Opinion
3:20-CV-00947-NJR
06-29-2021
LEAHA SWEET and BRADLEY DEAN TAYLOR, on behalf of themselves and all others similarly situated, Plaintiffs, v. BJC HEALTH SYSTEM, d/b/a BJC HEALTHCARE, and BJC COLLABORATIVE, LLC, Defendants.
MEMORANDUM AND ORDER
NANCY J. ROSENSTENGEL CHIEF U.S. DISTRICT JUDGE
Pending before the Court is a Motion to Dismiss (Doc. 34) filed by Defendant BJC Healthcare (“BJC”), a Motion to Dismiss (Doc. 35) filed by Defendant BJC Collaborative, LLC (“Collaborative”), and a Motion to Strike (Doc. 45) by Plaintiffs. For the reasons set forth below, the Court denies in part and grants in part the Motions to Dismiss and denies the Motion to Strike.
Factual & Procedural Background
This action stems from a data security incident which occurred in March 2020 (the “Incident”) in which unauthorized individuals temporarily gained access to the employee email accounts of three employees of BJC. Plaintiffs Leaha Sweet and Bradley Dean Taylor allege that among the documents accessed by the unauthorized intruders were some that included the names of BJC patients and their Social Security numbers, driver's license numbers, dates of birth, medical record or patient account numbers, and treatment and/or clinical information (such personal health information, “PHI”) (Doc. 30 at 1-2). Plaintiffs state that they were among a group of BJC patients who received notice that their PHI had been exposed. Plaintiffs concede that the relevant BJC employees were based in Missouri at the time of this incident, and that the computers and servers involved were based in Missouri (Id. at 8). Collaborative, Plaintiffs allege, is a subsidiary of BJC to which BJC delegated responsibility for maintaining cybersecurity and safeguarding the PHI of BJC patients (Id. at 4).
Sweet originally filed this action in September 2020 against BJC (Doc. 1), and Taylor joined the action with the filing of the First Amended Complaint on December 14, 2020, which added Collaborative as a defendant (Doc. 18). Sweet and Taylor both indicate that they are citizens of Illinois and that their PHI was exposed in the Incident (Doc. 30 at 2). Plaintiffs indicate that Taylor was a patient at BJC facilities in Illinois (Id. at 4), while Sweet was treated only at BJC facilities in Missouri (Doc. 42 at 6). BJC is a Missouri nonprofit corporation with its principal place of business in Missouri, and Collaborative is a Missouri LLC with one or more members that are citizens of Illinois (Doc. 30 at 3). Plaintiffs indicate that they are part of a class of Illinois plaintiffs whose PHI was exposed in the Incident and that the damages of Plaintiffs and the proposed class exceed $5,000,000, exclusive of interest and costs (Id. at 2-3). Subject matter jurisdiction is predicated on 28 U.S.C. § 1332(d), which grants district courts jurisdiction over class actions where the amount in controversy is over $5,000,000 and any member of the plaintiff class is diverse from any defendant.
As for personal jurisdiction over Defendants, Plaintiffs represented that the Court has general and specific jurisdiction, as “Defendants have continuous and systematic general business contacts with Illinois.” Plaintiffs stated that Collaborative is a citizen of Illinois, while BJC operates hospitals in the state (Id. at 3-4).
In their Second Amended Complaint of February 24, 2021, Plaintiffs listed ten counts against Defendants, as follows:
Count I: Unjust Enrichment
Count II: Breach of Contract
Count III: Negligence
Count IV: Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”)
Count V: Negligence Per Se
Count VI: Breach of Covenant of Good Faith and Fair Dealing
Count VII: Invasion of Privacy
Count VIII: Vicarious Liability
Count IX: Bailment
Count X: Missouri Merchandising Practicing Act (“MMPA”)(Doc. 30).
After Plaintiffs filed their Second Amended Complaint, Defendants filed separate Motions to Dismiss (Doc. 34, 35). Defendants argue that this Court lacks personal jurisdiction over BJC, that Plaintiffs fail to allege an injury sufficient to confer standing, that Plaintiffs' complaint should be dismissed in its entirety for failure to state a claim, and in the alternative, that various individual counts should be dismissed for failure to state a claim.
I. Personal Jurisdiction
Defendants move to dismiss claims pursuant to Federal Rule of Civil Procedure 12(b)(2) for lack of personal jurisdiction. Where a defendant seeks to dismiss based on a lack of personal jurisdiction, the plaintiff bears the burden of establishing such jurisdiction. E.g., Kipp v. Ski Enter. Corp. of Wis., 783 F.3d 695, 697 (7th Cir. 2015).
In diversity actions, a federal court will look to the law of personal jurisdiction of the forum state. E.g., Hyatt Int'l Corp. v. Coco, 302 F.3d 707, 713 (7th Cir. 2002). The long-arm statute of Illinois authorizes personal jurisdiction co-extensive with federal due process, and the Seventh Circuit has suggested that there is no operative difference between Illinois and federal due process limits on personal jurisdiction. 735 Ill. Comp. Stat. 5/2-209(c); Hyatt Int'l Corp. v. Coco, 302 F.3d 707, 715 (7th Cir. 2002).
Under federal law, a court can have personal jurisdiction over a defendant where the defendant has “certain minimum contacts with [the forum state] such that the maintenance of the suit does not offend traditional notions of fair play and substantial justice.” Int'l Shoe Co. v. State of Wash., 326 U.S. 310, 316 (1945) (quotations omitted). Courts have recognized two categories of personal jurisdiction: general and specific. E.g., Poletti v. Syngenta AG (In re Syngenta Mass. Tort Actions), 272 F.Supp.3d 1074, 1082 (S.D. Ill. 2017).
A defendant will be subject to general jurisdiction in a forum where it is “essentially at home[.]” E.g. Daimler A.G. v. Bauman, 571 U.S. 117, 119 (2014). A corporation is generally “at home” only in its state of incorporation and principal place of business, absent an “exceptional case[.]” Id. at 138. To date, the only such “exceptional case” delineated by the Supreme Court appears to have been Perkins v. Benguet Consol. Mining Co., 342 U.S. 437 (1952), which involved a corporation temporarily displaced by war.
Here, Plaintiffs seek to argue that this Court should have general jurisdiction because BJC's contacts with Illinois are “continuous and systematic[.]” Before Daimler, that might have been sufficient. Since that case, however, it has become apparent that general jurisdiction will very rarely be found where an entity is not incorporated and does not have its principal place of business. Here, BJC is incorporated in Missouri and has its principal place of business there, so the Court could only find general jurisdiction if it identified this as an “exceptional case.” As discussed, exceptional cases are exceedingly rare. One prior situation identified as an exceptional case by this Court is described in Borders v. Wal-Mart Stores, Inc., 2018 U.S. Dist. LEXIS 138830 (S.D. Ill.) (Reagan, J.). In that action, the Court noted that Wal-Mart, though incorporated in Delaware and based in Arkansas, was the largest private employer in Illinois and “does more business and hires more workers in Illinois than it does in almost every other state in the country[.]” The undersigned is not convinced that she would have reached the same conclusion as to whether Wal-Mart presented an exceptional case-regardless, the situation is clearly different here, where Defendants indicate that only slightly over 10% of BJC's employees and revenue are related to Illinois operations (Doc. 34 at 18). This simply is not an exceptional case, and there is no general jurisdiction here.
Specific jurisdiction, on the other hand, is established where a defendant has “certain minimum contacts” with the forum. Int'l Shoe Co. v. State of Wash., 326 U.S. 310, 316 (1945). A defendant must have established such contacts by “purposefully avail[ing] itself” of the law of the forum state and the privilege of conducting activities therein, Hanson v. Denckla, 357 U.S. 235, 253 (1953), to the extent that it “should reasonably anticipate being haled into court there[.]” World-Wide Volkswagen Corp. v. Woodson, 444 U.S 286, 297 (1980). Furthermore, the litigation must result from injuries that “arise out of or relate to” defendants' contacts with the forum. Helicopteros Nacionales de Colombia, S.A. v. Hall, 466 U.S. 408, 414 (1984). In Bristol-Myers Squibb v. Superior Court of Calif., 137 S.Ct. 1773, 1780 (2017), the Supreme Court emphasized the importance of “an affiliation between the forum and the underlying controversy, principally, [an] activity or occurrence that takes place in the forum State and is therefore subject to the State's regulation.” This does not mean, however, that there must be a causal relationship between the defendant's activities in the forum state and the controversy. Most recently, in Ford Motor Co. v. Montana Eighth Judicial Dist. Court, the Supreme Court stated that a “causation-only approach finds no support in this Court's requirement of a ‘connection' between a plaintiff's suit” and the underlying controversy.” 141 S.Ct. 1017, 1026 (2021). In that case, the plaintiffs sued for products liability arising out of car accidents in their respective states, though car design and manufacture occurred elsewhere. Noting that the defendant had marketed and sold its products in the forum states for many years, the Court found that specific jurisdiction applied where a company regularly served a market and the action arose out of that service of the market, regardless of specific causality.
Here, there is no dispute as to the fact that BJC has purposefully availed itself of the law of Illinois. The question is whether this action arises out of or relates to BJC's contacts with the state. BJC has certain subsidiaries that provide healthcare to individuals in Illinois, the company markets those services and presumably affirmatively seeks patients in Illinois, it treats patients and obtains their medical information, assuming a duty to preserve confidentiality. Plaintiffs here represent that the class that they seek to represent are Illinois residents who entered into patient relationships with BJC in Illinois, both Plaintiffs are from Illinois, and Taylor was treated in Illinois, while Sweet was treated in Missouri. While the actual Incident may have involved employees and servers in Missouri, this action arose out of the alleged breach that the Incident caused of the patient-provider relationship, formed with Plaintiffs and the proposed class in Illinois through BJC's longstanding service of the market in Southern Illinois. Accordingly, the Court views this action as arising out of BJC's contacts with Illinois, and thus views BJC as being subject to specific jurisdiction for this action.
In their Motion to Strike (Doc. 45), Plaintiffs take issue with Defendants raising arguments about Ford Motor Co. in their reply briefs, and Plaintiffs ask that those responses be struck or that they be given leave to file a sur-reply. As the Court has already found that it has specific jurisdiction regardless of Defendants' arguments on Ford Motor Co., it does not appear necessary to strike the reply briefs or permit a sur-reply. Accordingly, the Motion to Strike is denied.
II. Standing
Defendants argue that Plaintiffs have failed to allege an injury sufficient to confer Article III standing. “Standing is an essential component of Article III's case-or-controversy requirement.” Apex Digital, Inv. v. Sears, Roebuck & Co., 572 F.3d 440, 443 (7th Cir. 2009). To demonstrate standing, a Plaintiff must show “(1) an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016). An injury-in-fact refers to a particularized and concrete, actual or imminent invasion of a legally-protected interest. See Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). A mere risk of harm, however, can be sufficient where the risk is “certainly impending” or plaintiff faces “a substantial risk” of injury. Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 n. 5 (2013).
In the context of data breaches, circuits have split over whether an increased risk of future harm can support standing. Courts including the First, Second, Third, Fourth, and Eighth Circuits have refused to find standing based solely on a risk of future harm. E.g., Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012); Whalen v. Michaels Stores, Inc., 689 Fed.Appx. 89 (2d Cir. 2017); Reilly v. Ceridian Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011); Beck v. McDonald, 848 F.3d 262, 267 (4th Cir. 2017); Alleruzzo v. SuperValu, Inc., 870 F.3d 763, 766 (8th Cir. 2017). While certain of these courts have cited the “substantial risk” language of Clapper and noted that standing may be established by a substantial risk of future harm, they nevertheless conclude that the exposure of sensitive information in a data breach generally fails a establish such a substantial risk. E.g., Beck, 848 F.3d at 275; Alleruzzo, 870 F.3d at 769-70. On the other hand, the DC Circuit and the Sixth, Seventh, and Ninth Circuits have found that a substantial risk of identity theft will generally qualify as an injury in fact. E.g., Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015); Attias v. CareFirst Inc., 865 F.3d 620, 623 (D.C. Cir. 2017); Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App'x 384, 386 (6th Cir. 2016); In re Zappos.com, Inc., 888 F.3d 1020, 1023 (9th Cir. 2018).
The Seventh Circuit has addressed standing in the context of a data breach in four decisions that are relevant to this action. First, in Pisciotta v. Old Nat. Bancorp, the Court examined a breach of information including customer names, addresses, social security numbers, driver's license numbers, dates of birth, and credit card or other financial account numbers. 499 F.3d 629, 631 (7th Cir. 2007). Where no actual identity theft had yet occurred and plaintiffs had voluntarily paid for credit monitoring to prevent future identity theft, the Seventh Circuit found that they had Article III standing, noting that “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm[.]” Id. at 634.
The Seventh Circuit revisited this reasoning post-Clapper in Remijas v. Neiman Marcus Grp., LLC, where it examined a breach in which customer credit card numbers had been stolen and fraudulent charges had been discovered on the cards of some but not all affected customers. 794 F.3d 688 (7th Cir. 2015). The court concluded that even those customers who had not yet suffered identity theft or fraudulent charges should have standing, as the perpetrators behind the data breach had clearly stolen customer information with the intention of misusing it at some point in the future, and “customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood' that such an injury will occur.” Id. at 693 (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 410 (2013)).
The Seventh Circuit upheld the principles underlying its Remijas decision in Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), and Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018). In Lewert and Dieffenbach, just as in Remijas, customer credit card information had been exposed, and some customers had experienced fraudulent charges. Lewert, 819 F.3d at 965; Dieffenbach, 887 F.3d at 827.
Here, as in Remijas and its progeny, a breach has occurred of sensitive customer data that raises the prospect of future identity theft and that has caused customers to invest in identity protection services. Here, no credit card information has been exposed and there do not yet appear to have been unauthorized charges or other indications of identity theft or other unauthorized use of the exposed customer data. This, however, does not prevent Plaintiffs from having standing-while credit card information may not have been exposed, information such as dates of birth, Social Security numbers, and addresses would likely be sufficient to permit identity theft. Further, the Seventh Circuit has already found that Plaintiffs need not wait until identity theft or a fraudulent charge has occurred to have standing-in Pisciotta, the court found standing where no misuse of the breached data had yet occurred, and here as in Remijas it seems evident that the perpetrators of the breach invested time and effort gaining illicit access to data with the intention of misusing it at some point in the future. Accordingly, the Court finds that the facts alleged are sufficient to establish a substantial risk of future harm and permit Article III standing.
III. Failure to state a claim
Next, Defendants seek to dismiss pursuant to Federal Rules of Civil Procedure 12(b)(6) and 9(b), first arguing that the action as a whole should be dismissed for failure to plead damages and then arguing that certain individual counts of the complaint should be dismissed for failure to state a claim.
The purpose of a Rule 12(b)(6) motion is to decide the adequacy of the complaint, not to determine the merits of the case or decide whether a plaintiff will ultimately prevail. Gibson v. City of Chicago, 910 F.2d 1510, 1520 (7th Cir. 1990). To survive a Rule 12(b)(6) motion to dismiss, a plaintiff only needs to allege enough facts to state a claim for relief that is plausible on its face. Twombly, 550 U.S. 570. A plaintiff need not plead detailed factual allegations, but must provide “more than labels and conclusions, and a formulaic recitation of the elements.” Id. For purposes of a motion to dismiss under Rule 12(b)(6), the Court must accept all well-pleaded facts as true and draw all possible inferences in favor of the plaintiff. McReynolds v. Merrill Lynch & Co., Inc., 694 F.3d 873, 879 (7th Cir. 2012). The plausibility of allegations must be determined by reviewing the complaint as a whole, and factual assertions must suggest a right to relief beyond mere speculation. Atkins v. City of Chicago, 631 F.3d 823, 832 (7th Cir. 2011). In order to state a claim under the usual pleading standard of Federal Rule of Civil Procedure 8(a), a party need merely provide “a short and plain statement of the claim[.]” For matters subject to the heightened pleading standard of Federal Rule of Civil Procedure 9(b), however, a party must “state with particularity the circumstances constituting fraud or mistake[.]”
A. Damages
Defendants argue that Plaintiffs “have failed to plausibly allege that they suffered damages, a required element of each of their claims[, ]” arguing that the action as a whole should be dismissed on this basis.
In addition to specific arguments made against various counts of the complaint, Defendants first seek to argue that the complaint as a whole should be dismissed due to a failure to sufficiently plead damages. Reviewing the Second Amended Complaint, Plaintiffs allege that they suffered monetary damages from costs incurred obtaining credit reports, credit monitoring, and insurance, and other past and future costs relating to responses to the Incident (Doc. 30 at 5). While Plaintiffs do appear to indicate that they have already incurred some concrete monetary costs connected with credit monitoring services, they do not state how much these services may have cost to date.
In Dieffenbach, the Seventh Circuit noted that where a plaintiff brings state law claims in federal court, “it is the federal rules that determine what must be in a complaint” and a Court should only dismiss for failure to adequately plead damages based on state law where “none of the plaintiffs' injuries is compensable, as a matter of law, under the statutes on which they rely.” 887 F.3d at 828.
A claim under the ICFA such as Count IV of the Second Amended Complaint requires the plaintiff to have suffered “actual damage” as a result of the defendant's conduct. 815 Ill. Comp. Stat. 505/10a(a); Alleruzzo, 925 F.3d at 964. This requires “actual pecuniary loss” which must be “real and measurable[.]” Alleruzzo, 925 F.3d at 965 (quotations omitted). In Dieffenbach, the Seventh Circuit previously held that monthly payments for credit monitoring services did qualify as compensable injury under the ICFA. 887 F.3d at 828. Here, Plaintiffs have not stated specifically the amount that they paid for these services, but what matters is that they allege that they have had actual, measurable monetary costs- the precise amount of these costs need not be stated unless they are special damages under Federal Rule of Civil Procedure 9 (g), which they do not appear to be. Id. Accordingly, it appears that Plaintiffs have sufficiently stated damages under the ICFA.
This argument similarly fails against other claims in the Second Amended Complaint. For example, Plaintiffs are not in fact required to plead damages in order to bring an action for breach of contract. Dominion Nutrition, Inc. v. Cesca, 467 F.Supp.2d 870, 882 (N.D. Ill. 2006). The same measurable monetary costs that provide damages for the ICFA claim seem sufficient to permit actions in tort and for breach of contract, as discussed in more detail below. Other claims have even more lenient standards, such as Plaintiffs' claim in Count X under the MMPA, which accepts as sufficient damages an alleged difference in value between a service as provided and that service as originally represented. Kelly v. Cape Cod Potato Chip Co., 81 F.Supp.3d 754, 758 (W.D. Miss. 2015). In short, without addressing each claim in turn, the Court notes that Defendants do not actually point to any particular case or provision of law that would indicate that Plaintiffs do not allege compensable damages for any of the individual counts, and the Court's own review suggests that Plaintiffs have sufficiently pled damages on all of the counts of the Second Amended Complaint that survive this order. Accordingly, the Court will move on to address Defendants' arguments on the individual counts of the Second Amended Complaint.
B. The ICFA
Defendants argue that Count IV, seeking damages under the ICFA, should be dismissed as the ICFA does not apply extraterritorially, and Plaintiffs have not pleaded fraud with sufficient particularity.
“A plaintiff may pursue a private cause of action under the [ICFA] if the circumstances that relate to the disputed transaction occur primarily and substantially in Illinois.” Avery v. State Farm Mut. Auto. Ins. Co., 835 N.E.2d 801, 854 (Ill. 2005). In Avery, the Illinois Supreme Court examined a case where fraud was alleged against an Illinois company by out-of-state plaintiffs. Noting that allegedly deceptive practices were devised in Illinois, the Court nevertheless found that because the plaintiff was based in Louisiana and his interactions with the defendant company largely occurred there, the circumstances surrounding the transaction at issue did not occur primarily and substantially in Illinois. Id. Here, the situation appears to be the reverse of Avery, with instate plaintiffs and an out-of-state defendant. While the actual Incident occurred in Missouri and decisions relevant to Defendants' internal data security occurred in that state, Plaintiff Taylor represents that his contact with Defendants was through medical treatment that occurred wholly within Illinois; it was in this state that he gave his personal information to Defendants and received representations from them about the security of that information. Thus, even though the actual Incident occurred in Missouri, the bulk of the “transaction” as it relates to Taylor and presumably most of the members of the proposed class will have occurred in Illinois. For this reason, the Court does not find dismissal to be warranted based on extraterritoriality.
As for pleading fraud with sufficient particularity, courts within this circuit have indicated that similar allegations relating to data breaches under the ICFA should be subject to the liberal pleading rule of Federal Rule of Civil Procedure 8(a), rather than Rule 9(b). Perdue v. Hy-Vee, Inc., 455 F.Supp.3d 749, 769 (C.D. Ill. 2020) (citing Windy City Metal Fabricators & Supply, Inc. v. CIT Tech. Fin. Servs, Inc., 536 F.3d 663, 670 (7th Cir. 2008)). Even if pleading under Rule 9(b) was necessary, that rule merely requires that Plaintiffs state “the who, what, when, where, and how” of the alleged fraudulent transaction in the complaint. DiLeo v. Ernst & Young, 901 F.2d 624, 627 (7th Cir. 1990). Plaintiffs appear to allege that Defendants (who), contrary to their representations, failed to protect personal information (what) obtained through medical care received at BJC's facilities in Illinois and stored at BJC's facilities in Missouri (where) in the course of the Incident between November 2018 and August 2019 (when) through inadequate security and insufficient training (how). It seems to the Court fairly straightforward to conclude that Plaintiffs have met the pleading requirements for fraud; other courts within this circuit have found lesser allegations sufficient to satisfy Rule 9(b) in a data breach context. Perdue, 455 F.Supp.3d at 769.
Accordingly, the Court will not dismiss Plaintiffs' claims under the ICFA.
C. Breach of Contract
Count II of the Second Amended Complaint alleges a breach of an express or implied contract by BJC.
The “required elements for a breach of express contract claim under Illinois law are: (1) the existence of a valid and enforceable contract; (2) performance by the plaintiff; (3) a breach by the defendant; and (4) an injury[.]” Landale Signs & Neon, Ltd. v. Runnion Equip. Co., 274 F.Supp.3d 787, 792 (N.D. Ill. 2017) (quoting Van Der Molen v. Washington Mutual Finance, Inc., 835 N.E.2d 61, 69 (Ill.App.Ct. 2005)). To assert an implied contract, a party must additionally show “a meeting of the minds and a mutual intent to contract[.]” Id. (quoting New v. Verizon Communs., Inc., 635 F.Supp.2d 773, 782-83 (N.D. Ill. 2008).
Here, Defendants concede that there was indeed a contract between the parties, but they assert that Plaintiffs do not plead the formation of a contract that provided a promise of data security. Plaintiffs in fact allege that they paid money to BJC in exchange for services, including a written agreement by which BJC promised to “protect, secure, keep private, and not disclose Plaintiffs' and Class Members' PHI” as well as to “comply with all HIPAA standards” (Doc. 30 at 12). In the alternate, Plaintiffs allege that there was an implied contract by which they paid for services with the understanding that BJC agreed to safeguard their PHI (Id.). Plaintiffs then allege that BJC failed to secure their PHI, resulting in a breach. Naturally, the allegations in the complaint do not delve into the specifics of what these written documents were, when they were executed, and the specifics of what they required of the parties-this is not required at the pleading stage, where a plaintiff must merely provide a short and plain statement of the claim. Landale, 274 F.Supp.3d at 793. Here, Plaintiffs have outlined their contract claims sufficiently to meet this low bar.
Defendants argue that even if there was a contract for protection of PHI, merely alleging that the Incident occurred is insufficient to allege a breach. In support of this contention, Defendants point to cases from outside this circuit in which assertions that defendants “failed to act in a reasonable and appropriate manner” or take “obligatory, sufficient, and adequate steps to protect plaintiffs” PHI have been deemed too conclusory to support a claim for breach of contract. Anderson v. Kimpton Hotel & Rest. Grp., LLC, 2019 U.S. Dist. LEXIS 133869 at *12-13 (N.D. Cal.); see also Kuhns v. Scottrade, Inc., 868 F.3d 711, 717 (8th Cir. 2017). Within this circuit, however, courts do not appear to require such specificity in alleging breach of contract based on a data security incident. See, e.g., Yvonne Mart Fox v. Iowa Health Sys., 399 F.Supp.3d 780, 802 (W.D. Wis. 2019) (“the allegations in the complaint allow the court to reasonably infer that the data breach occurred because UnityPoint did not follow the procedures laid out in its privacy policy.”). Here too, the factual allegations in the complaint permit an inference that the Incident occurred because BJC failed to adequately encrypt and store PHI, breaching their agreement to safeguard customer PHI.
Lastly, BJC argues that there was no consideration for any agreement to safeguard PHI, because it was already legally obligated to do so. Some commentators have indicated that a promise to perform an existing legal duty may still be enforceable against the promisor, even if it cannot be valid consideration for a return promise. See, e.g., 17A Am. Jur. 2d Contracts § 149; 3 Williston on Contracts § 7:41 (4th ed.). Regardless of this theory, even if a promise to perform an existing legal obligation could not be enforced, this would only make such a promise unenforceable if it was limited precisely to those legal obligations-any divergence would result in a substantively different, enforceable promise. This was the case in Dolmage v. Combined Ins. Co. of Am., 2016 U.S. Dist. LEXIS 22472 at *26-27 (N.D. Ill.), where the district court found that a privacy pledge “contain[ed] other provisions unrelated to Defendant's compliance with federal law.” At this early stage, the Court feels that the allegations in the complaint are sufficient to infer that any contractual promises regarding data security are not so clearly identical with Defendants' legal obligations so as to warrant dismissal, though Plaintiffs will in the future be required to show with greater specificity what Defendants' alleged promises were.
D. Tort Claims
Next, Defendants argue that Plaintiff's Counts III and V are barred by the economic loss or Moorman doctrine, which “bars a plaintiff from recovering for purely economic losses” in tort where losses arise out of a failure to perform contractual obligations. Perdue, 455 F.Supp.3d at 761 (citing Moorman Mfg. Co. v. Nat'l Tank Co., 435 N.E.2d 443, 453 (Ill. 1982)). The economic loss doctrine is not without exceptions, however, and it does not prohibit recovery in tort where “a duty arises outside of the contract[.]” Wigod v. Wells Fargo Bank, N.A., 673 F.3d 547, 567 (7th Cir. 2012) (quoting Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 636 N.E.2d 503, 514 (Ill. 1994)). In most data breach cases, the relationship between plaintiffs and defendants is purely commercial, the relationship between a business and a customer. Here, however, Defendants are health care providers, and Plaintiffs are their patients. There are both statutory obligations and common law duties which Defendants owe to their patients, which may overlap and may also diverge from their contractual obligations, as discussed supra. These obligations provide an independent basis for tort liability, and dismissal is thus not warranted under the economic loss doctrine at this time.
E. Invasion of Privacy
In Count VII of the Second Amended Complaint, Plaintiffs bring a claim against defendants for invasion of privacy for either intruding into their private lives or committing a disclosure of private facts. Under Illinois law, a party alleging intrusion into private life must show that the intrusion was intentional. Lovgren v. Citizens First Nat. Bank of Princeton, 534 N.E.2d 987, 988 (Ill. 1989). Public disclosure, on the other hand, requires a showing that the information was disclosed to the public at large. Cordts v. Chicago Tribune Co., 860 N.E.2d 444, 450 (Ill. App. 2006).
Here, as Defendants note, there is no allegation that the intrusion was intended by Defendants, and the information has not been disclosed to the public at large. Plaintiffs do not appear to offer any arguments to contradict these points. Accordingly, Count VII is dismissed with prejudice.
F. Bailment
In Count IX of the Second Amended Complaint, Plaintiffs seek to bring a claim for bailment against Defendants. To bring an action for bailment under Illinois law, a party must show:
“(1) an express or implied agreement to create a bailment; (2) a delivery of the property in good condition; (3) the bailee's acceptance of the property; and (4) the bailee's failure to return the property or the bailee's redelivery of the property in a damaged condition.”Alexander Chem. Corp. v. G.S. Robins & Co., 852 F.Supp.2d 1048, 1051 (N.D. Ill. 2012).
Here, Plaintiffs seek to allege that their PHI is the “property” serving as the basis for the bailment relationship, yet they do not allege that they sought the return of their information or that Defendants failed to return it. Accordingly, they have failed to state a claim for bailment, and Count IX must be dismissed with prejudice.
G. Missouri Merchandising Practices Act
In Count X of the Second Amended Complaint, Plaintiffs seek to bring a claim against Defendants under the MMPA in the alternative to their claim under the ICFA in Count IV.
Defendants argue that this count should be dismissed because “to be actionable under the MMPA, the alleged unlawful act must occur in relation to a sale of merchandise, and an ascertainable pecuniary loss must occur in relation to the plaintiff's purchase or lease of that merchandise.” Kuhns v. Scottrade, Inc., 868 F.3d 711, 719 (8th Cir. 2017). The definition of “merchandise” under the MMPA as read by Missouri courts is perversely expansive, however, and includes services. E.g., Williams v. HSBC Bank USA, N.A., 467 S.W.3d 836, 842-43 (Mo.Ct.App. 2015).
Here, Defendants concede that they were engaged in the sale of merchandise, but that merchandise was medical services, not information security services, and Plaintiffs “do not plead that they received BJC's privacy policy or any information security representations in connection with a sale of merchandise” (Doc. 34 at 35). Under the MMPA, however, representations need not constitute the merchandise itself, but merely need be made “in connection with” a sale of merchandise. Watson v. Wells Fargo Home Mortg., Inc., 438 S.W.3d 404, 407 (Mo. 2014). The Second Amended Complaint alleges that Defendants made representations about the security of PHI in connection with their agreement to provide medical services to Plaintiffs, and this is sufficient for the MMPA.
Next, Defendants argue that Plaintiffs have not pled an ascertainable pecuniary loss as required under the MMPA. While the phrase “ascertainable pecuniary loss” would appear to most rational individuals to require a relatively precise sum certain, this is not the case in Missouri courts, which in fact apply the “benefit of the bargain” rule, permitting a purchaser “to be awarded the difference between the actual value of the property and what its value would have been if it had been as represented.” Kelly v. Cape Cod Potato Chip Co., 81 F.Supp.3d 754, 758 (W.D. Miss. 2015) (quoting Sunset Pools v. Schaefer, 869 S.W.2d 883, 886 (Mo. App. E.D. 1994)). This difference in value can be peculiarly abstract- for example, in Kelly, the difference in value between potato chips represented as being “natural” and containing “no preservatives” and the same chips with preservatives was deemed sufficiently ascertainable to permit an action under the MMPA. Id. Compared with this example, the difference in value between medical services with a promise of thorough data security and medical services that lacked sufficient data security seems sufficiently ascertainable to permit suit under the MMPA. Count X will not be dismissed.
Conclusion
For the reasons set forth above, the Motions to Dismiss (Doc. 34, 35) are granted in part and denied in part. Counts VII and IX are dismissed, and the action shall proceed on the remaining Counts. The Motion to Strike (Doc. 45) is denied.
IT IS SO ORDERED.