Purvis v. Aveanna Healthcare, LLC

United States District Court, N.D. Georgia, Atlanta Division.
Sep 27, 2021
563 F. Supp. 3d 1360 (N.D. Ga. 2021)

Summary

holding that a plaintiff failed to state an invasion of privacy claim by alleging a third party carried out a data breach and the defendant “failed to take sufficient precautions to prevent this intrusion”

Summary of this case from In re MCG Health Data Sec. Issue Litig.

Opinion

CIVIL ACTION NO. 1:20-CV-02277-LMM

2021-09-27

Teairra PURVIS, individually and on behalf of her minor child, J.A., and Aramah Johnson, and on behalf of all others similarly situated, Plaintiffs, v. AVEANNA HEALTHCARE, LLC, Defendant.

David K. Lietz, Pro Hac Vice, Gary Edward Mason, Pro Hac Vice, Mason Lietz & Klinger LLP, Washington, DC, Gary M. Klinger, Pro Hac Vice, Mason Lietz & Klinger LLP, Chicago, IL, Shireen Hormozdi, Hormozdi Law Firm, LLC, Norcross, GA, for Plaintiffs. Douglas H. Meal, Pro Hac Vice, Seth Harrington, Pro Hac Vice, Orrick, Herrington & Sutcliffe LLP, Boston, MA, James Chong Liu, Pro Hac Vice, Orrick, Herrington & Sutcliffe LLP, Sacramento, CA, Rebecca Harlow, Pro Hac Vice, Orrick Herrington & Sutcliffe, San Francisco, CA, Austin Jared Hemmer, Robert B. Remar, Rogers & Hardin, LLP, Cameron Blaine Roberts, Caplan Cobb LLP, Atlanta, GA, for Defendant.



ORDER

Leigh Martin May, United States District Judge

This case comes before the Court on Defendant Aveanna Healthcare, LLC's ("Aveanna") Motion to Dismiss [41]. After due consideration, the Court enters the following Order.

I. BACKGROUND

This putative class action arises out of a July 2019 cyberattack and data breach (the "Data Breach") involving Defendant Aveanna. Dkt. No. [32] ¶ 6. Defendant is a healthcare entity that is alleged to be the nation's largest pediatric home-care provider, offering treatment and related healthcare services to patients and their families in numerous states. See id. ¶¶ 21–24. Plaintiffs in this case include Aveanna patients and their legal guardians or parents (Plaintiffs Purvis and J.A.) and a former employee of Aveanna (Plaintiff Johnson). Id. ¶¶ 40–41, 46.

Plaintiffs allege that their sensitive personal information—including personally identifiable information ("PII") and protected health information ("PHI")—was compromised and unlawfully accessed through the Data Breach. Id. ¶ 6. Moreover, Plaintiffs allege that, as a result of the Data Breach, their identities are now at risk of being compromised and that they face a heightened risk of fraud and identity theft (and, in some cases, have in fact already experienced identity theft and fraud as a result of the Data Breach). Id. ¶¶ 10–12. Though acknowledging that the Data Breach was carried out unlawfully by third-party individuals through phishing techniques, Plaintiffs assert that Defendant was reckless and negligent in maintaining Plaintiffs’ sensitive private information. See id. ¶¶ 6–8, 50–52. Plaintiffs maintain that Defendant was aware of the risk of such a breach and failed to take the necessary precautions to protect Plaintiffs’ information. See id. ¶¶ 8, 85.

Plaintiffs assert the following claims for relief: (1) negligence; (2) intrusion into private affairs or invasion of privacy; (3) breach of express contract; (4) breach of implied contract; (5) negligence per se; (6) breach of fiduciary duty; (7) breach of confidence; and (8) a second claim for breach of express contract. Id. ¶¶ 159–275. Defendant has moved to dismiss Plaintiffs’ Second Amended Complaint in its entirety. Dkt. No. [41].

With the exception of Counts Three and Eight, the claims are asserted on behalf of all Plaintiffs and Class Members. Count Three's breach of express contract claim is asserted on behalf of all Plaintiffs and Class Members except the Employee Subclass. As a corollary, Count Eight's breach of express contract claim is asserted on behalf of Plaintiff Johnson (a former Aveanna employee) and the Employee Subclass.

II. LEGAL STANDARD

Federal Rule of Civil Procedure 8(a)(2) requires that a pleading contain a "short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). While this pleading standard does not require "detailed factual allegations," the Supreme Court has held that "labels and conclusions" or "a formulaic recitation of the elements of a cause of action will not do." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ).

To withstand a Rule 12(b)(6) motion to dismiss, "a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ " Id. (quoting Twombly, 550 U.S. at 570, 127 S.Ct. 1955 ). A complaint is plausible on its face when the plaintiff pleads factual content necessary for the court to draw the reasonable inference that the defendant is liable for the conduct alleged. Id. (citing Twombly, 550 U.S. at 556, 127 S.Ct. 1955 ).

At the motion to dismiss stage, "all well-pleaded facts are accepted as true, and the reasonable inferences therefrom are construed in the light most favorable to the plaintiff." FindWhat Inv'r Grp. v. FindWhat.com, 658 F.3d 1282, 1296 (11th Cir. 2011) (quoting Garfield v. NDC Health Corp., 466 F.3d 1255, 1261 (11th Cir. 2006) ). However, this principle does not apply to legal conclusions set forth in the complaint. Iqbal, 556 U.S. at 678, 129 S.Ct. 1937.

III. DISCUSSION

Defendant has moved to dismiss each of Plaintiffs’ claims. The Court addresses each claim separately.

A. Negligence

In Count One, Plaintiffs assert a claim for negligence. Dkt. No. [32] ¶¶ 159–171. Defendant moves to dismiss Plaintiffs’ negligence claim for a variety of reasons. The Court begins with Defendant's first argument, which is that Defendant did not owe Plaintiffs a duty of care. Dkt. No. [41-1] at 13–17.

1. Duty

Under Georgia law, a negligence claim has four elements: "the existence of a duty on the part of the defendant, a breach of that duty, causation of the alleged injury, and damages resulting from the alleged breach of the duty." Rasnick v. Krishna Hosp., Inc., 289 Ga. 565, 713 S.E.2d 835, 837 (2011) (citation omitted). "The threshold issue in any cause of action for negligence is whether, and to what extent, the defendant owes the plaintiff a duty of care." Smith v. United States, 873 F.3d 1348, 1352 (11th Cir. 2017) (quoting City of Rome v. Jordan, 263 Ga. 26, 426 S.E.2d 861, 862 (1993) ).

Here, Plaintiffs allege that Defendant "had a duty of care to use reasonable means to secure and safeguard its computer property ... to prevent disclosure of [Plaintiffs’] Private Information, and to safeguard the Private Information from the theft." Dkt. No. [32] ¶ 161. Defendant argues that the Georgia Supreme Court—in its recent decision in Department of Labor v. McConnell, 305 Ga. 812, 828 S.E.2d 352 (2019) —has held that no such duty to safeguard personal information exists under Georgia law. Dkt. No. [32] at 13–15. Defendant maintains that because no duty to safeguard personal information exists in the wake of McConnell, this alleged duty cannot support Plaintiffs’ negligence claim. Id.

The Court is not persuaded by Defendant's argument that McConnell forecloses the existence of a duty to protect personal information under Georgia law. A brief overview of McConnell and subsequent Georgia Supreme Court decisions is helpful in illustrating why the Court reaches this conclusion.

In McConnell, a plaintiff filed a class action lawsuit against the Georgia Department of Labor after one of the Department's employees inadvertently sent an email that included a spreadsheet containing the private information of individuals who had applied for unemployment benefits and other services from the Department. 828 S.E.2d at 356. The plaintiff's private information was disclosed through this mistake, and the plaintiff asserted a claim for negligence against the Department, in addition to various other claims. Id.

Ultimately, the Georgia Supreme Court affirmed the Georgia Court of Appeals's decision to dismiss the plaintiff's negligence claim, concluding that this claim failed because the plaintiff "has not shown that the Department owed him or the other proposed class members a duty to protect their private information." Id. at 358. Though Defendant argues that this holding confirms that there is no duty under Georgia law to safeguard personal information, the Georgia Supreme Court's holding in McConnell was narrower than Defendant suggests. Specifically, in finding that the plaintiff had failed to show that the Department of Labor owed him and others a duty to protect their personal information, the Georgia Supreme Court merely rejected that such a duty arose from the sources the plaintiff had relied upon to support his claim, namely: (1) the purported duty "to all the world not to subject [others] to an unreasonable risk of harm" that was articulated in Bradley Center v. Wessner, 250 Ga. 199, 296 S.E.2d 693 (1982) ; and (2) O.C.G.A. §§ 10-1-910 and 10-1-393.8. Id. Indeed, McConnell expressly leaves open the possibility that a duty to safeguard personal information could still arise under different circumstances and based on different arguments: "We also do not consider whether a duty might arise on these or other facts from any other statutory or common law source, as no such argument has been made here." Id. at 358 n.5.

If there remained any doubt whether McConnell entirely foreclosed the existence of a duty to safeguard personal information under Georgia law, the Georgia Supreme Court's post- McConnell decision, Collins v. Athens Orthopedic Clinic, P.A., 307 Ga. 555, 837 S.E.2d 310 (2019), illustrates that McConnell does not stand for that proposition. In Collins, the plaintiffs asserted a claim for negligence (in addition to other claims) against a medical clinic after their information was compromised through a criminal data breach. Collins, 837 S.E.2d at 311–12. The plaintiffs’ negligence claim was initially dismissed for failure to allege a cognizable injury, but the Georgia Supreme Court, having determined that the plaintiffs had in fact alleged a cognizable injury, reversed that decision and remanded the case. Id. at 312, 316–18.

In discussing the plaintiffs’ negligence claim, the Collins court, citing McConnell, noted that "the easier showing of injury [in a criminal data breach case] may well be offset by a more difficult showing of breach of duty." Id. at 315–16. However, the Georgia Supreme Court did not find that the plaintiffs’ claim failed for lack of a cognizable duty, nor did it cite McConnell for the broad proposition that a duty to safeguard personal information simply does not exist under Georgia law. Instead, the court included an extended parenthetical explaining the specific holding of McConnell—namely that there was no duty under Bradley Center, nor under O.C.G.A. § 10-1-393.8 or O.C.G.A. § 10-1-910. Id. at 316. Ultimately, the Collins court chose not to address the duty question at all, explaining that it would instead "leave [that issue] for another day" because the plaintiffs’ negligence claim had been erroneously dismissed on a different basis. Id. Of course, if McConnell had already answered the question as to whether such a duty could arise under Georgia law, this discussion in Collins (and indeed the court's holding) would make little sense. And so, while Collins does not—as Plaintiffs suggest—implicitly presume that a healthcare provider has a duty to safeguard personal information, it certainly illustrates (1) that this issue was not decisively answered by McConnell and (2) that whether a particular defendant may owe a duty to safeguard personal information under some circumstances remains an open question that has not been fully resolved by the Georgia Supreme Court. See id. at 315–16 & n.7.

Still, the holding in McConnell has implications for some of the arguments raised in Plaintiffs’ briefing. For example, Plaintiffs cite three data breach decisions from this District and maintain that these decisions—all of which found that a duty of care existed under Georgia law—remain good law: (1) In re: The Home Depot, Inc. Customer Data Sec. Litig., No. 14-MD-2583, 2016 WL 2897520 (N.D. Ga. May 18, 2016) ; (2) In re Arby's Rest. Grp. Inc. Litig., No. 17-CV-0514, 2018 WL 2128441 (N.D. Ga. Mar. 5, 2018) ; and (3) In re Equifax, Inc. Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295 (N.D. Ga. 2019). However, all three of these cases were decided before McConnell, and, more importantly, all three relied significantly on Bradley Center—and specifically the statement that, under Georgia law, one owes a general duty "to all the world not to subject [others] to an unreasonable risk of harm"—to find that a duty existed under Georgia law in the data breach context. As has already been discussed, the Georgia Supreme Court expressly overruled that statement of law from Bradley Center, thereby also undermining the decisions predicated on that statement. McConnell, 828 S.E.2d at 358 ; see also Murray v. ILG Techs., LLC (Murray II ), 798 F. App'x 486, 492 (11th Cir. 2020) (expressing doubt about the viability of Arby's because it was "decided prior to the Georgia Supreme Court's decision in McConnell ").

Nevertheless, Plaintiffs have raised another argument in support of their contention that Defendant owed them a duty of care: Plaintiffs argue that Defendant owed them a duty based on a foreseeability theory—that is, that Defendant owed Plaintiffs a duty because the risk of a data breach (and resulting harm to Plaintiffs) was reasonably foreseeable to Defendant. Dkt. No. [44] at 13–14, 19–20. In response, Defendant summarily dismisses this contention, arguing that, after McConnell, the foreseeability of the injury alleged in this case is insufficient to create a duty on Defendant's behalf. Dkt. No. [46] at 9.

The Court agrees with Plaintiffs that Defendant owed them a duty based on Defendant's alleged knowledge of the foreseeable risk of a data breach and the resulting exposure of Plaintiffs’ information. Moreover, the Court is not persuaded by Defendant's suggestion that, after McConnell, the alleged foreseeability of a particular injury is insufficient to create a duty to protect against that exact injury. First, as other courts analyzing Georgia law have observed, "[t]he concept of ‘foreseeability’ in Georgia law seems to play a role both in defining a legal duty and in determining whether proximate cause exists." Corbitt v. Walgreen Co., No. 7:14-CV-17 (MTT), 2015 WL 1726011, at *3 n.4 (M.D. Ga. Apr. 15, 2015) (citations omitted). Indeed, Georgia courts have stated that "[n]egligence is predicated on what should be anticipated, rather than on what happened, because one is not bound to anticipate or foresee and provide against what is unlikely, remote, slightly probable, or slightly possible." Amos v. City of Butler, 242 Ga.App. 505, 529 S.E.2d 420, 422 (2000) (citation omitted). "Thus, the legal duty to exercise ordinary care arises from the foreseeable, unreasonable risk of harm from such conduct." Id.; see also Emory Univ. v. Lee, 97 Ga.App. 680, 104 S.E.2d 234, 243 (1958) ("The correct rule is that in order for a party to be held liable for negligence, it is not necessary that he should have been able to anticipate the particular consequences which ensued. It is sufficient if, in ordinary prudence, he might have forseen [sic] that some injury would result from his act or omission, and that consequences of a generally injurious nature might result." (citation omitted)).

As illustrated by Defendant's argument on this issue, the Georgia Supreme Court did not discuss foreseeability in McConnell.

Here, Plaintiffs allege that the threat of cyberattacks and data breaches was widely and publicly known, especially to healthcare providers such as Defendant. See, e.g., Dkt. No. [32] ¶¶ 83–85, 108–110. Plaintiffs also assert that the kind of phishing attack allegedly used in the Data Breach is extremely common, and that such attacks can be reasonably guarded against with a variety of preventative measures. Id. ¶¶ 86–87, 108–110. Moreover, Plaintiffs specifically allege that, as a healthcare provider, Defendant knew or should have known that it faced a particularly high risk of a data breach but that Defendant nevertheless failed to properly guard against this foreseeable risk by implementing reasonable security measures, which ultimately led to Plaintiffs’ injuries as a result of the Data Breach. See, e.g., Dkt. No. [32] ¶¶ 127, 168–169.

The Court finds that a duty of care can be established based on these allegations under long-recognized negligence principles articulated in Georgia law. For example, in Atlantic Coast Line Railroad Co. v. Godard, 211 Ga. 373, 86 S.E.2d 311 (1955), a railroad employee was required to work through the night in a one-room building in an isolated part of the defendants’ railyard, frequently opening the door to deliver messages to other workers. Godard, 86 S.E.2d at 315. It was alleged that the defendants (including the employer) "had reason to know the yards were frequented by dangerous characters," yet they "failed to exercise reasonable care to light the building and its surroundings or to guard or patrol it in any way." Id. One night, the employee-plaintiff was attacked and severely injured when she opened the door to the one-room building while performing her job. Id. The Georgia Supreme Court found that the defendants owed her a duty of care based on the foreseeability of this harm occurring:

The petition in this case, which alleged that the defendants well knew that dangerous, reckless, and lawless characters and persons who were strangers frequented the premises described during the nighttime[ ] ... was sufficient to charge the defendants with the duty to anticipate the criminal act alleged, and to exercise ordinary care to protect its employees therefrom.

Id. As has already been discussed, Plaintiffs in this case similarly allege that Defendant had reason to know—especially as a healthcare provider—that it could be the target of precisely the kind of criminal data breach it ultimately experienced. Under these circumstances, and given the alleged foreseeability of this exact kind of harm (and the resulting exposure of Plaintiffs’ personal information), the Court finds that Defendant owed Plaintiffs a duty to anticipate this harm and exercise reasonable care to guard against it.

Other courts have reached the same result when presented with similar issues. See, e.g., In re Brinker Data Incident Litig., No. 3:18-cv-686-J-32MCR, 2020 WL 691848, at *7–8 (M.D. Fla. Jan. 27, 2020) ; Dittman v. UPMC, 649 Pa. 496, 196 A.3d 1036, 1044–48 (2018). For example, in Brinker, the defendant allegedly failed to implement adequate and reasonable security measures to prevent a criminal data breach that resulted in the plaintiffs’ payment information—including their names, card expiration dates, account numbers, and CVV and debit pin data—being compromised. Brinker, 2020 WL 691848, at *1–2. Because the plaintiffs sought to impose a duty based on the facts alleged in the case—and in light of the fact that the defendant was allegedly aware of the risk of a data breach—the district court, applying Florida law, noted that it had to "evaluate and apply ‘the concept of foreseeability of the harm to the circumstances alleged[.]’ " Id. at *7 (quoting United States v. Stevens, 994 So. 2d 1062 (Fla. 2008) ).

In Dittman, a group of employees sued the University of Pittsburgh Medical Center ("UPMC") after their personal and financial information was accessed and stolen in a criminal data breach. Dittman, 196 A.3d at 1038–39. With regard to their negligence claim, the employees alleged that UPMC owed them a duty to use reasonable care to protect the information in its possession, and that UPMC breached this duty by failing to implement reasonable security measures to safeguard their information. Id. at 1039. Relying on traditional negligence principles, the Pennsylvania Supreme Court concluded that, "in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm"—namely, the risk of a data breach—"arising out of that act." Id. at 1046–47. Additionally, the court held that because the ensuing data breach was "within the scope of the risk" created by the defendant's failure to adopt reasonable security measures, "the criminal acts of third parties in executing the data breach do not alleviate [the defendant] of its duty to protect Employees’ personal and financial information from that breach." Id. at 1047–48.

In determining whether a duty arose on the defendant's behalf, the Brinker court relied heavily on the Florida Supreme Court's decision in Stevens, wherein the Florida Supreme Court "reiterated that the foreseeable zone of risk test is appropriate to determine whether a duty exists." Id. Indeed, as discussed in Brinker, the Florida Supreme Court had itself relied significantly on traditional negligence principles articulated in § 302B of the Restatement (Second) of Torts to find that a duty may be owed despite the occurrence of intervening third-party criminal activity. Id. (discussing Stevens ). In line with this reasoning, the court in Brinker concluded that the defendant owed the plaintiffs a duty because the defendant was allegedly aware of the risk that it could be targeted by the kind of criminal data breach it eventually suffered. Id. at *7–8.

Given that the issue of duty in this kind of data breach case remains an open and unanswered question under Georgia law, the Court finds Brinker and Dittman to be persuasive authority in concluding that Defendant owed Plaintiffs a duty in this case. It also follows as a matter of common sense that, when patients and employees are required to turn over PII and PHI as a condition of medical care and employment, the entity receiving that information has some baseline obligation to adopt reasonable precautions to guard against known or reasonably foreseeable threats to the security of that information.

Defendant has also argued that, even if it owed a duty to Plaintiffs, it is nevertheless absolved from liability because the Data Breach was a third-party criminal act and there is no duty under Georgia law to protect others from such acts. Dkt. No. [41-1] at 15. However, under Georgia law, "[t]he general rule that the intervening criminal act of a third person will insulate a defendant from liability for an original act of negligence does not apply when it is alleged that the defendant had reason to anticipate the criminal act." Godard, 86 S.E.2d at 315 ; see also Davis v. Blockbuster, Inc., 258 Ga.App. 677, 575 S.E.2d 1, 3 (2002) ("Given the intervening criminal act of the third party, the question is whether that criminal act was a reasonably foreseeable consequence of [the defendant's] conduct."). As discussed above, Plaintiffs have alleged that Defendant had reason to know that it was at high risk of experiencing a criminal data breach yet failed to take reasonable steps to guard against this risk; accordingly, Defendant's potential liability is not cut off by the occurrence of this exact criminal act.

Plaintiffs have also argued that Defendant owed them a duty based on certain healthcare industry standards and because there existed a special relationship between the parties. Because the Court has determined that Defendant owed Plaintiff a duty for another reason (and that Defendant was not absolved of this duty given that the Data Breach was an allegedly foreseeable criminal act), the Court need not reach these arguments at this time.

2. Standard of Care and Breach

Next, Defendant argues that Plaintiffs have failed to adequately allege or establish a standard of care applicable to Defendant, and that they have likewise failed to establish that Defendant breached any such standard. Dkt. No. [41-1] at 17–20. However, Plaintiffs specifically allege that Defendant failed to comply with numerous industry standards for healthcare providers, thereby breaching its obligations to Plaintiffs and Class Members. Dkt. No. [32] ¶¶ 95–100, 105(a)–(p). Fundamentally, Defendant appears to simply disagree that the numerous standards and practices cited in Plaintiffs’ Second Amended Complaint apply to Defendant, but it is unclear how the Court could reach a similar conclusion given that the Court must accept Plaintiffs’ allegations as true and draw all reasonable inferences in their favor. Accordingly, Defendant has failed to demonstrate that Plaintiffs’ allegations are insufficient at this stage, so Plaintiffs’ negligence claim will not be dismissed on this basis.

3. Injury

Defendant also argues that Plaintiffs have not pled a sufficiently cognizable injury to support their negligence claim under Georgia law because (1) Plaintiffs Purvis and J.A. have not alleged that their personal information has been actually misused or that they have suffered out-of-pocket expenses from the Data Breach; and (2) Plaintiff Johnson, though alleging actual identity theft as a result of the Data Breach, has not incurred any out-of-pocket expenses as a result. Dkt. No. [41-1] at 20–23. However, it is difficult to square Defendant's arguments with the Georgia Supreme Court's recent decision in Collins, wherein the court held that the plaintiffs had alleged a legally cognizable injury where—much like Plaintiffs in this case—their private information was compromised when a medical clinic experienced a data breach carried out by criminals. Collins, 837 S.E.2d at 311–12, 315–19. And whereas the court in Collins reached this conclusion even in the apparent absence of allegations that any of the plaintiffs in that case had suffered actual identity theft (and instead faced a sufficiently imminent and substantial risk of such identity theft because their information had been stolen by criminals and allegedly made available on the dark web), Plaintiff Johnson has here alleged that she in fact suffered identity theft as a result of the criminal Data Breach. Dkt. No. [32] ¶¶ 64–78. Apparently recognizing the problem this presents for its overall argument, Defendant maintains that Plaintiff Johnson has not alleged sufficient facts connecting her identity theft to the Data Breach, and that Plaintiffs have otherwise not alleged sufficient facts to show they are at an imminent and substantial risk of future identity theft. Dkt. No. [41-1] at 21–22.

The Court disagrees with both contentions. First, Plaintiff Johnson has indeed pled sufficient facts to plausibly connect her alleged identity theft to the Data Breach. She alleges that her PII was compromised in the Data Breach and that her information was thereafter used to open bank accounts that she was not associated with in any way. Dkt. No. [32] ¶¶ 64–78. She also alleges that she is unaware of any other incident of her PII being compromised, and that she has never before experienced identity theft. Id. ¶ 77.

Second, in light of the fact that both parties readily admit that the Data Breach in this case was carried out by criminals, and in light of the additional fact that at least one Plaintiff has alleged that she suffered actual identity theft stemming from this criminal Data Breach, the Court also finds that the other Plaintiffs have sufficiently alleged that they too face an imminent and substantial risk of future identity theft. See Collins, 837 S.E.2d at 315–16 ("[S]howing injury as a result of the exposure of data is easier in a case like this, where the data exposure occurs as a result of an act by a criminal whose likely motivation is to sell the data to others."). Therefore, Defendant's arguments on this point are unavailing.

4. Economic Loss Rule

Defendant also argues that Plaintiffs’ negligence claim is barred by Georgia's economic loss rule. Dkt. No. [41-1] at 23–24. Under Georgia law, the economic loss rule "generally provides that a contracting party who suffers purely economic losses must seek his remedy in contract and not in tort." Gen. Elec. Co. v. Lowe's Home Ctrs., Inc., 279 Ga. 77, 608 S.E.2d 636, 637 (2005). Accordingly, "a plaintiff can recover in tort only those economic losses resulting from injury to his person or damage to his property; a plaintiff cannot recover economic losses associated with injury to the person or damage to the property of another." Id. However, due to what is commonly referred to as the "independent duty exception," the economic loss rule "does not bar recovery of purely economic losses in tort actions where the defendant breaches a duty imposed by law or arising from a special relationship." Murray v. ILG Techs., LLC (Murray I ), 378 F. Supp. 3d 1227, 1244 (S.D. Ga. 2019) (citations omitted), aff'd, 798 F. App'x 486 (11th Cir. 2020).

Though acknowledging that courts in other data breach cases have found the independent duty exception applicable where it was determined that the defendant owed plaintiffs an independent common law duty, Defendant nevertheless argues that these decisions were erroneous—and that Plaintiffs’ negligence claim in this case is therefore barred by the economic loss rule—for two reasons. Dkt. No. [41-1] at 24 n.9. First, Defendant recycles its argument that there is no common law duty under Georgia law to protect personal information. Id. However, the Court has already determined that a common law duty does exist under the alleged circumstances of this case, so this argument fails for the reasons discussed above. Second, Defendant argues that "as a logical matter," the duty that triggers the independent duty exception cannot be the same duty allegedly giving rise to the negligence claim. Id. However, the Court finds no support for why the independent duty exception must be limited in this way. Hanover Ins. Co. v. Hermosa Constr. Group, LLC, 57 F. Supp. 3d 1389, 1396 (N.D. Ga. 2014) ("[The independent duty exception] has been applied in cases where the plaintiff identified a statutory or common law duty that would have existed absent the underlying contract." (citations omitted)); cf. E & M Constr. Co. v. Bob, 115 Ga.App. 127, 153 S.E.2d 641, 642–43 (1967). As discussed above, Defendant owed Plaintiffs an independent common law duty to exercise reasonable care in protecting their PII and PHI from the foreseeable threat of exposure through a criminal data breach. Accordingly, the economic loss rule does not bar Plaintiffs’ negligence claim.

B. Negligence Per Se

Plaintiffs also assert a claim for negligence per se based on alleged violations of duties imposed by Section 5 of the FTC Act ( 15 U.S.C. § 45 ) and HIPAA ( 42 U.S.C. § 1320d et seq. ). Dkt. No. [32] ¶¶ 215–227. "In Georgia, negligence per se arises when a defendant violates a statute or ordinance, satisfying, as a matter of law, the first two elements of a negligence claim." Amick v. BM & KM, Inc., 275 F. Supp. 2d 1378, 1381 (N.D. Ga. 2003) (citing Hubbard v. Dep't of Transp., 256 Ga.App. 342, 568 S.E.2d 559 (2002) ). Indeed, O.C.G.A. § 51-1-6 provides the following:

When the law requires a person to perform an act for the benefit of another or to refrain from doing an act which may injure another, although no cause of action is given in express terms, the injured party may recover for the breach of such legal duty if he suffers damage thereby.

For negligence per se claims, plaintiffs must also demonstrate, and the court must consider, (1) whether "the person injured by the violation is within the class of persons the statute was intended to protect[,]" and (2) whether "the harm complained of was the harm the statute was intended to guard against." Goldstein, Garber & Salama, LLC v. J.B., 300 Ga. 840, 797 S.E.2d 87, 93 (2017).

Defendant's initial suggestion that the alleged violation of a statute only establishes the standard of care and breach elements of a negligence claim—as opposed to the duty element—is an incorrect statement of law. See, e.g., Nash v. Reed, 349 Ga.App. 381, 825 S.E.2d 853, 858 (2019) ("Under Georgia law, a statute may establish a duty, and violating that statute may result in a breach of the duty, constituting negligence per se.").

Defendant has moved to dismiss this claim, arguing that neither Section 5 of the FTC Act nor HIPAA support Plaintiffs’ negligence per se claim. Dkt. No. [41-1] at 25–30. The Court begins with Defendant's arguments concerning Section 5.

First, Defendant argues that, under the Georgia Supreme Court's decision in Wells Fargo Bank, N.A. v. Jenkins, 293 Ga. 162, 744 S.E.2d 686 (2013), Section 5's prohibition on "unfair" trade practices is not sufficiently specific to support a negligence per se claim. Dkt. No. [41] at 27. Another district court applying Georgia law in a data breach case was presented with—and rejected—this same argument. See In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 478–82 (D. Md. 2020). As the court in Marriott correctly observed,

[U]nlike the statement of policy in [Jenkins] ..., Section 5 of the FTC Act is a statute that creates enforceable duties. Moreover, this duty is ascertainable as it relates to data breach cases based on the text of the statute and a body of precedent interpreting the statute and applying it to the data breach context.

Id. at 481. Furthermore, and as noted by other district courts addressing this issue, at least one circuit court of appeals has found that allegations regarding a defendant's inadequate cybersecurity measures fell within the plain meaning of Section 5's prohibition on "unfair" practices. See FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 246–47 (3d Cir. 2015). Accordingly, the Court does not find that Plaintiffs’ negligence per se claim based on Section 5 fails for this reason.

Next, and relying on Govea v. City of Norcross, 271 Ga.App. 36, 608 S.E.2d 677 (2004), Defendant argues that because there is no private right of action under Section 5, Plaintiffs cannot use Section 5 as the basis for asserting a negligence per se claim. Dkt. No. [41-1] at 27. The Court is not persuaded by this argument. First, Defendant does not fully account for the fact that, in a post- Govea decision (and in spite of the fact that the FTC Act itself provides no private right of action), the Georgia Court of Appeals held that a plaintiff could pursue a claim under O.C.G.A. § 51-1-6 based upon alleged violations of the FTC Rules. Legacy Acad., Inc. v. Mamilove, LLC, 328 Ga.App. 775, 761 S.E.2d 880, 892 (2014), rev'd in part on other grounds, 297 Ga. 15, 771 S.E.2d 868 (2015). Defendant attempts to distinguish Mamilove because that case involved the FTC Rules rather than Section 5 more generally, but the Court finds this distinction immaterial for the reasons discussed above.

Defendant also does not mention O.C.G.A. § 51-1-6, which is cited in Plaintiffs’ brief and states the following in plain terms: "When the law requires a person to perform an act for the benefit of another or to refrain from doing an act which may injure another, although no cause of action is given in express terms, the injured party may recover for the breach of such legal duty if he suffers damage thereby."

Second, the Georgia Supreme Court's analysis in Jenkins makes little sense if the rule stated in Govea is as categorical as Defendant suggests. In Jenkins, the Georgia Supreme Court specifically noted that a different statute, the Gramm-Leach-Bliley Act ("GLBA"), did not provide a private right of action, but the court nevertheless proceeded to analyze whether the GLBA otherwise imposed a duty that could form the basis of the plaintiff's negligence claim. Jenkins, 744 S.E.2d at 688. Ultimately, it was because the GLBA provided neither a duty nor standard of care—not because it lacked a private right of action—that the Georgia Supreme Court dismissed the negligence claim. Id. In light of these issues, this Court does not find that Plaintiffs’ claim fails for this reason.

Defendant moves to dismiss Plaintiffs’ HIPAA-based negligence per se claim for essentially the same reason. Dkt. No. [41-1] at 32–33. Though Defendant cites an adopted report and recommendation from this District that dismissed a HIPAA-based negligence per se claim for this reason, that decision is not binding authority, and to the extent that it was based in large part on Govea and similar reasoning, the Court finds it unpersuasive for the reasons discussed above.

Next, Defendant suggests that the Eleventh Circuit's decision in LabMD, Inc. v. FTC, 894 F.3d 1221 (11th Cir. 2018), supports dismissal of Plaintiffs’ negligence per se claim based on Section 5. Dkt. No. [41-1] at 28–29. Defendant points to the Eleventh Circuit's statement that the FTC "must find the standards of unfairness it enforces in ‘clear and well-established’ policies that are expressed in the Constitution, statutes, or the common law." LabMD, 894 F.3d at 1231 ; see also Dkt. No. [41-1] at 28–29. In essence, Defendant argues that because Georgia law does not impose a common law duty to protect personal information (following McConnell ), Plaintiffs cannot assert a Section 5 violation as the basis of their negligence per se claim.

As noted by Plaintiffs in this case and the district court in Equifax, LabMD involved a direct enforcement action by the FTC.

As discussed in detail above, the Court has already rejected the central premise of this argument, so Defendant's contention is unavailing for that reason alone. Moreover, and even assuming arguendo that Defendant was correct on this point, Defendant provides no support for the underlying suggestion that the common law of an individual state could even affect a federal statute in this way or force the statute to be construed differently based on the state in which alleged violations occurred. Nor does the Eleventh Circuit's analysis suggest such a conclusion. LabMD, 894 F.3d at 1231 (analyzing the FTC's enforcement action in light of common law negligence principles stated in the Restatement (Second) of Torts § 281 (Am. Law Inst. 1965) ).

Next, Defendant argues that Plaintiffs fail to allege facts that plausibly support an inference that Defendant acted "unfairly" and thus in violation of Section 5. Dkt. No. [41-1] at 30–32. Defendant's fundamental argument on this point is that Plaintiffs’ allegations do not contain sufficiently specific facts about Defendant's allegedly deficient data security. Dkt. No. [46] at 18–19.

The Court disagrees. Here, Plaintiffs allege that the threat of cyberattacks, especially to healthcare providers like Defendant, was well-known to the public and within Defendant's industry. Dkt. No. [32] ¶¶ 83–85. Plaintiffs also assert that the kind of phishing attack allegedly used in the Data Breach is among the most common and widely known forms of cyberattack and that such attacks can be reasonably guarded against with a variety of preventative measures. Id. ¶¶ 86–87. They further allege that Defendant "failed to properly implement basic data security practices, including failing to implement multifactor authentication," and that this failure constituted an unfair act or practice under Section 5. Id. ¶ 93. When viewing Plaintiffs’ allegations in their most favorable light, the reasonable inference is that Defendant did not implement reasonable data security measures that could have prevented or at least mitigated the Data Breach. The Court therefore finds that Plaintiffs’ ultimate allegation—that Defendant breached a duty under Section 5 by failing to provide reasonable data security for Plaintiffs’ private information—is sufficiently supported by Plaintiffs’ other factual allegations. Id. ¶ 223.

Finally, Defendant argues in a footnote that Plaintiffs’ claims do not satisfy 15 U.S.C. § 45(n) ’s requirement that the allegedly unfair act or practice "is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition." Dkt. No. [41-1] at 31 n.12. First, Defendant cites an earlier decision by the Eleventh Circuit in the LabMD matter, arguing that Plaintiffs have not suffered any tangible injury and thus have not alleged a substantial injury. Id. (citing LabMD, Inc. v. FTC, 678 F. App'x 816 (11th Cir. 2016) ). In that decision, the Eleventh Circuit noted that "[t]he FTC's ruling did not point to any tangible harm to any consumer, because there is no evidence that any consumer suffered a harm such as identity theft or physical harm." 678 F. App'x at 820. But here, Plaintiff Johnson alleges that she has, in fact, suffered identity theft as a result of the Data Breach, so the central premise of Defendant's argument—that Plaintiffs have not alleged any tangible injury and thus not a substantial injury—is neither factually correct nor supported by the case law Defendant cites. Dkt. No. [32] ¶¶ 64–78.

Defendant's second argument on this issue is similarly without merit. Defendant maintains that Plaintiffs’ factual allegations fail to demonstrate that Plaintiffs’ alleged injury was not reasonably avoidable and not outweighed by countervailing benefits. Dkt. No. [41-1] at 31 n.12. Here, Plaintiffs have alleged that as a condition of either employment or medical care (and in the course of such medical care), they provided Defendant with their private information and that this information was compromised in the Data Breach. See, e.g., Dkt. No. [32] ¶¶ 6, 32–34, 40–48. Plaintiffs also allege that they have taken reasonable steps to protect their private information but that the delay in Defendant's discovery of the Data Breach hindered them from promptly mitigating its consequences. Id. ¶¶ 38, 148. It is easily inferable from these allegations that Plaintiffs did not have the means to "reasonably avoid" substantial injury under the circumstances of the Data Breach. Similarly, because Plaintiffs allege that Defendant failed to implement reasonable security measures to protect Plaintiffs’ private information from well-known forms of cyberattack, the Court has little trouble concluding that the injury alleged in this case is not outweighed by any "countervailing benefits." Wyndham Worldwide, 799 F.3d at 255 ("[T]he relevant inquiry here is a cost-benefit analysis[ ] ... that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.").

Finally, and as with Plaintiffs’ negligence claim, Defendant argues that Plaintiffs’ negligence per se claim fails because Plaintiffs have not alleged a cognizable injury and because of the economic loss rule. Dkt. No. [41-1] at 33 n.15 (incorporating arguments on these issues raised earlier in Defendant's briefing). The Court has already addressed and rejected Defendant's arguments on the injury element. See supra Part III.A.3. With regard to the application of the economic loss rule, much of the parties’ briefing on this issue focuses on the independent duty exception. And within the parties’ discussion of the independent duty exception, much of their briefing is focused on whether Georgia law recognizes an independent common law duty to protect personal information. Still, Plaintiffs also argue that the economic loss rule does not apply in this case because Defendant's duty to protect patient data is imposed by several other laws. Dkt. No. [44] at 26. In response to this argument, Defendant maintains that the Second Amended Complaint does not allege that Defendant owed Plaintiffs a statutory duty that would trigger application of the independent duty exception. Dkt. No. [46] at 14 n.10.

However, Plaintiffs have alleged that Defendant was obligated under HIPAA to reasonably protect or otherwise keep their private information confidential. See, e.g., Dkt. No. [32] ¶ 81, 105, 164, 219–220. And for the reasons discussed above, Plaintiffs’ HIPAA-based negligence per se claim has not been dismissed. Ultimately, because this issue was not briefed in any significant detail by either party, and because it remains Defendant's burden at this stage to demonstrate that certain claims must fail as a matter of law, the Court declines to dismiss Plaintiffs’ negligence per se claim on this basis.

It is unclear based on Plaintiffs’ briefing whether they are referring only to HIPAA or also to Section 5 when they argue that "the duty to protect patient data is imposed by several laws ...." Dkt. No. [44] at 26 (emphasis added). As discussed above, both HIPAA and Section 5 are cited in the Second Amended Complaint as a basis for Plaintiffs’ negligence per se claim.

C. Intrusion into Private Affairs or Invasion of Privacy

In Count Two, Plaintiffs assert a claim for "intrusion into private affairs / invasion of privacy." Dkt. No. [32] ¶¶ 172–181. Defendant moves to dismiss this claim, arguing that Plaintiffs’ allegations do not support an invasion of privacy claim under Georgia law. Dkt. No. [41-1] at 33–36. Under Georgia law,

there are four disparate torts under the common name of invasion of privacy. These four torts may be described briefly as: (1) intrusion upon the plaintiff's seclusion or solitude, or into his private affairs; (2) public disclosure of embarrassing private facts about the plaintiff; (3) publicity which places the plaintiff in a false light in the public eye; and (4) appropriation, for the defendant's advantage, of the plaintiff's name or likeness.

McConnell, 828 S.E.2d at 359 (citation omitted). In this case, Plaintiffs’ invasion of privacy claim invokes the first sub-category because Plaintiffs allege that Defendant's conduct intruded upon their seclusion and into their private affairs. See Dkt. No. [32] ¶¶ 175, 178.

The Georgia Supreme Court has held that a claim for intrusion upon seclusion fundamentally "involves a prying or intrusion, which would be offensive or objectionable to a reasonable person, into a person's private concerns." See Yarbray v. S. Bell Tel. & Tel. Co., 261 Ga. 703, 409 S.E.2d 835, 837 (1991). "In order to show the tort of unreasonable intrusion, a plaintiff must show a physical intrusion which is analogous to a trespass; however, this ‘physical’ requirement can be met by showing that the defendant conducted surveillance on the plaintiff or otherwise monitored plaintiff's activities." Sitton v. Print Direct., Inc., 312 Ga.App. 365, 718 S.E.2d 532, 537 (2011) (quotation marks and citations omitted); see also Summers v. Bailey, 55 F.3d 1564, 1566 (11th Cir. 1995). Here, Plaintiffs allege that Defendant invaded their privacy and intruded into their private affairs "[b]y intentionally failing to keep Plaintiffs and Class Members’ Private Information safe, and by intentionally misusing and/or disclosing said information to unauthorized parties for unauthorized use ...." Dkt. No. [32] ¶ 176. Defendant maintains that Plaintiffs’ allegations are insufficient to support their claim for intrusion upon seclusion. Dkt. No. [41-1] at 33–34.

The Court agrees with Defendant and finds Plaintiffs’ arguments to the contrary unpersuasive. See Dkt No. [44] at 34–35. Aside from conclusory allegations that Defendant "intentionally fail[ed]" to keep Plaintiffs’ sensitive information safe and "intentionally misused[ed] and/or disclos[ed] said information to unauthorized parties for unauthorized use[,]" Plaintiffs have not plausibly alleged any facts indicating that Defendant—as opposed to the third party that allegedly carried out the Data Breach—actively participated in the alleged intrusion into Plaintiffs’ affairs. See Dkt. No. [32] ¶ 176. Instead, the central narrative of Plaintiffs’ factual allegations is that Defendant failed to take sufficient precautions to prevent this intrusion. See, e.g., id. ¶¶ 6–10. Consequently, the Court need not accept Plaintiffs’ allegation that Defendant "intentionally invaded Plaintiffs’ and Class Members’ privacy by intentionally and substantially intruding into [their] private affairs[,]" see id. ¶ 176, because "labels and legal conclusions couched as factual allegations enjoy no presumption of truth and offer no support to the sufficiency of the complaint." Gunder's Auto Ctr. v. State Farm Mut. Auto Ins. Co., 422 F. App'x 819, 821 (11th Cir. 2011) (citing Iqbal ).

Moreover, even if one accepts Plaintiffs’ allegations for the sake of argument, they are still insufficient for stating a claim for intrusion upon seclusion under Georgia law. See Benedict v. State Farm Bank, FSB, 309 Ga.App. 133, 709 S.E.2d 314, 318 (2011) ("Because [the plaintiff] does not allege any conduct that is akin to surveillance, a physical trespass upon his property, or a physical touching of his person, we must conclude that [the plaintiff] fails to state a claim upon which relief can be granted under any of our intrusion precedents."). Accordingly, Plaintiffs’ claim for invasion of privacy (based on alleged intrusion upon seclusion) is DISMISSED.

D. Breach of Confidence

In Count Seven, Plaintiffs assert a claim for breach of confidence. Dkt. No. [32] ¶¶ 248–259. Defendant argues that this claim fails because its alleged misconduct does not constitute the tort of breach of confidence. Dkt. No. [41-1] at 35–36. The Court agrees.

"A breach of confidence ... involves ‘the unconsented, unprivileged disclosure to a third party of nonpublic information that the defendant has learned within a confidential relationship.’ " Muransky v. Godiva Chocolatier, 979 F.3d 917, 932 (11th Cir. 2020) (citations omitted). As discussed in the preceding section, Plaintiffs’ core allegation is that their private information was compromised in a criminal cyberattack after Defendant failed to take reasonable steps to prevent this foreseeable risk. As in Brinker, Plaintiffs’ allegations are insufficient to support a breach of confidence claim because there are no alleged facts suggesting that Defendant disclosed Plaintiffs’ information to a third party: "[The defendant] did not do any act that made Plaintiffs’ information known—the information was stolen by third-parties.... Simply put, [the defendant] made no disclosure, thus, this count is due to be dismissed." Brinker, 2020 WL 691848, at *22.

Plaintiffs maintain that their breach of confidence claim should survive because they have alleged that Defendant (1) allowed the disclosure to happen and (2) failed to heed warnings that its records might be targeted in a cyberattack. See Dkt. No. [44] at 37. This argument is unavailing: "Even assuming, arguendo, that [the defendant's] inadequate security facilitated the theft, such a claim would lie in negligence not breach of confidence." Brinker, 2020 WL 691848, at *22. Accordingly, Plaintiffs’ breach of confidence claim is DISMISSED.

E. Breach of Contract Claims

In Count Three, Plaintiffs Purvis and J.A. assert a claim for breach of express contract. Dkt. No. [32] ¶¶ 182–200. In Count Four, Plaintiffs assert a claim for breach of implied contract on behalf of all Plaintiffs and all Class Members. Id. ¶¶ 201–214. Defendant moves to dismiss these claims, primarily arguing that the Second Amended Complaint fails to adequately allege that Defendant assented to either an express or an implied contractual duty to protect Plaintiffs’ private information. Dkt. No. [41-1] at 36–43. Under Georgia law, a valid contract requires "parties able to contract, a consideration moving to the contract, the assent of the parties to the terms of the contract, and a subject matter upon which the contract can operate." O.C.G.A. § 13-3-1. "Mutual assent, or a meeting of the minds, ‘is the first requirement of the law relative to contracts.’ " Doe v. Emory Univ., No. 1:20-CV-2002-TWT, 2021 WL 358391, at *5 (N.D. Ga. Jan. 22, 2021) (quoting Simmons v. McBride, 228 Ga.App. 752, 492 S.E.2d 738 (1997) ). As for the assent requirement:

Count III is not asserted by Plaintiff Johnson or on behalf of the Employee Subclass. Plaintiff Johnson has withdrawn her claim for breach of express contract, which she asserted on behalf of herself and the Employee Subclass in Count Eight. Dkt. No. [44] at 40 n.7.

[Georgia] courts apply an objective theory of intent whereby one party's intention is deemed to be that meaning a reasonable man in the position of the other contracting party would ascribe to the first party's manifestations of assent, or that meaning which the other contracting party knew the first party ascribed to his manifestations of assent. Further, ... the circumstances surrounding the making of the contract, such as correspondence and discussions, are relevant in deciding if there was a mutual assent to an agreement. Where such extrinsic evidence exists and is disputed, the question of whether a party has assented to the contract is generally a matter for the jury.

Id. (quoting Turner Broad. Sys. Inc. v. McDavid, 303 Ga.App. 593, 693 S.E.2d 873 (2010) ).

1. Plaintiffs Purvis and J.A.’s Express Contract Claim

"An express contract is one where the intention of the parties and the terms of the agreement are declared or expressed by the parties, in writing or orally, at the time it is entered into." Classic Restorations, Inc. v. Bean, 155 Ga.App. 694, 272 S.E.2d 557, 562 (1980) (citation omitted). Plaintiffs Purvis and J.A. allege that they entered an express contract with Defendant when Plaintiff Purvis brought Plaintiff J.A. to Defendant for medical care in 2018. Dkt. No. [32] ¶ 184. Plaintiffs allege that their express agreements with Defendant included a promise to protect Plaintiffs’ (and Class Members’) PII and PHI, which was allegedly embodied in Defendant's Privacy Policy and other documents. Id. ¶ 186, 188.

Though Plaintiffs use the term "Privacy Notice" in their Second Amended Complaint, the parties do not appear to dispute that Plaintiffs are in fact referring to Defendant's "Privacy Policy," which Defendant has attached to its Motion to Dismiss. See Dkt. No. [41-2].

Defendant maintains that Plaintiffs Purvis and J.A. do not adequately allege that Defendant's Privacy Policy constituted (or was part of) an express contract between the parties. Dkt. No. [41-1] at 37–39. In particular, Defendant argues that Plaintiffs Purvis and J.A. fail to plead that they saw, received, read, relied upon, or were even aware of Defendant's Privacy Policy when they chose Defendant as a healthcare provider. Id. The Court disagrees.

Though Plaintiffs Purvis and J.A. do not explicitly state that they saw, read, or relied upon Defendant's Privacy Policy, they do allege that they entered into an express contract with Defendant when Plaintiff Purvis brought J.A. to Defendant for medical care in 2018. Dkt. No. [32] ¶ 184. They also allege that their express contracts for medical services with Defendant "include[ed] (among other documents) Defendant's Privacy Notice[,]" and that "the express contracts to provide medical and health care services ... include Defendant's promise to protect nonpublic Private Information given to Defendant ...." Id. ¶¶ 184–185, 189. Additionally, they allege that, "at all relevant times, Defendant expressly represented in its Privacy Notice that it would ... maintain the privacy of protected health information." Id. ¶ 189. Finally, Plaintiffs have also alleged that the Privacy Policy was available upon request to all patients and was also posted on Defendant's website. Id. ¶ 29. While Plaintiffs’ allegations could be clearer and more detailed, the Court does not find that they are so deficient as to require dismissal. When viewing these allegations in the light most favorable to Plaintiffs, it is reasonably inferable—at least at this stage—that Plaintiffs became aware of Defendant's Privacy Policy when they sought medical services from Defendant in 2018 and allegedly entered a contract for such services.

Second, Defendant argues that Plaintiffs do not allege facts showing that Defendant's representations in its Privacy Policy were intended to form an enforceable, contractual duty to protect Plaintiffs’ private information "against any potential compromise." Dkt. No. [41-1] at 38. However, Plaintiffs do not allege that Defendant expressly promised protection from "any potential compromise," but rather that Defendant represented—including in its Privacy Policy—that it would "implement data security adequate to safeguard and protect the privacy of [their] Private Information." Dkt. No. [32] ¶ 190. As Plaintiffs note, even the disclaimer that Defendant cites from its own Privacy Policy (not to mention the sentence preceding this disclaimer) implies that Defendant was agreeing to provide some baseline form of data security. See Dkt. No. [41-2] at 9 ("We use a combination of multiple firewalls and multiple levels of physical security to protect the Personal Information you share with us from unauthorized access or disclosure. However, you should know that no company, including Aveanna Healthcare, can fully eliminate security or other risks associated with the possession of Personal Information.").

As previously noted, Defendant has attached its Privacy Policy to its Motion to Dismiss. Dkt. No. [41-2]. "[W]here the plaintiff refers to certain documents in the complaint and those documents are central to the plaintiff's claim, then the Court may consider the documents as part of the pleadings for purposes of Rule 12(b)(6) dismissal, and the defendant's attaching such documents to the motion to dismiss will not require conversion of the motion into a motion for summary judgment." Brooks v. Blue Cross & Blue Shield of Fla., Inc., 116 F.3d 1364, 1369 (11th Cir. 1997).

Finally, the Court is unpersuaded by Defendant's argument that other courts have declined to permit statements in a privacy policy to be deemed contractual obligations. Dkt. No. [41-1] at 38–39. While Defendant is correct that some courts have reached this conclusion, none of those decisions are binding authority, and Plaintiffs correctly argue in response that other courts have reached the opposite conclusion. This Court finds the latter decisions more persuasive. See, e.g., In re Marriott, 440 F. Supp. 3d at 482–86.

2. Plaintiffs’ Implied Contract Claim

"An implied contract is one not created or evidenced by distinct and explicit language, but inferred by the law as a matter of reason and justice." Bean, 272 S.E.2d at 562–63. "Contracts implied in fact are inferred from the facts and circumstances of the case ...." Dawes Mining Co. v. Callahan, 154 Ga.App. 229, 267 S.E.2d 830, 832 (1980). Here, Plaintiffs allege (on behalf of all Plaintiffs and Class Members) that when they provided their private information to Defendant "in exchange for Defendant's services, or as a condition of employment, they entered into implied contracts with Defendant" through which Defendant "agreed to reasonably protect such Private Information." Dkt. No. [32] ¶ 202.

Before turning to Defendant's arguments and an analysis of Plaintiffs’ allegations, the Court makes one note about the nature and scope of Plaintiffs’ breach of implied contract claim. Similar to Plaintiffs’ claim for breach of fiduciary duty (which is also asserted by all Plaintiffs), it appears that Plaintiffs have in fact pled the existence of two distinct implied contracts—one that allegedly arose between Defendant and the patient-Plaintiffs who sought Defendant's healthcare services, and the other between Defendant and its employees (including Plaintiff Johnson) who allegedly provided personal information to Defendant as a condition of employment. Id. As illustrated below, the Court will consider the sufficiency of Plaintiffs’ allegations in light of this distinction.

Turning to Defendant's arguments, and as an initial matter, one of Defendant's overarching arguments is that, where the parties have an express contract that governs their relationship, a plaintiff may not alternatively allege the existence of an implied contract between the parties. See Dkt. No. [46] at 22–24. However, Defendant is only partly correct. Under Georgia law, "[t]here cannot be an express and implied contract for the same thing existing at the same time between the same parties." Ga. Real Est. Props., Inc. v. Lindwall, 303 Ga.App. 12, 692 S.E.2d 690, 693 (2010). Thus, "it is only when the parties do not expressly contract[ ] that the law interposes and raises an implied promise." Beacon Indus., Inc. v. Vanderbunt Concrete, Ltd., 172 Ga.App. 573, 323 S.E.2d 871, 873 (1984). But, contrary to Defendant's argument, "a plaintiff may plead theories of express contract and implied contract alternatively, [though] recovery may only be had upon one theory or the other." Id.; see also Williams v. Corp. of Mercer Univ., No. 5:20-CV-361 (LAG), 542 F.Supp.3d 1366, 1376-77 (M.D. Ga. June 7, 2021). Thus, Plaintiffs are not prohibited from alleging an implied contract claim in the alternative, and so the only relevant question at this time is whether Plaintiffs’ implied contract allegations are otherwise sufficient to survive Defendant's Motion to Dismiss.

Defendant initially appears to have argued (1) that Plaintiffs only alleged the existence of additional implied terms of the parties’ existing contractual relationship, and (2) that Georgia law would not support the imposition of such terms unless one of the contracting parties would receive no benefit at all from the contract without implying the term. Dkt. No. [41-1] at 40–42. However, Plaintiffs appear to instead allege (and argue) in the alternative that separate implied contracts existed between themselves and Defendant. Dkt. Nos. [32] ¶¶ 201–214; [44] at 38–40.

Aside from suggesting that Plaintiffs cannot plead an implied contract claim in the alternative (or that an additional term should not be implied into the parties’ pre-existing agreements), Defendant's primary argument is that Plaintiffs fail to point to any acts or words indicating Defendant's intent to provide data security as a contractual promise. Dkt. No. [41-1] at 41. The Court disagrees, at least with regard to Plaintiffs Purvis and J.A.’s (the patient-Plaintiffs’) claim. Plaintiffs specifically point to Defendant's Privacy Policy as one indication of Defendant's intent to enter into an implied contract that included a promise to "reasonably protect" Plaintiffs’ private information. Dkt. No. [32] ¶ 205. Plaintiffs also allege that the Privacy Policy was made available to patients upon request and was posted on Defendant's website. Id. ¶ 29. Plaintiffs Purvis and J.A.’s allegations are therefore sufficient for this stage of the litigation and do not fail for the reasons argued in Defendant's brief. See, e.g., Smith v. Triad of Ala., LLC, No. 1:14-CV-324-WKW, 2015 WL 5793318, at *14–15 (M.D. Ala. Sep. 29, 2015) ; Irwin v. RBS Worldpay, Inc., No. 1:09-CV-0033-CAP, 2010 WL 11570892, at *6 (N.D. Ga. Feb. 5, 2010).

Defendant also suggests in its Reply that Plaintiffs have "failed to establish consideration, given that Plaintiffs’ express contracts independently required provision of [their] data," but, again, Plaintiffs have alleged an implied contract claim in the alternative. Dkt. No. [46] at 24.

However, the Court reaches the opposite conclusion regarding Plaintiff Johnson's implied contract claim (the employee-Plaintiff). Plaintiffs allege that Plaintiff Johnson and other employees "provided their labor and employee services to Defendant, in addition to turning over their PII, in exchange for Defendant's promise to protect their PII from unauthorized disclosure." Dkt. No. [32] ¶ 204. However, Plaintiffs do not point to any other facts or circumstances that indicate how Defendant allegedly manifested an intent to provide data security as part of the parties’ employment agreement. Instead, Plaintiffs appear to suggest that Defendant's intent to provide such security was illustrated by the fact that Plaintiffs had to supply their PII as a condition of employment. Without more, this allegation is insufficient to support Plaintiffs’ claim. E.g., compare Longenecker-Wells v. Benecard Servs. Inc., 658 F. App'x 659, 662 (3d Cir. 2016) (dismissing employees’ implied contract claim) with In re GE/CBPS Data Breach Litig., No. 20 Civ. 2903 (KPF), 2021 WL 3406374, at *11–12 (S.D.N.Y. Aug. 4, 2021) (permitting implied contract claim to proceed where plaintiff pointed to company's policy documents, which expressed, inter alia, a commitment to protecting employee data). Accordingly, Plaintiffs’ breach of implied contract claim may proceed as to Plaintiffs Purvis and J.A., but this claim is DISMISSED WITHOUT PREJUDICE as to Plaintiff Johnson.

Plaintiffs allege (generally) that Defendant "manifested its intent to enter into an implied contract that included a contractual obligation to reasonably protect Plaintiffs and Class Member’ Private Information through, among other things, its Privacy Notice." Dkt. No. [32] ¶ 205. However, Plaintiffs specifically plead that the Privacy Policy was made available to patients, but they do not allege that the Privacy Policy was ever given to (or was otherwise applicable to) employees. Id. ¶ 29.

F. Breach of Fiduciary Duty

Defendant also moves to dismiss Plaintiffs’ claim for breach of fiduciary duty. Dkt. No. [41-1] at 43. A claim for breach of fiduciary duty has three elements under Georgia law: "(1) the existence of a fiduciary duty; (2) breach of that duty; and (3) damage proximately caused by the breach." Bedsole v. Action Outdoor Advert. JV, LLC, 325 Ga.App. 194, 750 S.E.2d 445, 452 (2013) (quotation marks and citations omitted). "Fiduciary duties and obligations are owed by those in confidential relationships, i.e., relationships ‘where one party is so situated as to exercise a controlling influence over the will, conduct, and interest of another or where, from a similar relationship of mutual confidence, the law requires the utmost good faith[ ] ....’ " Atlanta Mkt. Ctr. Mgmt., Co. v. McLane, 269 Ga. 604, 503 S.E.2d 278, 281 (1998) (quoting O.C.G.A. § 23-2-58). A confidential relationship that gives rise to a fiduciary duty "may be created by law, contract, or the facts of a particular case." Douglas v. Bigley, 278 Ga.App. 117, 120, 628 S.E.2d 199 (2006) (citation omitted). And because "a confidential relationship may be found whenever one party is justified in reposing confidence in another, the existence of [this] relationship is generally a factual matter for the jury to resolve." Id. (quotation marks and citation omitted).

In this case, Plaintiffs assert that Defendant owed and breached two fiduciary duties. First, Plaintiffs allege that Defendant, as a healthcare provider, owed a fiduciary duty to the patient-Plaintiffs to keep their private information secure. Dkt. No. [32] ¶ 230. Second, Plaintiffs also allege that Defendant separately owed a fiduciary duty to its employees to keep their private information secure. Id. ¶ 231. Plaintiffs allege that Defendant breached both duties in various ways through its conduct (or inaction) related to the Data Breach.

Defendant first argues that Georgia law does not recognize a fiduciary duty owed by healthcare providers that extends beyond a physician's duty to a patient in administering care. Dkt. No. [41-1] at 43–44. Defendant notes that, under Georgia law, hospitals do not owe patients a fiduciary duty in setting the prices of medical treatment. Id. Defendant also argues that Georgia law does not support the finding of a confidential relationship simply because Plaintiffs were required to provide personal information as a condition of receiving Defendant's services. Id.

The Court is not persuaded by Defendant's arguments on this issue. As another court applying Georgia law has concluded, "the fact that Defendant involved itself in the provision of medical care of Plaintiffs could suggest a confidential relationship." Bishop v. Shorter Univ., Inc., No. 4:15-CV-0033-HLM, 2015 WL 13753710, at *8 (N.D. Ga. June 4, 2015). As for Defendant's first argument—that Georgia law does not recognize a fiduciary duty between hospitals and patients in terms of prices a hospital charges for care—this does not foreclose the possibility that hospitals or other similar healthcare providers may owe patients a fiduciary duty in other contexts. Morrell v. Wellstar Health Sys., Inc., 280 Ga.App. 1, 633 S.E.2d 68, 73–74 (2006). Indeed, Morrell expressly leaves open the possibility that a hospital may owe a fiduciary duty to patients under some circumstances. Id. at 74.

Morrell also helps to illustrate why Defendant's second argument—which is that a fiduciary duty does not attach by virtue of an entity receiving a consumer's personal information in exchange for services—is also unavailing in light of Plaintiffs’ allegations. In Morrell, the Georgia Court of Appeals reasoned that hospitals do not owe patients a fiduciary duty regarding the price of care because "when nonprofit hospitals and their patients enter into agreements on the price to be charged for medical care, they are ordinarily engaged in business transactions indistinguishable from those engaged in by for-profit corporations with no confidential or fiduciary relationship between the parties." Id. But here, Plaintiffs’ alleged relationship with Defendant was different from standard consumer transactions insofar as it necessarily entailed the patient-Plaintiffs sharing and disclosing private health information with Defendant that was akin to the health information that would be communicated to a physician when receiving medical care. See, e.g., Dkt. No. [32] ¶¶ 25–27, 31–32, 42–43; see also Bishop, 2015 WL 13753710, at *8. Accordingly, when viewing Plaintiffs’ allegations in the light most favorable to them, the Court finds that there is an issue of fact—at least at this stage—as to whether the patient-Plaintiffs were "justified in reposing confidence" in Defendant with regard to the security of their private information, including their medical information and PHI. Douglas, 278 Ga.App. at 120, 628 S.E.2d at 204.

The Court must still consider Plaintiffs’ allegations that Defendant owed Plaintiff Johnson (the former-employee Plaintiff) and its employees a separate fiduciary duty. Defendant argues that there was no fiduciary duty or confidential relationship between the Defendant and Plaintiff Johnson. Dkt. No. [41-1] at 44–45.

As a general rule under Georgia law, "[t]he employee-employer relationship is not one from which the law will necessarily imply fiduciary obligations." McLane, 503 S.E.2d at 281–82. Still, "the facts of a particular case may establish the existence of a confidential relationship between an employer and an employee" under certain circumstances. See id.

Defendant argues it did not owe Plaintiff Johnson and other employees a fiduciary duty simply by virtue of employing her and, secondly, that Plaintiffs fail to plead any additional facts that would support the finding of a fiduciary duty under the circumstances of this case. Dkt. No. [41-1] at 44–45. In response, Plaintiffs argue that Georgia law recognizes a fiduciary duty in the employer-employee context under certain factual circumstances, and they also note that, in some of the case law cited by Defendant, the fiduciary-duty determination was made at summary judgment, not on a motion to dismiss. Dkt. No. [44] at 43–44.

The Court agrees with Defendant on this issue. Though it is true that "the facts of a particular case may establish the existence of a confidential relationship between an employer and an employee," see McLane, 503 S.E.2d at 281, Plaintiffs’ allegations (as discussed below) do not approximate the factual scenarios in which Georgia courts have found this exception applicable. See, e.g., Cochran v. Murrah, 235 Ga. 304, 219 S.E.2d 421, 422–424 (1975) (finding potential employer-employee confidential relationship where the plaintiff worked for his employer for eight years, lived rent-free in a house on the employer's property, relied upon the employer to pay him whatever wages were due to him, and, when he was severely injured and bed-ridden, allegedly relied on his employer's misrepresentations and signed (without reading) paperwork that released the plaintiff's claims and limited the amount he would receive for his medical expenses).

Here, Plaintiffs allege that, as a condition of employment, the employee-Plaintiffs were required to provide Defendant with personal information such as their names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, work histories, and direct deposit banking information. See Dkt. No. [32] ¶¶ 34, 47–48. Apparently on this basis, Plaintiffs assert that there existed a "special relationship" between Defendant and the Employee Subclass Members such that Defendant owed them a fiduciary duty to keep their personal information secure. Id. ¶¶ 229, 231. However, the gathering of such information is a common practice for almost any form of employment and does not by itself suggest that Plaintiff Johnson and the Employee Subclass Members were thereby relying upon or trusting their employer in unique or exceptional ways. Thus, even when viewing Plaintiffs’ allegations in the light most favorable to them, there are no alleged facts from which the Court can reasonably infer that the employee-employer relationship in this case was anything other than the "arm's-length" employment relationship that generally does not give rise to a fiduciary duty under Georgia law. See Cochran, 219 S.E.2d at 422–424; cf. McConnell, 305 Ga. at 818, 828 S.E.2d 352 ("[T]he complaint alleged merely that the Department, as the gatekeeper to unemployment benefits, required McConnell and the others to provide personal information in order to receive benefits. Such conduct is common between citizens and government agencies and is insufficient to show a fiduciary relationship.").

For the reasons discussed above, Plaintiffs’ claim for breach of fiduciary duty may proceed as to Plaintiffs Purvis and J.A. but is DISMISSED WITHOUT PREJUDICE as to Plaintiff Johnson.

IV. CONCLUSION

In accordance with the foregoing, Defendant Aveanna Healthcare, LLC's Motion to Dismiss [41] is GRANTED IN PART and DENIED IN PART. To summarize, Defendant's Motion is GRANTED as to the following claims:

• Plaintiffs’ claim for invasion of privacy based on intrusion upon seclusion and into private affairs (Count Two) is DISMISSED.

• Plaintiffs’ claim for breach of implied contract (Count Four) is DISMISSED WITHOUT PREJUDICE as to Plaintiff Johnson.

• Plaintiffs’ claim for breach of fiduciary duty (Count Six) is DISMISSED WITHOUT PREJUDICE as to Plaintiff Johnson.

• Plaintiffs’ claim for breach of confidence (Count Seven) is DISMISSED.

As previously noted, Plaintiff Johnson has also abandoned her breach of express contract claim (Count Eight). Dkt. No. [44] at 40 n.7.

As discussed in detail above, Defendant's Motion is otherwise DENIED as to all other claims.

IT IS SO ORDERED this 27th day of September, 2021.


Summaries of

Purvis v. Aveanna Healthcare, LLC


dismissing breach-of-confidence claim premised on allegations that "Defendant allowed the disclosure to happen and failed to heed warnings that its records might be targeted in a cyberattack"

Summary of this case from Farmer v. Humana, Inc.