not enough to support a negligence claim. Perrotti v. Gonicberg, 877 A.2d 631, 637 (R.I. 2005). Therefore, the Court determines that Plaintiffs Ruo, Rosa, Kulik and Cappalli have not alleged sufficient injuries to bring their negligence claim against RIPTA. The Court CONDITIONALLY GRANTS Defendant RIPTA's Motion to Dismiss with respect to Count III specifically against Plaintiffs Ruo, Rosa, Kulik, and Cappalli, with the opportunity to replead their allegations within twenty (20) days.

Causation

Lastly, RIPTA asserts that Plaintiffs cannot connect their alleged injuries to the data breach at issue. (RIPTA's Reply 11.) RIPTA asserts that Plaintiffs' "generic allegations that describe how the dark web works in general are insufficient to allege 'a substantial likelihood' that the data breach at issue in this case caused their specific purported injuries." Id.

Plaintiffs counter, asserting that they have established a "logical connection between the Data Breach and the harm suffered by Plaintiffs." (Pls.' Mem. in Opp'n to RIPTA's Mot. to Dismiss 16.) Specifically, Plaintiffs argue they have pled theft, fraud, lost time, out-of-pocket costs associated with risk mitigation, loss of money due to bank deductions, damage to their credit, and the risk of third parties improperly accessing their PHI and PII. See id. at 16-17.

The Court will not consider Plaintiffs Ruo, Rosa, Kulik and Cappalli in this analysis, as the Court has just determined that those Plaintiffs did not meet the threshold cognizable injury to bring their negligence claims. See supra, § III.C.1. As to other named Plaintiffs in the action, the Court determines Defendant RIPTA has not met its burden to show beyond a reasonable doubt that there is no causal connection between Plaintiffs' alleged injuries and the data breach at issue. See generally Am. Compl. It is well-settled Rhode Island law that a motion to dismiss will only be granted if it is clear beyond a reasonable doubt that the plaintiff would not be entitled to relief. Goddard v. APG Security-RI, LLC, 134 A.3d 173, 175 (R.I. 2016). Taking all the allegations in the Complaint as true, Plaintiffs have pled that they were harmed because of the data breach that occurred here. See Am. Compl. ¶¶ 74-171. The Court finds that Plaintiffs have adequately pled sufficient allegations of causation between their injuries and the data breach. Plaintiffs have pled that, as a direct and proximate cause of their data being breached in this attack, they have suffered from fraudulent activity, as outlined above.

In addition, the Court also takes note of the procedural posture. It is well settled that issues of negligence are typically not susceptible even at the summary judgment stage of litigation but should be resolved by trial. Gliottone, 870 A.2d at 1028. The Court does not make factual determinations on breach, causation, or damages until the party has established duty. Ouch, 963 A.2d at 633. In Gliottone and Ouch, the Supreme Court confronted motions for summary judgment and still articulated that the remaining negligence elements are typically issues of fact. Here, the present controversy is at the motion-to-dismiss stage, a much higher bar for prevailing than summary judgment. Therefore, the Court finds that it lacks the ability to decide as a matter of law that Plaintiffs are precluded from relief. This is because Defendant RIPTA has failed to show beyond a reasonable doubt that a causal link between Plaintiffs' injuries and the data breach did not exist.

Count I Fails Because No Private Right of Action Exists Under Rhode Island's Identity Theft Protection Act

With respect to Count I of the Amended Complaint, Defendants argue that the Identity Theft Protection Act, G.L. 1956 chapter 49.3 of title 11, does not afford a private right of action. See UHC's Mem. 5; RIPTA's Mem. 15-19. Defendants point to § 11-49.3-5(c), which vests the Attorney General with exclusive enforcement authority. (UHC's Mem. 5; RIPTA's Mem. 17.) RIPTA additionally argues that the Identity Theft Protection Act only prescribes civil penalties, not damages or injunctive relief. (RIPTA's Mem. 17.) RIPTA concludes that, because the statute does not provide for damages or injunctive relief, the pursuit of such remedies is not permitted. See id.

Plaintiffs contend that the Identity Theft Protection Act does not prohibit private individuals from bringing a claim thereunder. (Pls.' Mem. in Opp'n to RIPTA's Mot. to Dismiss 20-21; Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 7.) They cite to Cort v. Ash, 422 U.S. 66, 78 (1975), as support for the proposition that courts can consider whether an ambiguous statute provides for private causes of action based on "(1) whether the plaintiff is one of a class for whose benefit the statute was enacted (2) whether there is an indication of legislative intent to create or deny such a remedy and (3) whether such a remedy would be consistent with the underlying legislative purpose." (Pls.' Mem. in Opp'n to RIPTA's Mot. to Dismiss 21.)

Prescribing remedies by statute "'is a legislative responsibility [and] not a judicial task.'" Stebbins v. Wells, 818 A.2d 711, 716 (R.I. 2003) (quoting Cummings v. Shorey, 761 A.2d 680, 685 (R.I. 2000)). Where the General Assembly fails to include a private right of action within a statute, "'no private cause of action for damages [under the statute] was intended.'" Id. (quoting Cummings, 761 A.2d at 685). Here, § 11-49.3-5(c) clearly and unambiguously only gives the Attorney General the power to bring a cause of action. Section 11-49.3-5(c). This observation alone supports the notion that the Rhode Island's Identity Theft Protection Act does not provide a private right of action for Plaintiffs. Stebbins, 818 A.2d at 716.

This Court considered a similar issue in Oliveira v. Rhode Island Lottery, No. PC-2021-03645, 2022 WL 8345018 (R.I. Super. Oct. 5, 2022). In Oliveira, the plaintiff brought claims under, inter alia, G.L. 1956 chapter 61.2 of title 42. Oliveira, 2022 WL 8345018, at *9. This Court found that the statute at issue gave sole enforcement power to the State and its regulatory agencies, and thus the Legislature did not make a private right of action available. Id. The Court comes to the same conclusion here because the Legislature plainly omitted a private right of action in the Identity Theft Protection Act. See Stebbins, 818 A.2d at 716. Thus, RIPTA and UHC's Motions to Dismiss as to Count I of the Amended Complaint must be GRANTED.

Count II Does Not Fail Because UHC Has Not Met Its Burden to Show that RIPTA is a Third-Party Health Insurer under the Confidentiality of Health Care Communications and Information Act

UHC argues that Count II alleging violations of the Confidentiality of Health Care Communications and Information Act should be dismissed because UHC was permitted to release the confidential information at issue to RIPTA. (UHC's Mem. 6.) G.L. 1956 § 5-37.3-4(b)(6) provides that no consent is needed to release or transfer confidential healthcare information "[t]o third-party health insurers, including to utilization review agents as provided by § 23-17.12-9(c)(4), third-party administrators licensed pursuant to chapter 20.7 of title 27, and other entities that provide operational support to adjudicate health insurance claims or administer health benefits[.]" Section 5-37.3-4(b)(6). UHC argues that RIPTA is a health insurer under the statute, and therefore UHC was expressly authorized to perform the transfer. (UHC's Mem. 6.)

Moreover, UHC contests the notion that RIPTA is a separate and distinct entity administering a separate health insurance plan from the State Plan. Id.; see Am. Compl. ¶ 306. Instead, UHC avers that the State Plan and RIPTA Plan are one and the same, and that the RIPTA Plan is merely a subgroup of the State Plan. (UHC's Mem. 6-7; UHC's Mem. Ex. 2, at 8.) UHC further points to paragraph 352 of the Amended Complaint, where Plaintiffs allege that "UHC provided services to the State and RIPTA under a single Administrative Services Agreement." (UHC's Mem. 7 (citing Am. Compl. ¶ 352)). For those reasons, UHC concludes that Plaintiffs have not stated a claim for violation of the Confidentiality of Health Care Communications and Information Act. Id.

UHC argues that, even if Plaintiffs sufficiently alleged a violation of the statute, Plaintiffs have failed to plead a legally cognizable harm. Id. at 8. UHC avers that a plaintiff bringing an action under the Confidentiality of Health Care Communications and Information Act may recover for actual and exemplary damages. Id. (citing Washburn v. Rite Aid Corp., 695 A.2d 495, 499 (R.I. 1997)). However, none of the non-RIPTA Plaintiffs have alleged actual harms related to the release of confidential healthcare information to RIPTA. Id.

UHC acknowledges that Plaintiff Snow "alleges that an unknown person attempted to 'chang[e] her address with one of her doctors.'" (UHC's Mem. 8) (quoting Am. Compl. ¶ 106). However, UHC avers that the only data files that were transmitted to RIPTA "'included healthcare plan member identification numbers, claim amounts, and dates of service for claims filed,' not physician names." Id. at 8-9 (quoting Am. Compl. ¶ 6). Thus, UHC argues that Plaintiff Snow's allegations are not connected to UHC's release of confidential healthcare information to RIPTA. See id.

Plaintiffs argue that the Confidentiality of Health Care Communications and Information Act mandates written consent prior to the release or transfer of confidential healthcare information. (Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 9.) The statute does not make an exception for "inter-agency or intra-agency transfers, even if the transferee is a 'subgroup' of a larger employer." Id. at 10. Additionally, Plaintiffs contend that the State Plan and RIPTA Plan are distinct; Plaintiffs point to UHC's exhibit, which states that "RIPTA participants are not included in the census or claims experience provided." (UHC's Mem. Ex. 2, at 9 (emphasis in original)). Based on that language, Plaintiffs argue that they have sufficiently alleged that the State Plan and RIPTA Plan are separate entities and that the unauthorized transfer of confidential information from one to the other was impermissible. (Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 10.)

Plaintiffs further submit that allowing UHC to transfer confidential healthcare information to another entity-either a separate entity or a subgroup-would be contrary to the purpose of the Confidentiality of Health Care Communications and Information Act. Id. at 11. At a minimum, Plaintiffs contend that they are entitled to discovery regarding how the State Plan and RIPTA Plan coexist and to "have an opportunity to challenge [UHC]'s interpretation of the [Confidentiality of Health Care Communications and Information] Act." Id. Plaintiffs also argue that they have pled sufficient harms to satisfy their burden. Id.

The Court finds that UHC has not met its burden to show beyond a reasonable doubt that Plaintiffs are not entitled to relief under Count II. There are legal issues at play in this matter that preclude dismissal at this juncture. Firstly, although § 5-37.3-4(b)(6) permits disclosure of confidential healthcare information to, inter alia, third-party health insurers without consent, it is unclear whether RIPTA qualifies as an insurer under the statute. After reviewing UHC's Administrative Services Agreement, the Court finds the agreement is between UHC and the State; RIPTA is not named as an insurer. See UHC's Mem. Ex. 1, at 1. Additionally, RIPTA is not expressly referenced as an insurer in the RFP for UHC's services. See UHC's Mem. Ex. 2, at 8-9. Given this, it appears the State would qualify as a third-party health insurer, but not RIPTA. Secondly, assuming arguendo that RIPTA was a third-party health insurer, UHC released confidential healthcare information of both State Plan and RIPTA Plan enrollees. See Am. Compl. ¶ 33. It is unclear at this time whether UHC could transfer State Plan enrollees' confidential healthcare information to RIPTA without the enrollees' consent. Assuming that RIPTA was not a third-party health insurer, Plaintiffs have alleged a cognizable harm under the statute. Thus, the Court finds that further discovery is necessary, and that UHC's Motion to Dismiss as to Count II of the Amended Complaint must be DENIED.

Count VII Fails Because UHC is a Regulated Entity

Next, UHC argues that Count VII alleging violations under the Deceptive Trade Practices Act must fail for three reasons. Id. at 9 (citing § 6-13.1). First, Plaintiffs do not allege that they are "consumers" or that they purchased goods or services from UHC. Id. Instead, Plaintiffs allege that "'the State of Rhode Island had a contract with and used UHC' to administer the State health insurance plan in which they enrolled." Id. (quoting Am. Compl. ¶ 22). UHC additionally avers that there is no "vendor-consumer relationship" between Plaintiffs and UHC. Id. Because Plaintiffs must show that they are consumers or that UHC made representations to them, their failure to do so means that Count VII must be dismissed. Id.; see Laccinole v. Appriss, Inc., 453 F.Supp.3d 499, 506 (D.R.I. Apr. 13, 2020).

Second, even if Plaintiffs successfully alleged that they were consumers or that UHC made representations to them, Plaintiffs have failed to show that UHC's alleged representations were "'material to [their] choices or conduct.'" (UHC's Mem. 9-10 (quoting Laccinole v. Gulf Coast Collection Bureau, Inc., C. A. No. 22-223-JJM-LDA, 2023 WL 157719, at *4 (D.R.I. Jan. 11, 2023))). Plaintiffs have not alleged that they relied on, or were even aware of, representations by UHC relating to data security protocols when they elected to participate in their employer-sponsored healthcare plans. Id. at 10. Thus, UHC argues that Plaintiffs' claim under the Deceptive Trade Practices Act must fail as a matter of law. Id.

Third, UHC argues that the Deceptive Trade Practices Act exempts entities that are subject to state or federal regulation. Id. (citing Kelley v. Cowesett Hills Associates, 768 A.2d 425, 432 (R.I. 2001)). UHC avers that it is subject to monitoring by the United States Department of Health and Human Services and points to paragraph 56 of the Amended Complaint, which expressly alleges that UHC is subject to the mandates of HIPAA. Id. (citing Am. Compl. ¶ 56). Thus, UHC argues that Count VII must fail because UHC is exempted from the statute at issue. Id.

In opposition, Plaintiffs argue that they need not plead "magic words" to satisfy the definition of "consumer" under the Deceptive Trade Practices Act. (Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 12.) Rather, the Plaintiffs "'need only allege facts showing [they] fit[] within the act's definition of consumer.'" Id. (quoting Kuper v. Stewart Title Guaranty Co., No. 01-00-00777-CV, 2002 WL 31429754, at *4 (Tex. Ct. App. Oct. 31, 2002)). They contend that a plaintiff must show that "'(1) it sought or acquired . . . goods or services by purchase or lease[,] and (2) the goods or services form the basis of the complaint.'" Id. (quoting Hardge v. Bank One Trust Co., N.A., No. 3:06-CV-1985-M, 2007 WL 1228034, at *2 (N.D. Tex. Apr. 26, 2007)). Additionally, Plaintiffs should be considered consumers by their relationship with the transaction, not by a contractual relationship with UHC. See id. (citing Doyle v. Chrysler Group LLC, No. SACV 13-00620 JVS (ANx), 2014 WL 1910628, at *7 (C.D. Cal. Jan. 29, 2014)). Plaintiffs aver that they qualify as "consumers" because they "acquired services from [UHC] in the form of claims processing and administration of Plaintiffs' health insurance benefits." Id. at 13. Although Plaintiffs did not sign a contract with UHC, they interacted with UHC on healthcare coverage issues. Id. Plaintiffs argue that this relationship is sufficient to evidence that they are "consumers" under the Deceptive Trade Practices Act Id.

Plaintiffs further argue that UHC has not met its burden to show an exemption under the Deceptive Trade Practices Act. Id. at 13-14. They aver that UHC must prove that it is subject to monitoring and that it obtained "permission or register[ed] with the proper regulatory agency." Id. at 14 (citing State v. Piedmont Funding Corp., 119 R.I. 695, 699, 382 A.2d 819, 822 (1978)). Plaintiffs contend that UHC has not identified a regulatory agency or officer that monitors its performance or compliance with rules and regulations. Id. Moreover, they argue that the mere existence of laws governing UHC's practices "is not enough to prove that a governmental agency monitors UHC's industry." Id. Because UHC has not met their burden, Plaintiffs ask that UHC's Motion to Dismiss as to Count VII of the Amended Complaint be denied. Id. at 14-15.

The Court finds that UHC is an exempted entity. Section 6-13.1-4 provides that the Deceptive Trade Practices Act shall not apply "to actions or transactions permitted under laws administered by the department of business regulation or other regulatory body or officer acting under statutory authority of this state . . . ." Section 6-13.1-4. UHC is subject to Rhode Island's Third-Party Health Insurance Administrators Act, G.L. 1956 chapter 20.7 of title 27, because it meets the definition of a third-party health insurance administrator. See § 27-20.7-2(1). In addition, UHC is a certified health insurance administrator in Rhode Island and is subject to the purview of the Rhode Island Department of Business Regulation. Rhode Island's Health Insurance Commissioner is vested with statutory authority to regulate, suspend, or revoke a third party health administrator's certificate of authority if, inter alia, the administrator violates "any lawful rule or order of the commissioner or any provision of the insurance laws of this state." See § 27-20.7-15(b)(1). The Court is satisfied that UHC's conduct is governed by a Rhode Island regulatory authority and that UHC's Motion to Dismiss as to Count VII of the Amended Complaint must be GRANTED. See § 6-13.1-4.

An administrator "means a person who directly or indirectly solicits or effects coverage of, underwrites, collects charges or premiums from, or adjusts or settles claims on residents of this state, or residents of another state from offices in this state, in connection with life or health insurance coverage or annuities . . ." Section 27-20.7-2(1).

The certification can be found online at the DBR's website by using the following link: https://dbr.ri.gov/sites/g/files/xkgbur696/files/documents/divisions/insurance/financial_info/2019 /UnitedHealthcare_of_New_England_03_31_2019.pdf.

Count IV Fails Because Plaintiffs Failed to Show That UHC Owed a Duty of Care

UHC next asserts that Plaintiffs' Count IV for negligence must fail for multiple reasons. See UHC's Mem. 13-20. First, UHC argues that Plaintiffs do not sufficiently allege a duty of care owed to them. Id. at 14-17. The allegation that UHC owed a duty arising from "'federal and state law, their contracts with the State, and RIPTA, and industry standards[,]'" in UHC's view is insufficient. Id. at 14 (quoting Am. Compl. ¶ 330).

In response, Plaintiffs point to our Supreme Court's discussion of the several factors "that courts should use to determine whether a common law duty exists[,]" including (1) foreseeability of harm; (2) the degree of certainty that the plaintiff suffered an injury; (3) the closeness of the connection between the defendant's conduct and the injury suffered; (4) the policy of preventing future harm; and (5) the extent of the burden to the defendant and the consequences to the community for imposing a duty to exercise care with resulting liability for breach. (Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 18-19 (citing Banks v. Bowen's Landing Corp., 522 A.2d 1222, 1225 (R.I. 1987))). However, the Court finds that the Banks factors do not apply to Plaintiffs' assertions in their Amended Complaint, alleging a legal duty existed as a matter of statute, industry custom, or contract. See Am. Compl. ¶ 330.

UHC Does Not Owe Plaintiffs a Duty of Care under HIPAA

UHC avers that the federal law Plaintiffs rely on to establish a duty of care is the Health Insurance Portability and Accountability Act (HIPAA). Id. However, UHC argues that Rhode Island has not recognized a common law duty of care to comply with HIPAA and that sole enforcement power is vested in the United States Department of Health and Human Services. Id. at 14-15. UHC further points out that other jurisdictions have disallowed negligence claims against HIPAA on the ground that the statute does not confer a private right of action. See id. (collecting cases). The Court agrees that Plaintiffs do not have a private right of action under HIPAA.

A private right of action under federal law "must be created by Congress." Bonano v. East Caribbean Airline Corp., 365 F.3d 81, 84 (1st Cir. 2004) (citing Alexander v. Sandoval, 532 U.S. 275, 286 (2001)). To determine the existence of a private right of action, the Court must answer two inquiries: (1) whether Congress intended to create a private right of action; and (2) whether Congress intended to create a corresponding remedy. Id. (citing Gonzaga University v. Doe, 536 U.S. 273, 283 (2002)). If the Court finds that Congress did not grant a private right of action, it need go no further. Id. (citing Gonzaga University, 536 U.S. at 283-84). The source of a private right of action "must be found in the text of the statute." Id. (citing Sandoval, 535 U.S. at 291).

After reviewing the text of HIPAA, the Court finds no language affirmatively granting a private right of action for violations thereof. See generally Pub. L. 104-191, 101 Stat. 1936. Enforcement of HIPAA is left exclusively to the United States Department of Health and Human Services and other federal executive agencies. Id. The Court further is convinced by the fact that Plaintiffs cannot point to a single provision indicating that Congress intended to grant a private right of action for HIPAA violations. See Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 17-25. Instead, they point to common law factors to establish their claim, incognizant of the fact that the language of the statute is controlling here. Because Plaintiffs have failed to show that Congress intended to grant Plaintiffs a private right of action for HIPAA violations, the Court must conclude that Congress did not intend for one to exist. See Bonano, 365 F.3d at 84. Because HIPAA does not confer a private right of action, the Court does not see how UHC owes a duty of care to Plaintiffs thereunder. Even if UHC does have a duty to comply with HIPAA, Plaintiffs may not bring a private claim for alleged violations because enforcement power is left to governmental agencies. For these reasons, the Court finds that Plaintiffs' claim for negligence arising from an alleged failure to comply with HIPAA must be dismissed.

UHC Does Not Owe Plaintiffs a Duty of Care under the Identity Theft Protection Act

For similar reasons, the Court must also find that Plaintiffs' claim for negligence arising from an alleged failure to comply with the Identity Theft Protection Act is also meritless. As discussed above, the Identity Theft Protection Act does not confer a private right of action. See supra, Part III.A. Plaintiffs may not engage in artful pleading to circumvent the fact that their supporting statutory authority gives no avenue for private relief. Accordingly, Plaintiffs' claim for negligence arising under the Identity Theft Protection Act must be dismissed.

Industry Standards Alone Do Not Establish a Duty of Care

UHC further argues that Plaintiffs may not bring a negligence claim on alleged violation of unidentified "industry standards." First, UHC avers that the Amended Complaint does not specify the industry standards that were allegedly violated, which does not give UHC fair notice. (UHC's Mem. 16.) Additionally, UHC points to case law outside the jurisdiction to support the notion that industry standards alone do not give rise to a duty of care. Id. (collecting cases). Plaintiffs contend that UHC's failure to comply with "widespread industry standards relating to data security" and failure to "exercise reasonable care in safeguarding and protecting Plaintiffs' personal and financial information" amounts to a viable negligence claim. See Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 18 n.6.

The Court initially finds that Plaintiffs' allegations that UHC violated industry standards does not fall afoul of Rule 8. It is long-standing policy in Rhode Island not to dispose of cases "on arcane or technical grounds." Haley v. Town of Lincoln, 611 A.2d 845, 848 (R.I. 1992). Our Supreme Court has held that a pleading must merely "provide the opposing party with 'fair and adequate notice of the type of claim being asserted.'" Gardner v. Baird, 871 A.2d 949, 953 (R.I. 2005) (quoting Haley, 611 A.2d at 848). Here, the Court finds that Plaintiffs have put UHC adequately on notice that they take issue with industry customs that UHC allegedly violated.

However, the Court also finds that Plaintiffs may not maintain a negligence action based on alleged industry custom violations alone. Industry customs and practices define the standard of care, but they do not go toward the existence of a duty of care. See Restatement (Second) Torts § 295A (1965). Thus, Plaintiffs' arguments put the cart before the horse; they must first show that UHC owes a duty of care, then introduce evidence of industry customs to establish the standard of care. See id. Because Plaintiffs' assertions of industry customs fail to show that UHC owes a duty of care, their legal theory must be dismissed out of hand.

UHC's Contracts with the State and RIPTA Do Not Themselves Establish a Duty of Care

UHC argues that Plaintiffs' final theory to establish a duty of care-its contracts with the State and with RIPTA-fails as a matter of law. See UHC's Mem. 17. UHC posits that, even if contracts between UHC, the State, and RIPTA give rise to a contractual duty to safeguard confidential information, that duty would be owed to the State or RIPTA, not to Plaintiffs. Id. In support, UHC refers to Laprocina v. Lourie, 250 A.3d 1281 (R.I. 2021). In that case, the plaintiff was severely injured after he was struck by a car while walking across the street. Laprocina, 250 A.3d at 1283. The plaintiff sued, inter alia, the Narragansett Electric Company on the basis that it "allowed a 'rolling blackout' to occur or failed to repair, replace, and maintain the streetlights in the area, which created a dangerous condition to pedestrians." Id. at 1283-84. The plaintiff argued that Narragansett Electric Company owed a duty of care pursuant to a Public Utilities Commission tariff and city ordinances. Id. at 1286. However, our Supreme Court determined that Narragansett Electric Company did not owe a duty to the plaintiff because, inter alia, (1) the city had exclusive ownership and control over its public streets; (2) there was no special relationship giving rise to a duty of care; and (3) the harm was not foreseeable. See id. at 1289-90.

Plaintiffs contend that "[a] contractual obligation may be evidence of a legal duty[,]" and that a special relationship between parties to a contract can give rise to a tort claim. See Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 18 n.5 (citing Erlich v. Menezes, 981 P.2d 978, 983 (Cal. 1999)). Plaintiffs aver that Defendants were the sole point of contact between Plaintiffs and their health insurance; consequently, Plaintiffs sufficiently depended on Defendants for the Court to find the existence of a legal duty. Id. The Court disagrees.

The Court finds no precedent in Rhode Island standing for the proposition that an alleged breach of contract simultaneously can give rise to a claim in tort. Moreover, the Court finds that the holding in Erlich undercuts Plaintiffs' argument. The Supreme Court of California affirmed that "'[a] contractual obligation may create a legal duty and the breach of that duty may support an action in tort[,]'" but with the caveat that "conduct amounting to a breach of contract becomes tortious only when it also violates a duty independent of the contract arising from principles of tort law." Erlich, 981 P.2d at 983 (citations omitted) (emphasis added). Based on their cited authority, Plaintiffs may not rely solely on a purported contract to establish a legal duty; they must submit an independent basis evidencing a duty of care. See id. Plaintiffs have failed to do so. See supra, Part III.G.1-3. Thus, Plaintiffs' claims for negligence remain wanting for a legal duty.

Plaintiffs have sufficiently alleged a duty of care under their legal theories proposed in the Amended Complaint. The Court does not foreclose the possibility that Plaintiffs' negligence claim against UHC may survive if it asserts a legal duty under common law principles. See generally Banks, 522 A.2d at 1222. However, the Court finds that the Amended Complaint asserts a legal duty arising from statute, industry practices, and UHC's contractual relationships with the State and RIPTA alone. See Am. Compl. ¶ 330. Under Rhode Island's motion to dismiss standard, the Court's review is limited to the pleadings. See Multi-State Restoration, Inc., 61 A.3d at 416. Thus, UHC's Motion to Dismiss as to Count IV of the Amended Complaint is CONDITIONALLY GRANTED , and Plaintiff shall have twenty (20) days to replead.

Because the Court conditionally grants UHC's Motion to Dismiss as to Count IV of the Amended Complaint based on Plaintiffs' failure to assert a legal duty, the Court need not reach causation.

Counts V, VI, and IX Do Not Fail Because UHC Has Not Met Its Burden

UHC further argues that Plaintiffs' claims sounding in breach of contract, breach of implied contract, and third-party beneficiary claims must fail as a matter of law. See UHC's Mem. 21-26. For reasons stated herein, the Court finds that UHC has not met its burden to show beyond a reasonable doubt that Plaintiffs' claims cannot survive under any conceivable set of facts. See Laurence, 788 A.2d at 456.

UHC Has Not Met Its Burden to Show the Absence of an Express Contract

With respect to Count V sounding in breach of an express contract, UHC avers that Plaintiffs fail to allege that they entered into a written contract with UHC. (UHC's Mem. 21.) UHC also attacks Plaintiffs' reliance on "written privacy notices" because Plaintiffs do not allege that they ever saw those notices, nor do Plaintiffs allege language in the notices showing that UHC promised to keep information confidential or otherwise limit its disclosure. Id. Because Plaintiffs do not allege that they read or relied upon the terms of purported written privacy notices, UHC argues that mutual assent-an essential element to any breach of contract claim-cannot be satisfied. Id. at 21-22 (collecting cases). Additionally, UHC argues that Plaintiffs fail to establish a causal connection between UHC's misconduct and Plaintiffs' damages. Id. at 22.

Plaintiffs argue that UHC's written privacy policies evidence a promise that UHC would "protect Plaintiffs' personal information and keep it confidential." (Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 30.) Plaintiffs also aver that they and UHC had a meeting of the minds when Plaintiffs enrolled in their respective health insurance plans and submitted private information to UHC. Id. They conclude by stating that UHC was under a contractual duty to comply with its own privacy policies to ensure that Plaintiffs' information was protected. Id.

To prevail on a breach of contract claim, a plaintiff "must prove both the existence and breach of a contract, and that the defendant's breach thereof caused the plaintiff's damages." Fogarty v. Palumbo, 163 A.3d 526, 541 (R.I. 2017) (citing Petrarca v. Fidelity and Casualty Insurance Co., 884 A.2d 406, 410 (R.I. 2005)). UHC points to, inter alia, Capps v. Bullion Exchange, LLC, Case No. 18-CV-00162-GKF-FHM, 2019 WL 4918682 (N.D. Okla. July 9, 2019), in which the United States District Court for the Northern District of Oklahoma observed that, on the issue of whether a privacy policy constitutes an express contract, courts "generally conclude that privacy statements do not constitute contracts." Capps, 2019 WL 4918682, at *2 (collecting cases). However, the Court notes that the Capps Court was faced with a motion for summary judgment, not a motion to dismiss. See id. at *1.

Here, the Court must determine whether UHC has shown beyond a reasonable doubt that Plaintiffs are not entitled to relief. See Laurence, 788 A.2d at 456. The Court cannot say that UHC has met its burden at this juncture. Without reviewing the privacy notices, the Court cannot determine its binding effect, if any, on the parties. Thus, the Court finds that more discovery is needed to determine the existence of an express contract arising from the written privacy notices, and that the issue may be revisited at the summary judgment stage. As a result, UHC's Motion to Dismiss as to Count V of the Amended Complaint is DENIED.

UHC Has Not Met Its Burden to Show the Absence of an Implied Contract

With respect to Count VI sounding in breach of an implied contract, UHC argues that Plaintiffs fail to allege any facts supporting the notion that UHC contractually agreed to keep Plaintiffs' information secure. (UHC's Mem. 23.) UHC also argues that Plaintiffs' mere enrollment in a UHC-administered health plan is a legal conclusion that does not deserve weight. See id. (collecting cases). Moreover, UHC argues that there is a lack of causation between UHC's alleged misconduct and Plaintiffs' alleged damages. Id. at 23-24.

Plaintiffs respond by stating that they were required to provide sensitive information when they enrolled in UHC-administered plans. See Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 30-31. Plaintiffs aver that there was a tacit, mutual understanding that UHC would protect that information from unauthorized disclosure. Id. at 31. Thus, UHC was obligated to take some measures to limit access to the information. Id.

Our Supreme Court has held that "[a]n implied-in-fact contract 'is a form of express contract wherein the elements of the contract are found in and determined from the relations of, and the communications between the parties, rather than from a single clearly expressed written document.'" Cote v. Aiello, 148 A.3d 537, 545 (R.I. 2016) (quoting Marshall Contractors, Inc. v. Brown University, 692 A.2d 665, 669 (R.I. 1997)). An implied contract must satisfy the elements of an express contract. See Bailey v. West, 105 R.I. 61, 64, 249 A.2d 414, 416 (1969). Thus, the difference between an express contract and an implied contract is "simply the manner by which the parties express their mutual assent." Marshall Contractors, Inc., 692 A.2d at 669.

At this early stage, the Court cannot find that UHC has met its burden to show beyond a reasonable doubt that the parties did not enter into an implied contract. As our Supreme Court stated, an implied contract is found through the communications and conduct of the parties. Cote, 148 A.3d at 545. The Court does not have sufficient information regarding the parties' conduct to determine whether an implied contract was formed between UHC and Plaintiffs. Thus, more discovery is needed, and the issue may be revisited at summary judgment. As a result, UHC's Motion to Dismiss as to Count VI of the Amended Complaint is DENIED.

UHC Has Not Met Its Burden to Show That Plaintiffs Are Not Third-Party Beneficiaries

Finally, UHC argues that Plaintiffs' Count IX sounding in a third-party beneficiary claim for breach of contract fails as a matter of law because Plaintiffs "have not pointed to any contractual language clearly expressing that the parties to the Administrative Services Agreement intended to benefit them." (UHC's Mem. 24-25.) UHC also avers that Plaintiffs have not alleged other facts suggesting that they were the intended beneficiaries of the Administrative Services Agreement. Id. at 25. Moreover, UHC states that the express language of the Administrative Services Agreement bars Plaintiffs' third-party beneficiary claims. Id. UHC points to the Business Associate Addendum to the Administrative Services Agreement, which states that ""[n]othing express or implied in this Addendum is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors or assigns of the parties, any rights, remedies, obligations, or liabilities whatsoever." (UHC's Mem. Ex. 1, at 66, ¶ 6.) UHC argues that this language clearly and unambiguously shows that Plaintiffs have no third-party beneficiary rights. Id. at 25-26.

Plaintiffs argue that the purpose of the Administrative Services Agreement was to benefit the plan members. (Pls.' Mem. in Opp'n to UHC's Mot. to Dismiss 32.) UHC was required to manage and administer Plaintiffs' health insurance claims and benefits. Id. at 32-33. Plaintiffs also assert that UHC "promised to safeguard the members' health information and personal information under the terms of the agreement." Id. at 33.

The Court finds that UHC has not met its burden to show that Plaintiffs are precluded from bringing third-party beneficiary claims. Our Supreme Court looks to Restatement (Second) Contracts § 302, which provides:

"'[A] beneficiary of a promise is an intended beneficiary if recognition of a right to performance in the beneficiary is appropriate to effectuate the intention of the parties and either (a) the performance of the promise will satisfy an obligation of the promisee to pay money to the beneficiary; or (b) the circumstances indicate that the promisee intends to give the beneficiary the benefit of the promised performance.'" Hexagon Holdings, Inc. v. Carlisle Syntec Inc., 199 A.3d 1034, 1039-40 (R.I. 2019) (quoting Restatement (Second) Contracts § 302 (1981)).

The Court finds that UHC has not shown beyond a reasonable doubt that Plaintiffs and other plan members are not the intended recipients of UHC's promised performance under the Administrative Services Agreement. UHC was obligated to administer the State and RIPTA's health insurance plans, which ostensibly benefits the enrollees of those plans. Without more, the Court cannot determine that Plaintiffs were-or were not-intended beneficiaries of the Administrative Services Agreement. Thus, the Court finds that the issue is best left for further discovery and may be resolved at summary judgment. As a result, UHC's Motion to Dismiss as to Count IX of the Amended Complaint is DENIED.

IV Conclusion

Based on the foregoing, the Court rules as follows:

1. That the Court shall apply Rhode Island law until the Court is presented with further evidence supporting the application of another state's substantive law, see Part III.A supra;

2. That Plaintiffs have standing to assert claims against RIPTA, see supra, Part III.B;

3. That RIPTA's Motion to Dismiss is DENIED IN PART and CONDITIONALLY GRANTED IN PART with respect to Count III of the Amended Complaint; Plaintiffs Ruo, Rosa, Kulik and Capalli shall have twenty (20) days to replead, see supra, Part III.C;

4. That UHC and RIPTA's Motions to Dismiss are GRANTED with respect to Count I of the Amended Complaint, see supra, Part III.D;

5. That UHC's Motion to Dismiss is DENIED with respect to Count II of the Amended Complaint, see supra, Part III.E;

6. That UHC's Motion to Dismiss is GRANTED with respect to Count VII of the Amended Complaint, see supra, Part III.F;

7. That UHC's Motion to Dismiss is CONDITIONALLY GRANTED with respect to Count IV of the Amended Complaint; Plaintiff shall have twenty (20) days to replead, see supra, Part III.G; and

8. That UHC's Motion to Dismiss is DENIED with respect to Counts V, VI, and IX of the Amended Complaint, see supra, Part III.H;

Counsel shall prepare and submit the appropriate order for entry. The parties shall additionally meet and confer to reach an agreement on a Pre-Certification Scheduling Order within twenty-one (21) days of this Decision. The Court thereafter will hold a scheduling conference on a date to be set by the Court.

Morelli v. R.I. Pub. Transit Auth.

Opinion

Morelli v. R.I. Pub. Transit Auth.

Morelli v. R.I. Pub. Transit Auth.

Case Details

Citations

Morelli v. R.I. Pub. Transit Auth.

Opinion

Morelli v. R.I. Pub. Transit Auth.

Morelli v. R.I. Pub. Transit Auth.

Case Details

CitationsCopy Citation

Citations