
Orthman v. Premiere Pediatrics, PLLC

Court of Appeals of Oklahoma, Division III
Jan 5, 2024
2024 OK Civ. App. 7 (Okla. Civ. App. 2024)

Opinion

121682

01-05-2024

MICHAEL ORTHMAN, on his own behalf and on behalf of his minor children L.O. and K.O. and on behalf of all similarly situated persons, Plaintiffs/Appellants, v. PREMIERE PEDIATRICS, PLLC, Defendant/Appellee,

William B. Federman, Tanner R. Hilton, FEDERMAN & SHERWOOD, Oklahoma City, Oklahoma, for Plaintiffs/Appellants, Curtis J. Dewberry, DEWBERRY & HUBBARD, PLC, Oklahoma City, Oklahoma, for Defendant/Appellee.


Mandate Issued: 02/01/2024

APPEAL FROM THE DISTRICT COURT OF CLEVELAND COUNTY, OKLAHOMA HONORABLE MICHAEL D. TUPPER, TRIAL JUDGE


THOMAS E. PRINCE, PRESIDING JUDGE

¶1 The Plaintiffs' claims stem from an alleged cyberattack by unknown persons on a third-party healthcare technology company, Connexin Software, Inc., which allegedly manages the electronic health records and patient data analytics of the Defendant, Premiere Pediatrics, PLLC. The trial court dismissed the Petition, with prejudice, for both a lack of standing and for failure to state a claim upon which relief may be granted based primarily on the trial court's view that the Plaintiffs had not plead "concrete injuries-in-fact." We reverse in part and affirm in part. More specifically, we find that, as a matter of law, it was error for the trial court to dismiss the Petition based on an alleged lack of standing. We also find that, in light of the foundational principle of "notice pleading" that is firmly rooted in Oklahoma jurisprudence, it was error for the trial court to dismiss the claims for negligence, breach of implied contract, and breach of fiduciary duty based on the finding that, with respect to said claims, Plaintiffs failed to state a claim upon which relief may be granted. We affirm the trial court's dismissal of the remaining claims under 12 O.S. § 2012B(6). We additionally find that it was error for the trial court to not give the Plaintiffs an opportunity to amend the Petition, including, but not limited to, their claim for mitigation damages, which are in the nature of the expenses they expect to incur to guard against future or anticipated damages. As plead by the Plaintiffs, their mitigation damages consist of the cost of mitigating against the allegedly heightened and imminent risk of fraud and identity theft they now allegedly face. We find that, as a matter of law, such mitigation damages are not recoverable in the absence of actual past harms incurred by the Plaintiffs and, if so, only in the event the future effect of the injury or loss is shown "with reasonable certainty," not mere conjecture or probability. 
Thus, the trial court's Order of September 15, 2023, is affirmed, in part, and reversed, in part, and the matter is remanded for further proceedings consistent with this Opinion.

The Plaintiffs filed a "Class Action Petition" on April 12, 2023, signaling that they intend to seek class certification pursuant to 12 O.S. § 2023. The "Class Action Petition" is referred to herein as the "Petition."

BACKGROUND

¶2 This case is pursued by Michael Orthman, individually, and on behalf of his two minor children, L.O. and K.O. (collectively referred to as "Plaintiffs" or "Orthman"), and as a proposed class action on behalf of all similarly situated persons. The Petition was filed on April 12, 2023, in the District Court of Cleveland County. As alleged in the Petition, there occurred a "massive and preventable cyberattack..." on the electronic data stored in the computer network of the technology company that managed and maintained the patient data of Premiere Pediatrics, PLLC. Premiere responded to the Petition with a Special Appearance and Motion to Dismiss on or about May 9, 2023. A timely response and reply were filed by the Parties. The hearing, initially set for July 25, 2023, was continued to September 5, 2023. The trial court subsequently entered its Order of September 15, 2023, granting the Motion on the basis of a lack of standing, under 12 O.S. § 2012 (B)(1), and a failure to state a claim for relief, under 12 O.S. § 2012 (B)(6). This timely appeal followed.

¶3 Orthman alleges that Orthman's "Personal and Medical Information was maintained in a condition vulnerable to a cyberattack by a third-party healthcare technology company, Connexin Software, Inc...., which provides software solutions to assist medical facilities in managing electronic health records and patient data analytics." Orthman further claims that "[a]rmed with the Private Information accessed in the Data Breach, the data thieves can commit a variety of crimes including, inter alia, opening new financial accounts in Plaintiffs' and Class Members' names, taking out loans in Class Members' names, using Class Members' names to obtain medical services...". Orthman asserts that "[a]s a result of the Data Breach, Plaintiffs and Class Members have been exposed to heightened and imminent risk of fraud and identity theft... [and] Plaintiffs and Class Members may also incur out of pocket costs for, e.g., purchasing credit monitoring services... or other protective measures to deter and detect identity theft."

¶4 It is alleged that Premiere is a pediatric primary care facility providing a variety of services, including well-child exams. It is alleged that on August 26, 2022, Connexin Software, the medical records service provider, employed and negligently supervised by Defendant, detected a data anomaly on its internal network, and on September 13, 2022, confirmed that an unauthorized party was able to access confidential patient data stored on its network. The Plaintiffs further contend that, despite knowing of the Data Breach for more than three (3) months, Premiere did not have Connexin begin notifying Plaintiffs and Class Members until on or around December 2022.

¶5. Regarding damages, Orthman alleged that "Plaintiffs and Class Members now face an increased risk of fraud and identity theft and must deal with that threat forever. Plaintiffs believe their Personal and Medical Information was stolen in the Data Breach and is still in the hands of the hackers....". Similar allegations were made multiple times in the Petition. On the other hand, Orthman made several generalized claims in various parts of the Petition to the effect that Plaintiffs have "suffered... actual harms..." and "concrete injury," without providing any detail or by specifically identifying any actual improper use of his personal information or PHI by a hacker, such as to secure a loan or to steal any money. One expansive description of the alleged damages that appears to be inclusive of the various injuries that Orthman claims is set out in ¶ 78 (page 25), in part, as follows: "Plaintiffs and the Class have suffered, and continue to suffer, actual harm for which they are entitled to compensation, including... [a]ctual identity theft, including fraudulent credit inquiries and cards being opened in their names;... imminent and certainly impending injury... [l]oss of privacy... [a]scertainable losses in the form of time taken to respond to identity theft... [a]scertainable losses in the form of out-of-pocket expenses... [t]he loss of use of and access to their credit... [and] [d]amage to their credit...".

The Petition repeats some paragraph numbers on pages 36-54, with a second use of paragraph numbers 22 -- 111.

See Petition, ¶ 37 (page 11), ¶ 71 (page 22), ¶ 77 (page 24), ¶ 82 (page 27), ¶ 87 (page 28), ¶ 98 (page 32), ¶ 103 (page 33), ¶ 27 (page 37), ¶'s 58 & 59 (page 43), ¶ 96 (page 51), and ¶ 228 (page 68).

See Petition, ¶ 78 (page 25), ¶ 108 (page 34), ¶ 95 (page 51), ¶ 117 (page 55), ¶ 130 (page 57), ¶ 147 (page 60), ¶ 222 (page 63), and ¶ 228 (page 68).

¶6 Orthman attempts to allege nine claims for relief:

A. Negligence;
B. Negligence per se;
C. Invasion of Privacy;
D. Breach of Implied Contract;
E. Unjust Enrichment;
F. Breach of Fiduciary Duty;
G. Breach of Covenant of Good Faith and Fair Dealing;
H. Breach of Confidentiality; and,
I. Declaratory Judgment.

¶7 The trial court's Order of September 15, 2023, sustained the Motion to Dismiss and specifically found, in part, that "Plaintiffs' alleged mitigation efforts in responding to the Data Security Incident are insufficient to establish standing. (citations omitted)." The trial court also determined, with respect to each of the nine claims for relief, that Orthman had failed to state a claim for relief. In sustaining the Motion to Dismiss, the trial court dismissed Plaintiffs' Petition with prejudice, pursuant to 12 O.S. § 2012 (B)(1) and § 2012(B)(6).

¶8 The Exhibit "C" to the Petition in Error in this matter sets out fifteen separate issues. We have, however, reformulated the issues raised by Orthman to ten issues: i.e., (a) whether the trial court erred in determining that Orthman does not have standing to pursue a negligence claim because of a failure to allege damages with specificity; (b) whether the trial court erred in dismissing the claim for negligence per se; (c) whether the trial court erred in dismissing the claim for invasion of privacy; (d) whether the trial court erred in dismissing the claim for breach of implied contract; (e) whether the trial court erred in dismissing the claim for unjust enrichment; (f) whether the trial court erred in dismissing the claim for breach of fiduciary duty; (g) whether the trial court erred in dismissing the claim for breach of the implied covenant of good faith and fair dealing; (h) whether the trial court erred in dismissing the claim for breach of confidentiality; (i) whether the trial court erred in dismissing the claim for declaratory judgment and injunctive relief; and (j) whether the trial court erred in not providing Orthman an opportunity to amend with respect to the various alleged claims.

Issue one generally argues that the trial court erred in granting judgment to Defendant, an argument that the Court treats as subsumed by the other arguments. Issues two through five essentially raise the same point and have been treated by the Court as raising just one overall point (i.e., whether the trial court erred in determining that Orthman does not have standing to pursue a negligence claim because of a failure to allege damages with specificity).

STANDARD OF REVIEW

¶9 When a motion to dismiss is granted, the standard of review is de novo. Christ's Legacy Church v. Trinity Group Architects, 2018 OK CIV APP 31, ¶ 12, 417 P.3d 1223, 1227--1228 (citation omitted). De novo review involves a plenary, independent, and non-deferential reexamination of the legal rulings made by the trial court. Kluver v. Weatherford Hosp. Authority, 1993 OK 85, ¶ 14, 859 P.2d 1081, 1084 (citation omitted). "When evaluating a motion to dismiss, the court examines only the controlling law, not the facts. Thus, the court must take as true all of the challenged pleading's allegations together with all reasonable inferences that can be drawn from them." Wilson v. State ex rel. State Election Bd., 2012 OK 2, ¶ 4, 270 P.3d 155, 157 (internal citations omitted). Statutory interpretation is an issue of law subject to de novo review. Melson v. Wachovia Bank, 2010 OK CIV APP 135, ¶ 6, 245 P.3d 77, 79. Lastly, "[o]ur review of the question of standing is de novo and, consequently, is plenary, independent, and non-deferential." W. P. Bistro Tulsa, LLC v. Henry Real Est., LLC, 2022 OK CIV APP 24, ¶¶ 10-11, 514 P.3d 1091, 1095.

ANALYSIS

Dismissal Based on a Lack of Standing

¶10 The trial court erred, as a matter of law, with respect to the finding that Orthman lacks standing to pursue the various claims made in this case. The trial court made the following specific findings on the issue of standing:

The Petition fails to plead concrete injuries-in-fact to confer standing under Oklahoma law.... Plaintiffs' alleged mitigation efforts in responding to the Data Security Incident are insufficient to establish standing.... The Plaintiff's allegations on alleged loss in value of the PPI and PHI are too speculative and do not constitute an injury-in-fact. Similarly, Plaintiffs have not established a substantial or certainly impending risk of future harm necessary to establish standing. The Plaintiffs' claims of impending harm are speculative and insufficient to confer standing.

¶11 Premiere's challenge to Orthman's standing rests, at this time, solely on the allegations set out in Orthman's Petition concerning the alleged damages. This is proper because standing, as a jurisdictional defense, may be raised in a motion to dismiss (or at any time during the course of a case). HSBC, USA, Nat'l Ass'n as Tr. for Registered Holder of Ace Sec. Corp. Home Equity Loan Tr., Series 2006-NC3, Assets Backed Pass-Through Certificates v. Tuggle, 2019 OK CIV APP 37, ¶ 12, 444 P.3d 501, 504; Osage Nation v. Bd. of Commissioners of Osage Cnty., 2017 OK 34, ¶ 64, 394 P.3d 1224, 1245. Moreover, although the facts surrounding a standing defense are sometimes intertwined with the merits of a controversy, standing may be raised based solely on the allegations in a pleading alone (as has been done in this case) or by looking outside the pleadings and raised by use of the summary judgment process. See State ex rel. Bd. of Regents of Univ. of Oklahoma v. Lucas, 2013 OK 14, ¶ 10, 297 P.3d 378, 384.

¶12 Because Premiere's current challenge to Orthman's standing is based solely on the allegations in the Petition, the Court is obligated to employ the typical standards for resolution of a motion to dismiss. See Total Access, Inc. v. Caddo Elec. Co-op., 2000 OK CIV APP 60, ¶ 2, 9 P.3d 95, 96 ("[a] motion to dismiss is the proper method for testing a party's standing."); Oil Valley Petroleum, LLC v. Moore, 2023 OK 90, ¶ 74, 536 P.3d 556, 575, as corrected (Oct. 3, 2023) ('"[t]he general philosophy of the Pleading Code is that pleadings should give fair notice of the claim. (citation omitted). Trial court procedure distinguishes facts for various types of judicial treatment based upon the method a party uses for judicial cognizance of the particular fact, e.g., in a pleading, in a list of disputed or non-disputed facts in a motion for summary judgment, and testimony."); Frazier v. Bryan Mem'l Hosp. Auth., 1989 OK 73, ¶ 13, 775 P.2d 281, 287 ("[a] pleading must not be dismissed for failure to state a legally cognizable claim unless the allegations indicate beyond any doubt that the litigant can prove no set of facts which would entitle him to relief"). Moreover, in evaluating a motion to dismiss, the Court "must take as true all of the challenged pleading's allegations together with all reasonable inferences that can be drawn from them." Wilson v. State ex rel. State Election Bd., 2012 OK 2, ¶ 4, 270 P.3d 155, 157 (internal citations omitted).

¶13. Under Oklahoma law, "[s]tanding determines whether the person is the proper party to request adjudication of a certain issue and does not decide the issue itself. The key element is whether the party whose standing is challenged has sufficient interest or stake in the outcome." Matter of Est. of Doan, 1986 OK 15, ¶ 7, 727 P.2d 574, 576. See Indep. Sch. Dist. No. 9 of Tulsa Cnty. v. Glass, 1982 OK 2, ¶ 8, 639 P.2d 1233, 1237 ("[s]tanding has traditionally been defined as whether a party has a sufficient interest in an otherwise justiciable controversy to obtain judicial resolution of the controversy. If reliance is not placed on any specific statute authorizing invocation of the judicial process, the question of standing depends upon whether the party has alleged a personal stake in the outcome of the controversy."); Fent v. Contingency Rev. Bd., 2007 OK 27, ¶ 6, 163 P.3d 512, 519 ("[t]he three threshold criteria of standing are (1) a legally protected interest which must have been injured in fact i.e., suffered an injury which is actual, concrete and not conjectural in nature, (2) a causal nexus between the injury and the complained-of conduct, and (3) a likelihood, as opposed to mere speculation, that the injury is capable of being redressed by a favorable court decision.").

¶14 Orthman has alleged, in part, that he has suffered actual harm and concrete injury. The Petition certainly does not provide any detail or specificity concerning any actual improper use of the Plaintiffs' personal information or PHI by a hacker. As detailed above, the bulk of the damage claims in the Petition deal with the potential that Orthman faces "an increased risk of fraud and identity theft and must deal with that threat forever." Notwithstanding the allegations regarding anticipated risks and the potential for future damages, the general allegations in the Petition to the effect that the Plaintiffs already have suffered harm and have based their claims on past or previously sustained injuries constitute minimally sufficient allegations to establish standing. See 12 O.S. § 2008A ("[a] pleading which sets forth a claim for relief... shall contain: 1. A short and plain statement of the claim showing that the pleader is entitled to relief..."; Kpiele-Poda v. Patterson-UTI Energy, Inc., 2023 OK 11, ¶ 10, 525 P.3d 28, 32 ("'[t]he general philosophy in [Oklahoma's Pleading Code, 12 O.S. 2011, § 2001 et seq.] is that pleadings should give fair notice of the claim and be subject to liberal amendment, should be liberally construed so as to do substantial justice, and that decisions should be made on the merits rather than on technical niceties.'" (citation omitted)).

¶15 The trial court cited a recent decision in a data breach case from the Western District of Oklahoma to support its finding that "Plaintiffs' alleged mitigation efforts in responding to the Data Security Incident are insufficient to establish standing." See Legg v. Leaders Life Ins. Co., 574 F.Supp.3d 985, 990 (W.D. Okla. 2021) ("[n]otably, all of the circuit court cases 'conferring standing after a data breach based on an increased risk of theft or misuse included at least some allegations of actual misuse.' (citation omitted). Conversely, where no allegations of misuse are present, circuit courts have generally declined to find standing."). The decision in Legg also was cited in another data breach case from the Northern District of Oklahoma, again finding a lack of standing where the plaintiff had failed to allege any actual misuse of the data. See Deevers Stoichev v. Wing Fin. Servs., LLC, No. 22-CV-0550-CVE-JFJ, 2023 WL 6133181, at *6 (N.D. Okla. Sept. 19, 2023) ("[w]hile some circuits have found that misuse by a third-party, while sufficient, is not necessary on its own to establish imminence, the majority of courts, including district courts in this circuit, have concluded that plaintiffs must allege actual misuse to demonstrate they face an imminent risk of fraud."). While adding important insight (and representing persuasive authority) as to how an Oklahoma court should resolve the merits of a data breach controversy, the federal decisions offer no guidance when the parties are relying solely on the facts that may be gleaned from the well-plead allegations in a petition because, to date, the Oklahoma Supreme Court has not adopted the federal pleading standards that allow the dismissal of a claim "because it fails to state a 'plausible' claim." Edelen v. Bd. of Comm'rs of Bryan Cnty., 2011 OK CIV APP 116, ¶ 3, 266 P.3d 660, 668 (where the Court discussed the differences between the Oklahoma and federal pleading rules and reversed the dismissal of the petition by holding, in part, that "'relief is possible' based on these allegations".). Compare Bell Atl. Corp. v. Twombly, 550 U.S. 544, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007); Robbins v. Oklahoma, 519 F.3d 1242, 1247 (10th Cir. 2008) (noting that Twombly rejected the "'no set of facts'" language...[,] announcing a new (or clarified) standard: to withstand a motion to dismiss, a complaint must contain enough allegations of fact "'to state a claim to relief that is plausible on its face.'" (citation omitted)).

¶16 The issue of standing certainly can be reasserted by Premiere (as a jurisdictional defense) at any time in the case. See In re Beck, 2023 OK CIV APP 47, ¶ 9, reh'g denied (Apr. 28, 2023) ("[s]tanding is a jurisdictional question and may be correctly raised at any level of the judicial process or by the Court on its own motion."). Thus, we find that it was error for the trial court to dismiss the Petition based on an alleged lack of standing based solely on the alleged deficiencies in the well-plead allegations in the Petition.

Dismissal Based on the Failure to State a Claim for Relief

¶17 The trial court also dismissed each of Orthman's nine claims for relief under 12 O.S. § 2012B(6), for failure to state a claim for relief. As outlined below, we reverse and remand the trial court's decision, as a matter of law, with respect to the § 2012B(6) challenge to the negligence claim, the breach of implied contract claim, and the breach of fiduciary duty claim, and affirm the trial court's decision on the § 2012B(6) challenge to each of the other claims for relief.

1. Negligence

¶ 18 The trial court's Order of September 15, 2023, found, in part, that "Plaintiffs have failed to state a claim for negligence because Plaintiffs have not plead any actual facts to demonstrate that they have suffered actual damages." As with the issue of standing, the general allegations in the Petition to the effect that the Plaintiffs already have suffered harm and have based their claims on past or previously sustained injuries constitute minimally sufficient allegations to withstand a § 2012B(6) challenge. See Murrow v. Penney, 2023 OK 91, ¶ 16, 535 P.3d 1275, 1280 ("[t]he purpose of a motion to dismiss is to test the law that governs the claim in litigation, not the underlying facts. A pleading must not be dismissed for failure to state a legally cognizable claim unless the allegations indicate beyond any doubt that the litigant can prove no set of facts which would entitle the plaintiff to relief."). Thus, for the limited purpose of addressing the § 2012B(6) challenge to the negligence claim, we find that the trial court erred, as a matter of law, in finding that the "Plaintiffs have not plead any actual facts to demonstrate they have suffered actual injuries."

¶19 While we accept as true the general allegations in the Petition to the effect that Orthman has suffered damages for the identity theft (sufficient to establish standing and to state a negligence claim for relief), Orthman's allegations of future economic losses are inadequate as a matter of law. Orthman alleges that he "may incur out of pocket costs," and that he and his children "face an increased risk of fraud and identity theft." See Petition, ¶ 10 (page 4) & ¶ 32 (page 10) (emphasis added). Orthman further contends that he and his children suffered "ascertainable losses" resulting from his efforts to mitigate potential fraudulent activity following the data breach. See Petition, ¶ 109 (page 34). As plead by the Plaintiffs, mitigation damages will be incurred, consisting, in part, of the future cost of mitigating against the allegedly heightened and imminent risk of fraud and identity theft they now allegedly face. See 12 O.S. § 2009; West v. Bd. of Cnty. Comm'rs of Pawnee Cnty., 2011 OK 104, 273 P.3d 31, 38, n. 19 ("[e]conomic or special damages are defined as those which can either be assigned an exact dollar figure or calculated with reasonable mathematical certainty."); Florafax Int'l, Inc. v. GTE Mkt. Res., Inc., 1997 OK 7, ¶ 27, 933 P.2d 282, 292 (recognizing that alleged future losses constitute "special damages").

Title 12 O.S. § 2009G, provides as follows: "G. SPECIAL DAMAGE. When items of special damage are claimed, their nature shall be specifically stated. In actions where exemplary or punitive damages are sought, the petition shall not state a dollar amount for damages sought to be recovered but shall state whether the amount of damages sought to be recovered is in excess of or not in excess of the amount required for diversity jurisdiction pursuant to Section 1332 of Title 28 of the United States Code."

¶20 Although Oklahoma state courts have not directly addressed the issue of future injuries spawning from a data breach, Oklahoma case law is well settled with regard to the requisite standard of proof for future damages in negligence cases. A plaintiff must show the future effect of the injury or loss "with reasonable certainty," not mere conjecture or probability. Peppers Gasoline Co. v. Weber, 1940 OK 12, 186 Okla. 471, 98 P.2d 1087, 1091; Crown Drug Co. v. McBride, 1956 OK 292, ¶ 15, 303 P.2d 970, 977; White v. McDonald, 1968 OK 168, ¶ 18, 447 P.2d 746, 752--53.

¶21 Where Oklahoma case law remains unresolved on the issue of alleged future injuries in data breach cases, the Western District of Oklahoma's decision in Legg provides compelling direction. The plaintiff in Legg v. Leaders Life Insurance Company asserted strikingly similar claims for future injuries following a data breach, describing his injuries as "an imminent, immediate, and continuing risk of harm from identity theft." Legg, 574 F.Supp.3d 985 at 988. The Court rejected his claim, holding that "the risk of future harm alone cannot support standing for a damages claim," and that a Plaintiff must "plausibly plead that the risk of future harm as a result of the data breach is imminent," by demonstrating the harm is "certainly impending." Id. at 993. The Court further found that a future risk of injury which relies purely on "speculation about the decisions of independent actors" is insufficient to establish a concrete injury. Id. at 994. Orthman's Petition alleges that the future losses are "imminent and certainly impending," but fails to provide any supporting facts that the threat of economic injury is, in fact, imminent or certainly impending. Like the Legg plaintiff, Orthman's claims for future losses are based purely on speculation and rely on the ephemeral notion that Plaintiffs might someday suffer harm at the hands of hackers. A trial court cannot provide relief to an injury that has not yet occurred without concrete, factual support that the injury will occur. Although we find Orthman's general allegation that he has already suffered identity theft to be sufficient at the pleading stage to demonstrate present damages for his negligence claim, it is insufficient to state a claim for future injuries and we, therefore, affirm the trial court's finding that Orthman's alleged mitigation efforts and claim for future damages do not establish an injury-in-fact.

¶22 Orthman additionally claims he and his children have suffered "ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the data breach." See Petition, ¶ 109 (page 34). At the pleading stage of the case, we do not expect for Orthman to provide factual support for all his alleged claims. On the other hand, without a cognizable claim for future economic losses (as addressed above), Orthman is unable to legally justify his mitigation efforts as recoverable damages. For the purpose of determining damages in a negligence action, a party's mitigation of expenses is only relevant where the matter being mitigated was recoverable in the first place. See Krieger v. Marshall, 1956 OK 11, ¶ 23, 292 P.2d 379, 384 (where the Court compared two cases involving the measure of damages for injury to growing crops and each respective plaintiffs' mitigation efforts, finding the proper measure of damages to include mitigation efforts where a plaintiff's injuries had already manifested). Just as a plaintiff cannot "'manufacture standing' simply by 'incur[ing] [sic] certain costs as a reasonable reaction to a risk of harm,'" a plaintiff cannot justify mitigation efforts as a "concrete injury" where there is no imminent threat of harm. Legg, 574 F.Supp.3d 985 at 994. Because Orthman has yet to show a future economic loss is "reasonably certain," his alleged mitigation efforts are insufficient to establish a concrete injury-in-fact.

¶23 The trial court also found that "[t]he Plaintiffs' allegations on alleged loss in value of their PPI and PHI are too speculative and do not constitute an injury-in-fact." We agree with the trial court concerning this finding.

2. Negligence per se

¶ 24 The trial court dismissed Orthman's negligence per se claim on the basis that neither the Federal Trade Commission Act ("FTC Act") nor the Health Insurance Portability and Accountability Act ("HIPAA"), permit private causes of action. "Negligence per se is a term used when a duty of care is based upon a violation of specifically prescribed conduct required by a statute. 'When courts adopt the statutory standard for a cause of action for negligence...the violation of [the] statute constitutes negligence per se if the other elements of negligence are present.'" Smith v. Barker, 2017 OK CIV APP 69, ¶ 27, 419 P.3d 327, 333 (citation omitted). In order to establish negligence per se a party must show that the injury was caused by the statute's violation, the injury was the type intended to be prevented by the statute, and the injured party was a member of the class meant to be protected by the statute. Id., at ¶ 28. However, the standard of duty set forth in the statute must be fixed, defined by law, and be the same in all circumstances, otherwise a claim for negligence per se is not appropriate. Id., at ¶ 29. Where a determination as to whether conduct rises to the standards of conduct enjoined by the statute depends on the circumstances proved and requires evaluation of the evidence, then the issue is one of negligence, not negligence per se. Id.

¶25 The Oklahoma Supreme Court has held that the FTC Act does not provide a private cause of action. Patterson v. Beall, 2000 OK 92, ¶ 28, 19 P.3d 839. The 10th Circuit has recognized that HIPAA does not provide a private cause of action. Wilkerson v. Shinseki, 606 F.3d 1256, 1267 (10th Cir. 2010). Orthman claims, relying upon In re MCG Health Data Security Issue Litigation, No. 2:22-CV-849-RSM-DWC, 2023 WL 3057428 *4 (W.D. Wash. March 27, 2023), that "jurisdictions have held 'the violation of a statute or the breach of a statutory duty' may be considered by the trier of fact as evidence of negligence..." Orthman's reliance on In re MCG is misplaced. The MCG Court specifically rejected the claim for negligence based on a duty allegedly owed under HIPAA because the MCG Court recognized that HIPAA has been universally held not to authorize a private right of action. In addition, the MCG Court stated that the FTC Act fails the first two prongs of the Restatement (Second) of Torts test, i.e., the purpose of the statute is (1) to protect a class of persons including the plaintiffs, and (2) the particular interest in which the plaintiff alleges has been invaded. The MCG Court noted that the paramount aim of the FTC Act is the protection of the public from evils likely to result from the destruction of competition or the restriction of it in a substantial degree. The Court rejected the negligence claim for those reasons and, in addition, it rejected the claim for negligence per se because the State of Washington does not recognize negligence per se as an independent cause of action. The MCG Court stated that "[a]lthough the violation of a statute or the breach of a statutory duty 'may be considered by the trier of fact as evidence of negligence,'...Plaintiffs may not assert a separate cause of action for negligence per se in Washington." We find that, under Oklahoma law, there are no private causes of action under HIPAA and the FTC Act. Accordingly, we find that the claim for negligence per se was properly dismissed by the trial court.

3. Invasion of Privacy

¶ 26 The trial court determined that Orthman could not sustain a claim for invasion of privacy because the Petition was devoid of facts that would show Premiere intentionally intruded upon Plaintiffs' seclusion. In order to prevail on a claim for invasion of privacy by publication of private facts, Plaintiffs must demonstrate that the information disseminated by the data breach was (1) highly offensive to a reasonable person, (2) contained private facts about the Plaintiffs' lives, (3) was a public disclosure of private facts, and (4) was not of legitimate concern to others. Hadnot v. Shaw, 1992 OK 21, n. 30, 826 P.2d 978, 985. Intrusion upon seclusion has been defined by the Restatement (Second) of Torts as "[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another, or his private affairs or concerns....if the intrusion would be highly offensive to a reasonable person." Gilmore v. Enogex, Inc., 1994 OK 76, n. 27, 878 P.2d 360, 366.

¶27 Orthman argues that invasion of privacy from disclosure of private information can be a concrete injury and the release of Plaintiffs' personal information by way of a data breach is an invasion of privacy. The authority relied upon by Orthman involved an internet advertising company seizing internet browser history information for disclosure to others. See Mount v. PulsePoint, Inc., 684 Fed.Appx. 32 (2nd Cir. 2017). The distinguishing factor between this situation and the situation in Mount is that Premiere did not intentionally take the Plaintiffs' information and publish it to others. The information was stolen by a hacker. We, therefore, find that Plaintiffs cannot sustain a claim for invasion of privacy because, as plead in the Petition, the information was admittedly stolen from Connexin. The Order of the trial court dismissing the invasion of privacy claim is affirmed.

4. Breach of Implied Contract

¶ 28 Plaintiffs' breach of implied contract claim was dismissed by the trial court because the Petition included no factual allegations supporting the existence of any enforceable implied contract between Plaintiffs and Premiere. All contracts are either express or implied. 15 O.S. § 131. "An implied contract is one, the existence and terms of which are manifested by conduct." 15 O.S. § 133. "Implied contracts exist where the intention of the parties is not expressed, but the agreement creating the obligation is implied or presumed from their acts, where there are circumstances that show a mutual intent to contract." Jones v. University of Central Oklahoma, 1995 OK 138, ¶ 7, 910 P.2d 987, 989. Implied contracts, like all contracts, are founded upon the mutual agreement or consent of the parties. Id., and 15 O.S. § 2.

¶29 We note that at least a couple of courts have found that an implied contract may exist under circumstances involving data breaches. At this stage of the proceedings, there is a question of fact as to whether Premiere's choice to utilize Connexin was adequate to protect Plaintiffs' personal information. We, therefore, find that the trial court committed error when it dismissed the claim for breach of an implied contract.

See for examples Castillo v. Seagate Tech., LLC, No. 16-cv-01958, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016) and In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1176-1177 (D. Minn. 2014).

5. Unjust Enrichment

¶ 30 The trial court rejected Plaintiffs' claim for unjust enrichment because Plaintiffs paid for medical services -- not data privacy services -- and Premiere did not receive any direct benefit from Plaintiffs toward data privacy services. In Oklahoma, a claim for unjust enrichment is equitable in nature. N.C. Corff Partnership, Ltd. v. OXY USA, Inc., 1996 OK CIV APP 92, ¶ 25, 929 P.2d 288, 295. Unjust enrichment is "a condition which results from the failure of a party to make restitution in circumstances where not to do so is inequitable." Dept. of Securities ex rel. Faught v. Blair, 2010 OK 16, ¶ 22, 231 P.3d 645, 658-659. Although the elements of an unjust enrichment claim differ from state to state, Oklahoma defines unjust enrichment as "(1) the unjust (2) retention of (3) a benefit received (4) at the expense of another." Id.

¶31 Plaintiffs argue that many courts have concluded that the failure to secure a party's data can give rise to an unjust enrichment claim when a defendant accepts the benefits accompanying a plaintiff's data. However, other courts have held the opposite. In In re Arthur J. Gallagher Data Breach Litigation, 631 F.Supp.3d 573 (N.D.Ill. 2022), a claim for unjust enrichment was rejected. The Gallagher Court stated that the plaintiffs must "plausibly allege that Defendants unjustly retained a benefit, resulting in a detriment to Plaintiffs." Id., at 591. The Court found that, if anything, third-party hackers are the ones who benefitted from the data breach. Id., at 592. The Gallagher Court noted that the Plaintiffs insisted that Defendants retained the 'monetary benefit' of valuable PHI and PPI but then stated: "[c]ourts have, however, routinely rejected the 'proposition that an individual's personal identifying information has an independent monetary value'". Id. On that basis, the Gallagher Court dismissed the unjust enrichment claim. Id. In Irwin v. Jimmy John's Franchise, LLC, 175 F.Supp.3d 1064 (C.D.Ill. 2016), the Court addressed a claim for unjust enrichment after a data breach potentially exposed customers' personal and financial information to unauthorized third parties. Id., at 1068. The plaintiff, Irwin, argued that her payment for purchases at Jimmy John's was supposed to be used, in part, to provide data security. Since there was no reasonable data security, she argued that she overpaid for purchases using her debit and credit cards. Id., at 1071. The Jimmy John's Court disagreed. Irwin did not pay any more with her debit or credit cards than customers who paid with cash. Id., at 1072. The Court stated that: "Irwin paid for food products. She did not pay for a side order of data security and protection; it was merely incident to her food purchase, as is the ability to sit at a table to eat her food, or to use a Jimmy John's restroom." Id. The Jimmy John's Court found that there was no unjust enrichment. Id. A similar argument for unjust enrichment was rejected in In re Target Corp. Data Sec. Breach Litigation, 66 F.Supp.3d 1154 (D. Minn. 2014). There, the Court found that the "overcharge" theory of unjust enrichment lacked merit because cash customers paid the same amount as customers who paid with a credit card. Id., at 1178. However, the Target Court did allow a potential claim for unjust enrichment to proceed on the theory that individuals would not have shopped at Target had they known about the data breach. Id.

¶32 We are persuaded by the rationale set forth in Gallagher and Jimmy John's. Premiere's customers paid for medical services, not data protection. We also conclude that Premiere has not unjustly retained any benefit of value. We, therefore, find that it was proper for the trial court to dismiss the Plaintiffs' claim for unjust enrichment.

6. Breach of Fiduciary Duty

¶ 33 The trial court dismissed the Plaintiffs' claim for Breach of Fiduciary Duty, finding the Plaintiffs failed to plead any facts showing they suffered actual damages which can be traced to the Data Security Incident. The trial court specifically held that "Plaintiffs have failed to plead any facts showing they suffered any actual damages, and failed to show that any purported harm can be traced to the Data Security Incident." As with the issues of standing and negligence, the general allegations in the Petition to the effect that the Plaintiffs have already suffered harm and have based their claims on past or previously sustained injuries constitute minimally sufficient allegations to withstand a § 2012B(6) challenge.

¶34 To recover on a claim of breach of fiduciary duty, a plaintiff must prove "(1) the existence of a fiduciary relationship; (2) a breach of a fiduciary duty; and (3) the breach of a fiduciary duty was the direct cause of damages." S.W. Orthopaedic Specialists, P.L.L.C. v. Allison, 2018 OK CIV APP 69, ¶ 20, 439 P.3d 430, 436 (citing Graves v. Johnson, 2015 OK CIV APP 81, ¶ 15, 359 P.3d 1151). Plaintiffs contend Premiere became a fiduciary to Plaintiffs by their "undertaking and guardianship" of Plaintiffs' current and former PPI/PHI, and that Premiere breached its duty both by failing to take proper measures to protect Plaintiffs' PPI/PHI and failing to timely notify Plaintiffs of the data breach. It is fundamental that a physician has a fiduciary duty to not disclose a patient's medical information. See Bryson v. Tillinghast, 1988 OK 6, ¶ 11, 749 P.2d 110, 113 ("Bryson assumes, and we do not refute the assumption, that an implied guarantee of confidentiality exists when a doctor and his patient enter into a contract for medical services."). Although the Oklahoma Supreme Court has not decided this issue, we find that, if a physician negligently discloses a patient's PPI/PHI through electronic or other means, the patient may maintain an action for damages in tort against the physician. See e.g., Brandt v. Med. Def. Assocs., 856 S.W.2d 667, 669 & 671 (Mo. 1993) (a case concerning certain ex parte disclosures made by a physician without consent of the patient in the context of a medical malpractice action, in which the Court stated, in part, that "the civil action for damages in tort is the sanction that puts teeth into the physician's duty of confidentiality."). Thus, we reverse the trial court's dismissal of the breach of fiduciary duty claim.

7. Breach of Covenant of Good Faith and Fair Dealing

¶ 35 The trial court dismissed Plaintiffs' claim for Breach of Covenant of Good Faith and Fair Dealing after finding Plaintiffs failed to plead any facts supporting an alleged implied contract and any subsequent breach. We disagree with the trial court's rationale for dismissal, as we previously found the trial court erred in its dismissal of Plaintiffs' claim for breach of implied contract because a question of fact remains as to whether Premiere's choice to utilize Connexin was adequate to protect Plaintiffs' personal information. We, however, affirm the Court's ultimate finding that Plaintiffs failed to state a cause of action for Breach of the Implied Covenant of Good Faith and Fair Dealing. See Dixon v. Bhuiyan, 2000 OK 56, ¶ 9, 10 P.3d 888, 891 ("[i]f the trial court reaches the correct result but for the wrong reason, its judgment is not subject to reversal. Rather, the Court is not bound by the trial court's reasoning and may affirm the judgment below on a different legal rationale.").

¶36 Plaintiffs contend Premiere breached the implied covenant of good faith and fair dealing when Premiere failed to protect Plaintiffs from the Data Breach, utilized a healthcare technology company "incapable of adequately securing" Personal and Medical Information, and failed to establish and implement appropriate oversight procedures for Connexin's activities. To support a claim for a breach of the covenant of good faith and fair dealing, a plaintiff must first establish the existence of a valid contract, but the mere existence of a contract alone is not sufficient to assert a cause of action for breach of the implied covenant. Hall v. Farmers Ins. Exch., 1985 OK 40, ¶ 14, 713 P.2d 1027, 1029 ("each contract carries an implicit and mutual covenant by the parties to act toward each other in good faith."). A claimant asserting a cause of action for breach of the implied covenant must allege "a failure or refusal to discharge contractual responsibilities, prompted not by an honest mistake, bad judgment or negligence; but, rather by a conscious and deliberate act, which unfairly frustrates the agreed common purpose and disappoints the reasonable expectations of the other party." Tiara Condo. Ass'n, Inc. v. Marsh & McLennan Cos., Inc., 607 F.3d 742, 747 (11th Cir.2010) (emphasis added). In the instant circumstances, Plaintiffs have not identified any conscious or deliberate act carried out by Premiere which frustrates the purpose of the alleged implied contract.

¶37 Furthermore, the Oklahoma Supreme Court has only implemented a "nondelegable duty of good faith and fair dealing" to insurance contracts by recognizing the "special relationship" between the insurer and its insured, giving rise to an independent action in tort. Wathor v. Mut. Assur. Adm'rs, Inc., 2004 OK 2, ¶ 6, 87 P.3d 559, 562, as corrected (Jan. 22, 2004); Timmons v. Royal Globe Ins. Co., 1982 OK 97, ¶ 31, 653 P.2d 907, 916. Without case law establishing an equivalent "special relationship" between patients and medical professionals in the context of electronic medical records, we cannot find Premiere breached an implied covenant of good faith and fair dealing. We find Orthman failed to establish a cause of action for Breach of the Covenant of Good Faith and Fair Dealing and, accordingly, affirm the trial court's dismissal.

8. Breach of Confidentiality

¶ 38 The trial court dismissed Plaintiffs' claim for breach of confidentiality on the basis that Premiere did not knowingly disclose Plaintiffs' private information. We agree.

¶39 As articulated by the trial court, a claim for breach of confidentiality requires a plaintiff to allege that a defendant knowingly disclosed nonpublic information that the defendant learned through the course of a confidential or special relationship. Ewing v. Ewing, 1912 OK 566, 126 P. 811, 815. Plaintiffs contend the instant circumstances constitute a breach of confidentiality because Premiere voluntarily received Plaintiffs' personal and medical information in confidence with the understanding that such information would not be shared with any unauthorized parties, and this confidential information was ultimately accessed by third-party hackers. Plaintiffs, however, do not allege that Premiere knowingly shared its patients' confidential information. Even if Plaintiffs allege Premiere was somehow aware that Connexin would someday suffer a major data breach, Premiere's choice to utilize Connexin's software does not constitute a "knowing" disclosure of confidential information. Accordingly, we affirm the trial court's dismissal of Plaintiffs' breach of confidentiality claim.

9. Declaratory Judgment

¶ 40 The trial court found that, because Plaintiffs alleged speculative, future harm, any corresponding claim for declarative and injunctive relief would be similarly speculative. On that basis, the trial court found Plaintiffs lacked standing to pursue declaratory or injunctive relief. Although we do not agree with all portions of the trial court's rationale for dismissal, we affirm the Court's ultimate finding that Plaintiffs lacked standing to pursue declaratory or injunctive relief. See Dixon v. Bhuiyan, 2000 OK 56, ¶ 9, 10 P.3d 888, 891 ("[i]f the trial court reaches the correct result but for the wrong reason, its judgment is not subject to reversal. Rather the Court is not bound by the trial court's reasoning and may affirm the judgment below on a different legal rationale.").

¶41 Plaintiffs requested the trial court enter a judgment pursuant to 12 O.S. § 1651 declaring the following:

a. Defendant owes Plaintiffs and Class members a legal duty to secure their Personal and Medical Information;
b. Defendant continues to breach this legal duty by failing to (i) employ reasonable measures to secure consumers' Personal and Medical Information, (ii) utilize a healthcare technology company adequately securing Plaintiffs' and Class Members' Personal and Medical Information, and (iii) establish and implement appropriate oversight procedures for the activities of its business associate, Connexin Software; and
c. Defendant's ongoing breach of its legal duties continue to cause Class Members harm.

Notably, § 1651 explicitly precludes issuance of a declaratory judgment for liability for "damages on account of alleged tortious injuries." Bristow First Assembly of God v. BP p.l.c., 210 F.Supp.3d 1284, 1290 (N.D. Okla. 2016) (citing 12 O.S. § 1651). Because Plaintiffs' negligence claim requires a determination of tort liability, Plaintiffs' request for a judgment declaring Premiere liable for negligence is improper and incongruent with § 1651. Accordingly, we affirm the trial court's dismissal of Plaintiffs' request for declaratory judgment.

¶42 Plaintiffs additionally sought injunctive relief requesting Premiere to be ordered to "employ adequate security protocols consistent with law, industry, and government regulatory standards to protect its patients' PPI and PHI." More specifically, Plaintiffs make requests including, but not limited to, directing Premiere to "engage in third party auditors, consistent with industry standards, to test Connexin's systems for weaknesses and upgrade any weaknesses found," "audit, test, and train Connexin's data security personnel regarding any new or modified procedures and how to respond to a data breach," as well as "regularly test Connexin's systems for security vulnerabilities, consistent with industry standards."

¶43 As is well established by the Oklahoma Supreme Court, an injunction is an "extraordinary remedy" that should not be lightly granted. Jackson v. Williams, 1985 OK 103, ¶ 9, 714 P.2d at 1020; Amoco Production Co. v. Lindley, 1980 OK 6, 609 P.2d 733, 745. A plaintiff must establish entitlement to injunctive relief in the trial court by clear and convincing evidence and the nature of the complained of injury must not be nominal, theoretical, or speculative. Jackson, 1985 OK 103 at ¶ 9; Sunray Oil Co. v. Cortez Oil Co., 1941 OK 77, 112 P.2d 792, 796. There must be a reasonable probability that the injury sought to be prevented will be done if no injunction is issued -- a mere fear or apprehension of injury will not be sufficient. Sharp v. 251st St. Landfill, Inc., 1996 OK 109, ¶ 5, 925 P.2d 546, 549 (emphasis added). Further, "the granting or refusing of injunction rests to some extent within the sound discretion of the trial court, and its judgment... will not be disturbed unless it can be said the court abused its discretion, or that the judgment rendered is clearly against the weight of the evidence." Amoco Production Co. v. Lindley, 1980 OK 6, 609 P.2d 733, 745 (citing Johnson v. Ward, 541 P.2d 182, 188) (emphasis added).

¶44 Based on the Plaintiffs' specific requests to oversee Connexin's systems for "security vulnerabilities" and/or train Connexin's personnel on data security procedures, Plaintiffs' pursuit of injunctive relief against Premiere is misplaced. While the specific business relationship between Premiere and Connexin has not yet been articulated by either party, it has been established that Connexin is a third-party data management software company which, as an independent company, presumably maintains sole command over its operations, employee training, and security measures. Consequently, it seems that Connexin -- not Premiere -- would be the only party capable of executing the requested injunctive relief. Even if the trial court granted Plaintiffs' claim for injunctive relief against Premiere, it is not "reasonably probable" that the injury will be mitigated or resolved by any feasible actions by Premiere. While Plaintiffs have sufficiently plead the existence of present financial injury in the form of general "identity theft," none of Plaintiffs' requested injunctive relief concerning Plaintiffs' present financial injury is within the scope of Premiere's capacity to remedy.

¶45 As established in preceding sections of this Opinion, Plaintiffs' claims for future injuries are too speculative to constitute a recoverable "injury-in-fact," and the speculative nature of Plaintiffs' future injuries similarly preclude the requested injunctive relief. Sunray Oil Co. v. Cortez Oil Co., 1941 OK 77, 188 Okla. 690, 112 P.2d 792, 796, quoting Simons v. Fahnestock, 1938 OK 264, 182 Okla. 460, 78 P.2d 388 (syllabus by the Court) ("[i]t is not sufficient ground for injunction that the injurious acts may possibly be committed or that injury may possibly result from the acts sought to be prevented; but there must be at least a reasonable probability that the injury will be done if no injunction is granted, and not a mere fear or apprehension of same."). As a result, Plaintiffs have no standing to seek injunctive relief to remedy the currently unarticulated future losses. We ultimately find the trial court did not err as a matter of law in dismissing Plaintiffs' request for injunctive relief against Premiere and, accordingly, affirm the trial court's dismissal of that claim.

Failure to Allow an Amendment to the Petition

¶46 The trial court's Order of September 15, 2023, also was procedurally flawed because Orthman was not given an opportunity to amend, as required by 12 O.S. § 2012G. Thus, because the trial court did not find that amendment would be futile, it was error for the trial court to not give Orthman an opportunity to amend. See Wright v. Parks, 1997 OK CIV APP 15, ¶ 7, 939 P.2d 20, 22 ("the court should allow amendment, rather than dismissal, unless it appears to a certainty that the plaintiff cannot state a claim.").

Title 12 O.S. § 2012G, provides as follows: "G. FINAL DISMISSAL ON FAILURE TO AMEND. On granting a motion to dismiss a claim for relief, the court shall grant leave to amend if the defect can be remedied and shall specify the time within which an amended pleading shall be filed. If the amended pleading is not filed within the time allowed, final judgment of dismissal with prejudice shall be entered on motion except in cases of excusable neglect. In such cases amendment shall be made by the party in default within a time specified by the court for filing an amended pleading. Within the time allowed by the court for filing an amended pleading, a plaintiff may voluntarily dismiss the action without prejudice." (emphasis added).

CONCLUSION

¶ 47 For the reasons and upon the grounds stated in this Opinion, the trial court's Order of September 15, 2023, is affirmed, in part, and reversed, in part, and the matter is remanded for further proceedings consistent with this Opinion.

MITCHELL, C.J., and BELL, J., concur.

